Implementing A Sonicwall VPN in Your Organization

The building blocks for deploying a SonicWALL IPSec VPN solution include the SonicWALL Internet security appliance and SonicWALL VPN. A VPN offers a technique for secure remote access to private networks connected to the Internet through cost-effective links from local Internet service providers. SonicWALL offers an integrated security platform for networks that includes VPN, firewall, network anti-virus, content filtering and FREE lifetime security and interoperability updates.

Uploaded by

mero_samy
Copyright
© Attribution Non-Commercial (BY-NC)

Implementing a SonicWALL VPN in Your Organization
Overview
This document guides you through the process of planning and designing
a SonicWALL VPN solution for small to medium sized organizations. The
building blocks for deploying the SonicWALL IPSec VPN solution include
the SonicWALL Internet security appliance and SonicWALL VPN. The
SonicWALL Internet security appliance delivers the core security with an
access security firewall as a foundation for your VPN using the
SonicWALL IPSec VPN solution.

Why VPN?
A VPN offers a technique for secure remote access to private networks
connected to the Internet through cost effective links from local Internet
service providers. Buzzwords you’ve probably heard like VPN, IPSec, PKI
and Digital Certificates can be boiled down to one important meaning –
secure remote access to your network. Remote access boosts business
productivity in many ways. For example, VPN allows sales people to
check email from hotel rooms, employees to work from home while
connected to the corporate network, or business partners to provide real
time data.
Note: For more information on the benefits of VPN for your business, visit
our VPN Center at www.sonicwall.com/vpn-center.

SonicWALL Internet security appliances and VPN allow for a cost-effective,
easy-to-manage remote access solution for small, medium and
large enterprises.

SonicWALL VPN Enabled Appliances


SonicWALL offers an integrated security platform for networks that
includes VPN, firewall, network anti-virus, content filtering and FREE
lifetime security and interoperability updates. By using SonicWALL
Internet security appliances, including the TELE3, SOHO3, PRO 100,
PRO 200, PRO 300, GX 2500 and GX 6500, you can rest assured that
your security investment will be preserved as your network grows.
SonicWALL Internet security appliances also provide a platform for an
expanding array of SonicWALL value-added security services, such as
network anti-virus, content-filtering and global management.
Note: For more information on SonicWALL security products and
services, please visit our Web site at www.sonicwall.com.

Implementing a SonicWALL VPN


With any remote access solution, the management and maintenance of
the system is the biggest hurdle for network administrators. SonicWALL
provides an affordable, secure and easy to deploy remote access solution
that uses and supports all the latest remote access and authentication
technologies, including IPSec VPN, IKE, RADIUS, SecurID, PKI and
Digital Certificates.
To implement a successful, trouble-free VPN, use these guidelines:
1. Create a Remote Access Policy and Procedures
When considering deploying a VPN for remote access, you should first
create a remote access policy and procedures document. These
documents lay the foundation for effectively implementing a remote
access solution by specifying the rules for employees working remotely.
Note: See Appendix A for a remote access policy template and Appendix
B for a remote access procedures template. Use these templates as a
guide for creating your remote access policies and procedures.
2. Determine the Required Equipment
The SonicWALL equipment required for your VPN, including the
SonicWALL Internet security appliance model, depends on the number
of remote VPN users you plan to support.
To help you determine the right SonicWALL Internet security appliance
and VPN user license configuration for your organization, visit the
SonicWALL Product Analyzer at
www.sonicwall.com/analyzer/analyzer.asp. After answering a few
questions, the Product Analyzer will match the appropriate SonicWALL
security and VPN solution for your organization.
3. Architect Your Network for VPN
Here are guidelines for architecting your private network for VPN:
• Don’t have any overlapping private IP addresses.

A White Paper by SonicWALL, Inc. – Page 3


• Implement a WINS server on the network to allow remote VPN
client users to browse the Network Neighborhood.
• Consider high-availability or fail-over for your VPN gateways to
ensure mission-critical remote access.
• If you are using DHCP in your private network, set aside blocks of
private IP addresses based on end-user groups, for example Sales
IP addresses range from 10.1.0.5 to 10.1.0.200. This allows you to
configure VPN access restriction in the future.
• Assign static IP addresses to key servers, like the File server,
Intranet Web server etc.

The diagram below shows an example of a VPN with WINS, internal DNS
and a valid IP addressing scheme.

Figure: A VPN with WINS, internal DNS and a valid IP addressing scheme.
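The addressing guidelines above can be checked mechanically before any tunnel is configured. The following is an added example, not part of the SonicWALL white paper: the site names, subnets, server addresses and the Engineering range are constructed assumptions, and only the Sales range 10.1.0.5 to 10.1.0.200 comes from the text.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan; only the Sales range is taken from the guidelines.
SITES = {
    "main-office": "10.1.0.0/24",
    "branch-a": "10.2.0.0/24",
    "branch-b": "10.1.0.128/25",  # deliberately overlaps main-office
}
GROUP_RANGES = {  # DHCP blocks inside main-office, one per end-user group
    "Sales": ("10.1.0.5", "10.1.0.200"),
    "Engineering": ("10.1.0.180", "10.1.0.250"),  # deliberately collides
}
STATIC_SERVERS = {"file-server": "10.1.0.2", "wins": "10.1.0.3",
                  "intranet-web": "10.1.0.10"}  # .10 sits inside Sales


def overlapping_sites(sites):
    """Return sorted pairs of site names whose private subnets overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def range_conflicts(groups, servers, site_cidr):
    """Check group DHCP blocks against the site subnet, servers and each other."""
    site = ipaddress.ip_network(site_cidr)
    spans = {g: (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
             for g, (lo, hi) in groups.items()}
    problems = []
    for g, (lo, hi) in sorted(spans.items()):
        if lo > hi or lo not in site or hi not in site:
            problems.append(f"{g}: range not inside {site}")
        for name, addr in sorted(servers.items()):
            if lo <= ipaddress.ip_address(addr) <= hi:
                problems.append(f"{g}: contains static server {name} ({addr})")
    for (g1, (lo1, hi1)), (g2, (lo2, hi2)) in combinations(sorted(spans.items()), 2):
        if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
            problems.append(f"{g1}/{g2}: DHCP blocks overlap")
    return problems


if __name__ == "__main__":
    for a, b in overlapping_sites(SITES):
        print(f"subnet overlap: {a} <-> {b}")
    for p in range_conflicts(GROUP_RANGES, STATIC_SERVERS, SITES["main-office"]):
        print(p)
```

Keeping group blocks disjoint matters because later per-group VPN access restrictions are expressed as address ranges; an address that belongs to two groups would inherit both groups' access.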


4. Enable Windows Networking over VPN
Installing a WINS server on the private network and configuring each VPN
Client computer to use the WINS server easily integrates remote
computers into the Windows Networking Neighborhood. Windows
network support is integrated into the SonicWALL VPN gateway and does
not require any extra servers or applications.
Note: A WINS server is an application service available on NT Server or
Windows 2000 Server. For more information about WINS server, please
refer to the Microsoft website www.microsoft.com.

5. Deploy VPN to Advanced Users First
In every organization, there are a few technically advanced end-users.
Deploy the VPN to these employees first, before rolling it out to less
technical users. This helps you detect any glitches in the system and
identify questions and areas of technical support end-users may require.
6. Deploy VPN Configurations for Clients and Gateways
SonicWALL has a unique VPN Client deployment feature called Group
VPN. The Group VPN allows easy VPN Client deployment with one
configuration file. This configuration file is automatically generated from
the SonicWALL gateway and can be distributed to end-users on a floppy
disk or over Intranet email.

A Group VPN configuration file can be distributed to end-users on a
floppy disk or via E-mail.
Note: When using the Group VPN, SonicWALL strongly recommends you
use end-user authentication (PKI, RSA SecurID®, etc.) for adding and
removing remote VPN client users.
VPN gateway configuration is easy with SonicWALL’s Web-based
management. Configuration information can easily be shared in a couple
of lines. SonicWALL is presently the only firewall solution that allows
dynamic VPN Gateway IP addresses to connect with the main office static
IP. Entering 0.0.0.0 in the IPsec gateway field allows dynamic VPN
gateways to connect with the main office static IP.

SonicWALL’s Web-based management makes setting up VPN easy.
7. Select Authentication Method for Remote VPN Users
SonicWALL Authentication Service allows you to strongly authenticate
remote VPN users using digital certificates, without your own Public Key
Infrastructure (PKI). This service eliminates the need for you to install and
manage authentication software or servers on your own private LAN.
Note: For more information on SonicWALL’s Authentication Service, visit
our Web site at www.sonicwall.com/authentication-service.
If you want to install RADIUS or RSA SecurID® for VPN client
authentication, SonicWALL Group VPN can easily be configured to
use these third party authentication servers. For more information on
configuring these third party authentication servers, visit our Web site at
www.sonicwall.com/products/documentation/VPN_documentation.html.

SonicWALL’s Authentication Service allows your organization to use
strong authentication using PKI and digital certificates without the high
cost and complexity of a do-it-yourself solution.
8. Monitor the VPN and Security of Your Network
The SonicWALL appliance gives a report of all attacks and alarms in the
web-based management GUI. This log can be sent via email to Network
Administrators or sent to a syslog server for more detailed analysis.
SonicWALL syslog supports multiple graphing programs like WebTrends.
9. Globally Manage Your VPN and Security Policies
SonicWALL Global Management System (SonicWALL GMS) allows
distributed enterprises and service providers to manage and monitor
SonicWALL VPN and security for up to 1,000 remote sites from a central
location. SonicWALL GMS is a scalable, cost-effective solution that
extends the SonicWALL Internet security appliance’s renowned ease of
installation and administration to network administrators.
Note: For more information on SonicWALL GMS, visit our Web site at
www.sonicwall.com/sgms.

10. Update SonicWALL Internet Security Appliances and VPN
SonicWALL offers FREE updates that include new security
enhancements and VPN features like expanded interoperability, logging
and rules. Upgrading to new firmware is easy with the auto-update
feature. Information about auto-update is detailed in the SonicWALL
user's manual.

Appendix A
Below is a template for creating your organization’s Remote Access
Policy, outlining the major sections in a typical policy statement. Use this
template as a starting point for designing your organization’s policies
based on your unique requirements.
1. Authorized Use
In this section, explain that users are responsible for ensuring that their
digital certificate or username/password is used only for authorized
access. Explain that if someone else uses their credentials while
accessing the network, they may be held liable.
2. Respect the Intended use of Remote Access
In this section, describe the intended use of remote access for various
business units. For example, sales should only use the system for email
and sales report data. Engineering should only use remote access for
email and file transfer.
3. To Respect Privacy of other Users
In this section, outline the responsibility of remote users to protect the
privacy of individuals' data that is accessible on the Intranet, like personal
web pages, phone books, hard drive data shares etc.
4. To Respect Integrity of system
In this section, instruct users to use the system with care and not
experiment with unauthorized software or VPN clients that can break the
system.
5. Responsible Use
In this section, outline that end-users should use the system in a
responsible manner that does not break the system or hamper the remote
access of others.
6. Appropriate Action
In this section, describe that the company has full authority to disconnect
and add any end-user at its discretion.

Appendix B
Below is a template for Remote Access Procedures. This is only a
template and your company should design procedures for its individual
situation.
1. Create a Standard Form for person requesting Remote Access
This form should contain the contact information, business unit, intended
use and expected duration of use. This form can be a paper form or Web-
form hosted on the company intranet.
2. Create different groups for Remote Users
Create different classifications of remote end-users based on their
Internet connection type (modem or dedicated link). Further classify
what type of resources the end-user can have access to. In the future,
you will be able to restrict VPN tunnels to various IP addresses and
services. Creating groups will help you transition to access control VPN in
the future.
3. Create an Internal deployment and technical support team to provide assistance to end-users
Assign some technical people to solve internal VPN deployment and
configuration issues. This will help you quickly deploy and resolve end-
user issues.

SonicWALL, Inc
E-mail: [email protected]
Web: www.sonicwall.com

©2001 SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be
trademarks and/or registered trademarks of their respective companies.
