How to Configure the SSL-VPN Feature for use with NetExtender or Mobile Connect


How to Configure SSL-VPN:

SSL-VPN is one method of allowing Remote Users to connect to the SonicWall and access internal network resources. SSL VPN Connections can be setup with one of three methods:

  • The SonicWall NetExtender Client
  • The SonicWall Mobile Connect Client
  • SSL VPN Bookmarks via the SonicWall Virtual Office

This article details how to setup the SSL VPN Feature for NetExtender and Mobile Connect Users, both of which are software based solutions. If you would like information on configuring Virtual Office please reference Configuring Virtual Office.

NetExtender is available for the following Operating Systems:

  • Microsoft Windows
  • Android
  • iOS
  • OS X
  • Linux Distributions

Mobile Connect is available for the following Operating Systems:

  • Windows 8.1 & 10
  • OS X
  • iOS
  • Android


     Creating an Address Object for the SSLVPN IPv4 Address Range

1. Login to the SonicWall Management GUI.
2. Navigate to Network | Address Objects and click Add… at the bottom of the page.
3. In the pop-up window, enter the information for your SSL VPN Range. An example Range is included below:

  • Name: SSL VPN Range TIP: This is only a Friendly Name used for Administration.
  • Zone: SSLVPN
  • Type : Range
  • Starting IP Address:
  • Ending IP Address:

ssl vpn configuration

SSLVPN Configuration

1. Navigate to the SSL-VPN |Server Settings page.

2. Click on the Red Bubble for WAN, it should become Green. This indicates that SSL VPN Connections will be allowed on the WAN Zone.

3. Set the Cipher MethodSSL VPN Port, and Domain as desired. Cipher Method indicates the strength of the Public Key Infrastructure used for the VPN Connection and the SSL VPN Port as well as the Domain are used for User Login.

 NOTE: From 6.2.x Firmware , the Cipher options will be removed from the Server Settings Tab.


The SSL VPN | Client Settings page allows the administrator to configure the client address range information and NetExtender client settings, the most important being where the SSL-VPN will terminate (e.g. on the LAN in this case) and which IPs will be given to connecting clients. Finally, select from where users should be able to login:

 CAUTION: NetExtender cannot be terminated on an Interface that is paired to another Interface using Layer 2 Bridge Mode. This includes Interfaces bridged with a WLAN Interface. Interfaces that are configured with Layer 2 Bridge Mode are not listed in the “SSLVPN Client Address Range” Interface drop-down menu. For NetExtender termination, an Interface should be configured as a LAN, DMZ, WLAN, or a custom Trusted, Public, or Wireless zone, and also configured with the IP Assignment of “Static”.

4. Click on the Configure button for the Default Device Profile as shown below.

 NOTE: From 6.2.x Firmware , the SonicPoint L3 Management Default Device Profile option will be added under Client settings tab.

5. Set the Zone IP V4 as SSLVPN. Set Network Address IP V4 as the Address Object you created earlier (SSLVPN Range).


The Client Routes tab allows the Administrator to control what network access SSL VPN Users are allowed. The NetExtender client routes are passed to all NetExtender clients and are used to govern which networks and resources remote users can access via the SSL VPN connection.

 CAUTION: All SSL VPN Users can see these routes but without appropriate VPN Access on their User or Group they will not be able to access everything shown in the routes. Please make sure to set VPN Access appropriately.


The Client Settings tab allows the Administrator to input DNS, WINS, and Suffix information while also controlling the caching of passwords, user names, and the behavior of the NetExtender Client.

6. Input the necessary DNS/WINS information and a DNS Suffix if SSL VPN Users need to find Domain resources by name.

7. Enable Create Client Connection Profile – The NetExtender client will create a connection profile recording the SSL VPN Server name, the Domain name and optionally the username and password.


Adding Users to SSLVPN Services Group

NetExtender Users may either authenticate as a Local User on the SonicWall or as a member of an appropriate Group through LDAP. This article will cover setting up Local Users, however if you’re interested in using LDAP please reference How to Configure LDAP Authentication for SSL-VPN Users.

1. Navigate to Users | Local Users and add a new User if necessary by using the Add User… button.

2. On the Members tab add SSL-VPN Services to the Member Users and Groups field.

3. On the VPN Access tab add the relevant Subnets, Range, or IP Address Address Objects that match what the User needs access to via NetExtender.

 CAUTION: SSL VPN Users will only be able to access resources that match both their VPN Access and Client Routes.

How to Configure SSL-VPN

 Checking Access rule Information for SSLVPN Zone

1. Navigate to Firewall | Access Rules and open the SSL VPN to LAN Access Rules as indicated on the image below.

2. You should see an auto-created Access Rule similar to the image below. If not, recreate the rule as shown below.

3. If SSL VPN Users need access to resources on other Zones, such as the DMZ or a Custom Zone, verify or add those Access Rules. If you’re unsure how to create an Access Rule please reference How to Enable Port Forwarding and Allow Access to a Server Through the SonicWall.




  Testing the Connection

1. Download and install either SonicWall NetExtender or SonicWall Mobile Connect. NetExtender is available via or the Virtual Office page on the SonicWall. SonicWall Mobile Connect is available via the App Store, Windows Store, or Apple Store depending on your Operating System.

2. If using NetExtender, input the following:

  • IP Address or URL of the SonicWall WAN Interface, followed by the Port Number
  • User Name
  • Password
  • Domain

3. If using Mobile Connect, input the following:

  • IP Address or URL of the SonicWall WAN Interface, followed by the Port Number
  • Domain

 NOTE: Mobile Connect will prompt for User and Password after it’s able to verify a connection to the SonicWall. This is slightly different than NetExtender.

4. The connection should establish and the User should be able to access the appropriate resources.

 TIP: Ping is a great tool to test access to resources once the VPN Connection has established. If Pings are Timing Out it’s advisable to perform a Packet Monitor on the SonicWall to determine what is happening to the traffic.

Stay Tuned