Secure Remote Access Contents Platform Compatibility...1 Known Issues...1 Resolved Issues...3 Upgrading SonicOS SSL VPN Firmware Procedures...4 Related Technical Documentation...6 Platform Compatibility The SonicOS SSL VPN 3.5.0.5 release is supported on the following platform: SonicWALL SSL-VPN 200 Known Issues The following are known issues in the SonicOS SSL-VPN 200 3.5.0.5 release: ActiveX Client Full domain name is not resolved by the RDP- ActiveX Client. Java Clients Occurs when the user attempts to create and use a bookmark for RDP-ActiveX, giving a full domain name as exchange2003ad.com for Use Custom Credentials. Workaround: Use JAVA RDP to log into the backend server full domain name. Remove.com from the domain name field to automatically log into the RDP. The browser stops responding after attempting to re-login to a VNC session. A VNC session disconnect request is not handled properly when the clipboard is open. The user is prompted to enter his password even though custom credentials are configured under the Automatically log in option for the bookmark. Occurs when the user successfully connect to a VNC Java bookmark and log in, then press the Disconnect button, and then press the Re-login button. Occurs when using Ubuntu 7.04 and Firefox 3.0.10. Occurs when the user connects to a VNC Java bookmark, enters text into the clipboard, and then presses the Disconnect button before closing the clipboard. Occurs when using Firefox 3.0.11 on a computer running Mac OS version 10.5.7. May occur when accessing a Terminal Services (RDP-Java) bookmark on a computer running Mac OS version 10.5.7 using Safari 3.2.3 or Firefox 3.0.11. 78778 80420 80387 80304
FileShares Pound sign characters (#) are replaced by underscores (_) in file names. FTP Occurs when using FileShares to connect to a system, and a file with pound characters (#) in its name is downloaded. The downloaded file will have underscore characters in its name in place of the pound characters. The file contents are not changed. Occurs on client machines running Windows XP or Vista. File Type is not preserved during FTP download for filenames containing special characters. NetExtender Occurs when connected to a system through an FTP bookmark, and a file with special characters (any of: =- _)(&^%$_@!~`][{}') in its name is downloaded. For example, a downloaded Word file will no longer have the.doc extension. RAS error 638 occurs when there is network failure while NetExtender is trying to reconnect. The NetExtender client for Linux fails to connect with a pppd error. User Interface Occurs when a user connects with the NetExtender Windows client, and then network connectivity is lost during the connection process after the user authentication is done and when the NetExtender window is showing Connecting. The error message is due to an error code returned by the Windows Remote Access Services (RAS) subsystem. Occurs when launching NetExtender from a Linux machine, either in the SSL VPN user interface or on the command line. The headings in the left side navigation frame disappear after scrolling up and then down using the mouse scroll wheel. Occurs when using a Safari browser on a Mac computer. Workaround: Hover the mouse pointer over the up arrow near the bottom of the left frame. This will scroll the menu back into view. Or use the browser controls to reload, refresh or go back a page. 80188 71248 79123 78674 80807
Resolved Issues The following issues are resolved in the SonicOS SSL-VPN 200 3.5.0.5 release: ActiveX Client An ActiveX control method contains a stack buffer overflow vulnerability that can cause the Internet Explorer browser to crash. FileShares Occurs when the addroute6entry() method in the NELaunchCtrl ActiveX control is used. File shares with long names consisting of all numbers cannot be deleted unless renamed. Occurs when attempting to delete a file share on a system accessed via a CIFS File Share bookmark, where the file share name consists of a long series of numbers, such as 12345678901234.txt. If the file is renamed to a shorter name, it can then be deleted. 86876 Uploading large files over an HTTP File Share bookmark times out. NetExtender Occurs when uploading 50MB or larger files. Workaround: Use NetExtender or Java File Share bookmark to transfer large files. The NetExtender driver does not install properly on machines with an Ericsson F3507g Mobile Broadband Minicard. System Occurs because the Ericsson Minicard has a hardware ID with more than 256 characters, which causes one of the Windows API calls to return an error when NetExtender tries to query the previous NetExtender driver for upgrade. The SSL-VPN 200 displays an error message stating that the NetExtender client address range appears exhausted when a user attempts to connect using NetExtender. Vulnerability Occurs when the appliance has been running for a few days, allowing users to log in with NetExtender, but the lock files corresponding to an assigned NetExtender IP address are not cleaned up after the connection closes. A Man-In-the-Middle vulnerability exists when renegotiating a TLS session. A Slowloris denial of service attack can cause all available connections on the SSL-VPN appliance to be consumed, preventing access to the SSL-VPN Web server. Occurs when a server has client-initiated renegotiation enabled, and renegotiation is carried out in an existing TLS connection between a client and server. Workaround: Disable SSL/TLS session renegotiation. Restructure client certificate authentication feature to be either on or off for entire portal. Occurs when a Slowloris denial of service attack is launched that creates many HTTP connections, where each connection stops sending data within the HTTP headers or body. Workaround: Add per-ip address rate-limiting on an upstream firewall. 86308 80055 87806 72858 85259 83641
