0

We are about to push out a new VPN solution for our organization. One of the beautiful things we saw in SonicWALL's SSL-VPN was the thin, browser-based solution of NetExtender.

Does anybody have experience with this? My specific concern is that, at least in Windows 7 during testing, it prompts for admin credentials to install the ActiveX NetExtender plugin, which is standard for installing anything in a Windows domain environment. But doesn't this mean I actually have to go in and install the client on all domain laptops that will be using the VPN in the field? They wouldn't actually be able to simply visit the site and run the client, as advertised? By the way, we're using the SonicWALL NSA 3500 device.

We do have ManageEngine's Desktop Central, which can push out software installations, but it usually has to be in the form of a .MSI package.

Is there any solution to this, besides hitting up all my organization's computers?

JArmani
  • 1
    NetExtender is shockingly messy. One problem that comes up often is that newer versions of the NetExtender client are not backward-compatible with older versions of SonicOS. Consequently, someone who connects via NetExtender to different firewalls at different offices may need to uninstall and reinstall NetExtender each time the target firewall changes. Mac support exists but is extremely buggy. – Skyhawk Dec 08 '12 at 00:23

2 Answers

0

I used GPOs once. Might be something to look into.

  • 1
    So far as I know, it is not possible to deploy the NetExtender MSI package via GPO because it requires installation of an unsigned driver. – Skyhawk Dec 08 '12 at 00:46
  • It would be nice to have clarification on whether a GPO would work; now I see two differing opinions. Miles' response makes more sense... and the other guy's name is "GPOsRUle", haha. – JArmani Dec 10 '12 at 14:09
  • You mentioned an MSI package, however. Where do you find the MSI installer? In testing, I've only tried launching NetExtender from the portal via a browser. – JArmani Dec 10 '12 at 14:18
0

NetExtender is neither thin nor browser-based. It cannot be deployed without administrator privileges and it cannot be deployed via GPO, because it requires installation of an unsigned network driver:

[Image: Unsigned driver warning]

Personally, I find it a bit disturbing that a security vendor would see fit to sell a product that requires training users to ignore bright red security warnings.

You may be able to get around this by disabling driver signing, but I have not tested this approach. Allowing unsigned drivers on a domain-wide basis really isn't an appropriate fix for a single vendor's broken product.

Comparing hype vs. reality:

What SonicWall says on their marketing web site about installing NetExtender:

NetExtender is not a fat client. It pushes a thin client transparently onto the client's desktop or laptop and installs it automatically to facilitate this broader level of access.

What SonicWall says on their support web site about installing NetExtender (abridged):

To initially install the NetExtender client, the user must be logged in to the PC with administrative privileges. Downloading and running scripted ActiveX files must be enabled on Internet Explorer. It is recommended that you add the URL or domain name of your SSL-VPN server to Internet Explorer's trusted sites list. This will simplify the process of installing NetExtender and logging in, by reducing the number of security warnings you will receive.

In my opinion, "transparently" is not the right word for this procedure.

Skyhawk