We are about to push out a new VPN solution for our organization. One of the beautiful things we saw in SonicWALL's SSL-VPN was the thin, browser-based solution of NetExtender.
Does anybody have experience with this? My specific concern is that, at least in Windows 7 during testing, it prompts for admin credentials to install the ActiveX NetExtender plugin, which is standard for installing anything in a Windows domain environment. But doesn't this mean I actually have to go in and install the client on all domain laptops that will be using the VPN in the field? They wouldn't actually be able to simply visit the site and run the client, as advertised? By the way, we're using the SonicWALL NSA 3500 device.
We do have ManageEngine's Desktop Central, which can push out software installations, but it usually has to be in the form of a .MSI package.
Is there any solution to this, besides hitting up all my organization's computers?
2 Answers
Unlike the stateless nature of the traditional SSL VPN, NetExtender stays resident on the client machine even after the connection is closed. The advantage of running NetExtender as a resident application on the remote system is that it speeds up login times in subsequent uses. Sonicwall netextender free download - SSL-VPN NetExtender Adapter, SonicWALL Anti-Spam Desktop (32-bit version), SonicWALL VPN Adapter, and many more programs. Best Video Software for the Mac. It’s relatively easy to connect a Windows machine/client, to a SonicWALL firewall using their free Global VPN Client. But it’s always been a headache to connect a Mac OSX computer, to a SonicWALL firewall.
NetExtender is neither thin nor browser-based. It cannot be deployed without administrator privileges and it cannot be deployed via GPO, because it requires installation of an unsigned network driver:
Personally, I find it a bit disturbing that a security vendor would see fit to sell a product that requires training users to ignore bright red security warnings.
You may be able to get around this by disabling driver signing, but I have not tested this approach. Allowing unsigned drivers on a domain-wide basis really isn't an appropriate fix for a single vendor's broken product.
Comparing hype vs. reality:
What SonicWall says on their marketing web site about installing NetExtender:
NetExtender is not a fat client. It pushes a thin client transparently onto the client's desktop or laptop and installs it automatically to facilitate this broader level of access.
What SonicWall says on their support web site about installing NetExtender (abridged):
To initially install the NetExtender client, the user must be logged in to the PC with administrative privileges. Downloading and running scripted ActiveX files must be enabled on Internet Explorer. It is recommended that you add the URL or domain name of your SSL-VPN server to Internet Explorer's trusted sites list. This will simplify the process of installing NetExtender and logging in, by reducing the number of security warnings you will receive.
Dell Sonicwall Netextender For Mac
In my opinion, 'transparently' is not the right word for this procedure.
Sonicwall Net Extender Client Download
SkyhawkSkyhawkI used GPOs once. Might be something to look into.