Upgrading SonicOS SSL VPN Firmware Procedures The following procedures are for upgrading an existing SonicOS SSL VPN image to a newer version. Obtaining the Latest SonicOS SSL VPN Image Version...4 Exporting a Copy of Your Configuration Settings...4 Uploading a New SonicOS SSL VPN Image...4 Resetting the SonicWALL SSL-VPN 200 Using SafeMode...5 Obtaining the Latest SonicOS SSL VPN Image Version 1. To obtain a new SonicOS SSL VPN image file for your SonicWALL security appliance, connect to your mysonicwall.com account at <http://www.mysonicwall.com>. Note: If you have already registered your SonicWALL SSL-VPN appliance, and you selected Notify me when new firmware is available on the System > Settings page, you are automatically notified of any updates available for your model. 2. Copy the new SonicOS SSL VPN image file to a directory on your management station. Exporting a Copy of Your Configuration Settings Before beginning the update process, export a copy of your SonicWALL SSL-VPN appliance configuration settings to your local machine. The Export Settings feature saves a copy of your current configuration settings on your SonicWALL SSL-VPN appliance, protecting all your existing settings in the event that it becomes necessary to return to a previous configuration state. Perform the following procedures to save a copy of your configuration settings and export them to a file on your local management station: 1. Click the Export Settings... button on the System > Settings page and save the settings file to your local machine. The default settings file is named sslvpnsettings.zip. Tip: To more easily restore settings in the future, rename the.zip file to include the version of the SonicWALL SSL VPN image from which you are exporting the settings. Uploading a New SonicOS SSL VPN Image Note: SonicWALL SSL-VPN appliances do not support downgrading an image and using the configuration settings file from a higher version. If you are downgrading to a previous version of a SonicOS SSL VPN image, you must select Uploaded Firmware with Factory Defaults New!. You can then import a settings file saved from the previous version or reconfigure manually. 1. Download the SonicOS SSL VPN image file from www.mysonicwall.com and save it to a location on your local computer. 2. Select Upload New Firmware from the System > Settings page. Browse to the location where you saved the SonicOS SSL VPN image file, select the file, and click the Upload button. The upload process can take up to one minute.
3. When the upload is complete, you are ready to reboot your SonicWALL SSL-VPN appliance with the new SonicOS SSL VPN image. Do one of the following: To reboot the image with current preference, click the boot icon for the following entry: Uploaded Firmware New! To reboot the image with factory default settings, click the boot icon for the following entry: Uploaded Firmware with Factory Defaults New! Note: Be sure to save a backup of your current configuration settings to your local machine before rebooting the SonicWALL SSL VPN appliance with factory default settings, as described in the previous Saving a Backup Copy of Your Configuration Settings section. 4. A warning message dialog is displayed saying Are you sure you wish to boot this firmware? Click OK to proceed. After clicking OK, do not power off the device while the image is being uploaded to the flash memory. 5. After successfully uploading the image to your SonicWALL SSL-VPN appliance, the login screen is displayed. The updated image information is displayed on the System > Settings page. Resetting the SonicWALL SSL-VPN 200 Using SafeMode If you are unable to connect to the SonicWALL security appliance s management interface, you can restart the SonicWALL security appliance in SafeMode. The SafeMode feature allows you to quickly recover from uncertain configuration states with a simplified management interface that includes the same settings available on the System > Settings page. To reset the SonicWALL security appliance, perform the following steps: 1. Connect your management station to a LAN port on the SonicWALL security appliance and configure your management station IP address with an address on the 192.168.200.0/24 subnet, such as 192.168.200.20. Note: The SonicWALL security appliance can also respond to the last configured LAN IP address in SafeMode. This is useful for remote management recovery or hands off recovery in a datacenter. 2. Use a narrow, straight object, like a straightened paper clip or a toothpick, to press and hold the reset button on the security appliance for five to ten seconds. The reset button is in a small hole next to the power supply. Reset Button SSL-VPN Tip: If this procedure does not work while the power is on, turn the unit off and on while holding the reset button until the Test light starts blinking. The Test light starts blinking when the SonicWALL security appliance has rebooted into SafeMode. 3. Connect to the management interface by pointing the Web browser on your management station to http://192.168.200.1. The SafeMode management interface displays. 4. Try rebooting the SonicWALL security appliance with your current settings. Click the boot icon in the same line with Current Firmware. 5. After the SonicWALL security appliance has rebooted, try to open the management interface again. If you still cannot open the management interface, use the reset button to restart the appliance in SafeMode again. In SafeMode, restart the SonicOS SSL VPN image with the factory default settings. Click the boot icon in the same line with Current Firmware with Factory Default Settings.
Related Technical Documentation This section contains a list of technical documentation available on the SonicWALL Technical Documentation Online Library located at: http://www.sonicwall.com/us/support.html Information about the SonicWALL SSL-VPN 200 appliances can be found in the many reference guides available on the Web site, including the following: SonicWALL SSL-VPN 200 Getting Started Guide SonicOS SSL VPN 3.5 Administrator s Guide SonicOS SSL VPN 3.5 User s Guide Advanced Deployment Technical Notes Last updated: 3/31/2010