Customizing the Sonicwall Content Filter

Posted on June 25, 2008 at 1:45 pm by Jason Lee


Tweaking our Sonicwall gear continues, and I have to say it responds quite well to our ever-changing needs. Several of our ministries needed our content filtering tweaked for their needs, but IT and our leadership team didn’t want to open entire categories in the filter to allow specific sites across the board, especially since we are using that content filtering for our core network AND our public Wi-Fi. So, enter the Sonicwall Single Sign-On Agent (SSO).

Sonicwall has offered the SSO agent since the release of version 4 last fall, but it took us quite a while to get this project to the top of the list and get it tested before we deployed it into production. Basically, the SSO agent lets the firewall identify the Windows user who is logged into a workstation, so firewall policy can be applied to that user rather than just to the workstation’s address.

The configuration process is fairly basic (although, because of several issues, I won’t say easy).

What you need to make this happen:

  • A Sonicwall firewall with an active Content Filtering Service (CFS) subscription and CFS enabled
  • The Sonicwall SSO agent installed on a networked machine (in our case a virtual server)
  • A working MS Active Directory structure for your domain.
  • User(s) added to groups defined in Active Directory.

The biggest hurdle we had was the SSO agent failing on us. We would get everything running in our test environment, and then the agent service would stop and there was no web access. You can set the device to fail open if the SSO agent fails, but we elected to drop down to the default CFS policy for all users if the agent fails. We downloaded a more recent version of the SSO agent and moved it to a more stable server, and that seemed to resolve the issue.

First you need to adjust the content filter to allow access to the specific sites you want some users to access.

  • The catch: you can’t allow/deny access to a specific URL based on the logged-in user or group. To resolve this we first had to allow the specific sites we need through the content filter. This is a simple whitelist entry in the content filter.
    • Note that this excludes the URL from all content filters, so the firewall rule below is what actually restricts who can reach it.
  • Then use the firewall rules, which have the AD-group granularity you need.
    • Create a firewall rule that allows access to the sites for the specified groups and denies it for all others.
    • This of course only applies on the authenticated side. Other zones and non-Windows machines follow the default rules, and the exceptions are provisioned per user. Since firewall rules take priority over CFS, the site can be an exception in the CFS, but only members of the allow group are able to view it.

Posted in Hardware, SonicWall | Comments: 1

E-Class + 30mb pipe = anti-climatic?

Posted on May 14, 2008 at 9:35 pm by Jason Lee

So after all the demos and testing going live with our new firewalls was fairly anti-climactic. 

Months ago we started the demos with some great sales staff at Fatpipe, Radware, and Astrocom on load-balancing devices, and all performed well head to head. We had narrowed the field down to Radware, primarily because of the included services. Fatpipe wanted us to pay extra for the same QoS that Radware included (not to mention that Radware performed better head to head with the others), and the Astrocom boxes just didn’t handle the demo well.

So we were all but ready to move forward with Radware until Jeremie and I took a road trip to Ohio for a SonicWall Road Show where we learned a lot about the new E-Class firewall.  The E-Class is SonicWall’s answer to the enterprise environment.  After the Road Show our reseller (Mark at CMSupportServices.com) gave us the opportunity to have a 30 day demo of the E-Class and we couldn’t pass up that opportunity. 

Finally we decided that we would purchase the E-Class… Why, you ask? While there were some services that came with the Radware hardware, the yearly recurring costs were fairly high. Even after comparing the E-Class with Radware, we decided the features that the Radware had over the E-Class were not important to us. But we did come to the conclusion that the E-Class performed very well and had the added benefits that we didn’t have an ‘extra’ set of additional appliances, and the yearly recurring costs were very much in range with what we were already paying for the services we had on our SonicWall 4060. The last benefit was a great bonus: we now would have a redundant pair of firewalls, removing that nagging concern that we were purchasing hardware to balance and give us failover capability with our ISPs while our firewalls were still a single point of failure. So we put the E-Class through the same tests and it has performed very well.

So why has it been anti-climactic? We had put the E-Class into production once during a test but were waiting for our next work night to roll out the new E-Class firewalls, but then life happens. Around 11 am all the web-based applications on my desktop started failing, so I called our great network admin Jeremie. A few minutes later JK comes to my office and says a Jeremie quotable… “Hey, so do you want to migrate to the E-Class this morning?” Knowing Jeremie, I knew this wasn’t good news. JK went on to explain that our 4060 was in a reboot loop, so we had the choice: move forward with the replacement of the firewall and migrate to the E-Class, or connect with support to resolve the issues with the 4060 and have a longer outage.

So after a few minutes of Jeremie showing the Pro 4060 who was boss… we elected to make the jump to the E-Class.

4060 Not Happy 

Eclass Goes Live

We decided to make the jump since most of the rules and routing had already been built by Jeremie for our tests. So about an hour later we were back up and running with all mail and web services working well. (The delay was because we have elected to route all our internally hosted services in and out of our T-1 while our other traffic is load balanced. Because of this unique route, email wasn’t going outbound, but this was quickly resolved by a call to support.)

So we made the migration to our new redundant ISPs and expanded bandwidth… with some extra added excitement.

For those who have asked…Yes, we are planning to sell our recently decommissioned Pro 4060 (after we get the reboot loop resolved under our support contract, of course!).  Let me know if you would like to have an opportunity to purchase this 1 1/2 year old gear.

Great job to my staff!  Jim & Jeremie you guys are great! (Linda you are too, but well you were off playing, partying and having fun at the ACS Convention and missed all the excitement.)

Posted in Hardware, SonicWall | Comments: 5

48 hour Work night?

Posted on May 7, 2008 at 9:05 am by Jason Lee

Recently we were using Sonicwall’s BMR (Bare Metal Recovery), powered by Acronis True Image, to back up our file server and move data and permissions from a physical to a virtual disk. We wanted to keep the drive intact as much as possible, so we decided to try the BMR to move the data. When we started the restore we saw the status message below and decided we had better change to plan B, since we didn’t have a 2-day work night scheduled.


Posted in SonicWall | Comments: 2

Installing Wildcard SSL Certificates

Posted on March 24, 2008 at 7:00 am by Jason Lee

Our SSL certificates were up for renewal, so we began to investigate the most cost-effective method for our multiple SSL certificates. We had two separate certificates, one for SSL-VPN and one for our Exchange server, and expected to need additional certificates. This led us to the decision to purchase a Wildcard Certificate, which allows us to use it for anything that is a subdomain of our primary domain name.

We have an SSL-VPN 2000, but Sonicwall doesn’t really have any documentation addressing the use of wildcard certificates on this appliance. Their documentation is fairly straightforward about how to request and import a normal certificate, but makes no mention of using a Wildcard Cert. Since the SSL-VPN’s certificate was going to expire sooner than our Exchange server’s, and since the process to import a certificate on the Sonicwall is a little more complex than on Windows IIS6, we decided to start with the request from the SSL-VPN box.

The process to request and install the Certificate on the SSL-VPN 2000 is as follows:

  • Create a Backup of the SSL-VPN Appliance
  • Go to the System > Certificates page and click on the Generate CSR button.
  • Complete the CSR window. 
  • Enter the Fully Qualified Domain Name as *.domain.org
  • Enter your organization’s name as registered name with the State. 
    • Our first submission to the CA failed because we entered the organization name as Northwoods Community Church, but the CA required our request to be entered under the name Northwoods Community Church, Inc. We were told this was the case because the liability value is higher with a Wildcard Certificate than with the inexpensive SSL certificates.
  • Enter and Document the request password.
    • You will need this when you import the certificate.
  • Save the csr.zip file from the SSL-VPN console to your local workstation.
  • Unzip the csr.zip and save the server.key file for use after you receive your certificate from the CA.
  • Open the server.csr file with notepad and copy the contents of the server.csr file to the CA web interface to make your request.
  • After the domain.org.crt file is received from the CA, copy the .crt file and the .key file that was created during your CSR request to a common directory.
  • Rename the .crt file server.crt and zip the directory.
  • Be sure the .zip file is named certkey.zip
  • Login to the SSL-VPN Appliance, Go to System > Certificates.
  • Click on ‘Import certificate…’ button.
  • In the pop-up that appears, select the ‘certkey.zip’ file you just created and click on import.
  • If it is successful, the screen will now say ‘pending’.
  • Activate the certificate by clicking on Configure icon next to new cert.
  • You will be prompted to enter the password you entered when creating the CSR. Enter this and click on the Submit button. The screen will now say ‘inactive’.
  • This next step will reboot the box.
  • Select the Enable radio button next to the new certificate and click on the Apply button in the upper-right-hand corner.
  • After the reboot, your certificate is now active.

To install the certificate on an additional server, in our case an IIS6 web server, you will need to import the certificate as a .pfx, which bundles the certificate with its private key (the server.key file you saved from csr.zip).

  • Download the certificate from your web browser to a .cer file by going to the website that is using the SSL cert and choosing to view the certificate.
  • Go to the details tab and choose copy to file and save the certificate as a .cer format.
  • To import the certificate into IIS you will need to convert the .cer file to a .pfx file. The .pfx must also contain the private key, so have the server.key file from csr.zip at hand.
  • Convert the files using OpenSSL
    • After installing OpenSSL, click START > RUN and type cmd.exe.
    • Navigate to the path where you installed your OpenSSL binaries.
    • Within this directory chdir to bin.
    • Type the following command to convert the .CER from DER to PEM format (if you chose the Base64-encoded option when saving the .cer, the file is already PEM and this step can be skipped):
      • openssl x509 -in <drive:\path\to\cert>.cer -inform DER -out <drive:\path\to\cert>.pem -outform PEM
    • Then bundle the PEM certificate and the private key into a .pfx. You will be prompted for an export password; this is the password IIS asks for when importing:
      • openssl pkcs12 -export -in <drive:\path\to\cert>.pem -inkey <drive:\path\to\server>.key -out <drive:\path\to\cert>.pfx
    • Take the exported .pfx file and save it in a location where you can access it from your IIS server.
  • Open IIS and go to the properties of the web you are configuring with the SSL certificate.
  • Go to the Directory Security tab and select Server Certificate under Secure Communications.
  • Choose Import a certificate from a .pfx file
  • Enter the password you gave the .pfx file when you created it.
  • After the certificate is imported, rerun the wizard, choose ‘Assign an existing certificate’ to the site, and pick the new certificate that you just imported.

You should now be able to browse the second web server with the SSL wildcard certificate active. Save the .pfx file for future use; it can be imported into a future web server to utilize the wildcard certificate. Since the .pfx contains the private key, keep it somewhere only administrators can reach.
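The conversion steps above, rehearsed end to end with OpenSSL as an added example (this is not the post’s own script nor anything from Sonicwall). It assumes `openssl` is on the PATH; the appliance’s CSR step and the CA’s signature are stood in for with a locally generated key and a self-signed certificate so the script runs offline, and the `*.domain.org` name and the export password are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): rehearse the wildcard-cert flow
# offline. The SSL-VPN's CSR and the CA's signature are stood in for with
# openssl so the script runs without an appliance or a CA.
set -eu
WORK="${TMPDIR:-/tmp}/wildcard-demo"
mkdir -p "$WORK" && cd "$WORK"

# Stand-in for "Generate CSR" on the appliance: server.key + server.csr
# with the FQDN entered as *.domain.org, as the post describes.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=*.domain.org" 2>/dev/null
# Stand-in for the CA: self-sign the CSR (a real CA returns domain.org.crt).
openssl x509 -req -in server.csr -signkey server.key -out server.crt -days 30 2>/dev/null
# Stand-in for the browser's "copy to file" saved in DER form.
openssl x509 -in server.crt -outform DER -out cert.cer

# Does the CSR actually request the wildcard name?
csr_is_wildcard() { openssl req -in "$1" -noout -subject | grep -q '\*\.domain\.org'; }
# Step 1 from the post: DER .cer -> PEM
der_to_pem() { openssl x509 -in "$1" -inform DER -out "$2" -outform PEM; }
# Step 2: bundle cert + private key into a password-protected .pfx
pem_to_pfx() { openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"; }
# Check that the .pfx opens with the password, carries the wildcard cert,
# and holds the private key that matches it (same RSA modulus).
verify_pfx() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    openssl x509 -noout -subject 2>/dev/null | grep -q '\*\.domain\.org' || return 1
  cert_mod=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    openssl x509 -noout -modulus)
  key_mod=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    openssl rsa -noout -modulus 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

csr_is_wildcard server.csr
der_to_pem cert.cer cert.pem
pem_to_pfx cert.pem server.key cert.pfx 'ExportPassw0rd'
verify_pfx cert.pfx 'ExportPassw0rd' && echo "cert.pfx is ready to import into IIS"
```

Running `verify_pfx` against the real .pfx before copying it to the IIS server catches the two usual mistakes: a .pfx built without the matching server.key, and a forgotten export password.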

Posted in Church IT, Hardware, SonicWall | Comments: 1