I’ve been setting up SSLVPN connections for remote users by default but recently have been testing the Global VPN client instead.
I wondered what people’s opinions on each were and how you select one or the other for a given situation?
So far I’ve discovered that with a Global VPN you can use your own existing DHCP servers which is nice. SSLVPN on the other hand has a preset address object for its IP pool.
Also as a bonus question:
When using Global VPN and internal DHCP, how would I exclude users connected by VPN from security services such as CaptureATP?
When I’m connected via Global VPN and opening / transferring files from network shares, they’re being submitted to capture ATP which is slowing things down quite badly.
With SSLVPN, I would exclude the IP pool address object from Capture ATP. But with GVPN, since users get an IP from internal DHCP, I don’t think I can exclude them by address?
I like SSLVPN more, you can set it up with either net extender or just on Windows 10 into the built-in Windows VPN which is nice.
also I’ve seen several cases where people were traveling out of the country and global VPN didn’t work ironically. SSL VPN work just fine in those cases.
My understanding is Sonicwall has most part dropped support and updates and pushing for ssl vpn because the blocking of it at a lot of locations. Plus they make more money on ssl vpn.
Keeping client VPN in it’s own pool is better practice than using existing scope.
GVC is older and not a focus for SonicWall now. One of your replies hit the nail on the head, SSL is almost never blocked, but IPSEC definitely can be (and has been in environments I’ve managed).
SSL VPN is designed from the ground up for remote users. IPSec is designed for site to site deployments. IPSec does not like anything getting in the way such as NATing and if running as a client based solution security is reduced to support aggressive mode.
SSL VPN has none of the issues as it resides on the transport layer. In short if you can see the internet then it will work. Plus security is not compromised for the remote user. In short it is ideal for remote workers plus you don’t have to install a client on each endpoint.
I spend my days removing Mobile Connect from Windows 10 Machines as its absolute garbage. (DNS lookup failure being a big part of the issues) Netextender is also far easier to use from the customers point of view.
my capture atp is turned off for cifs, you should do that as well. IMO capture should only be scanning stuff coming in from the internet, http/s,pop,smtp,pop,imap
I have the same problem with security services (app control, intrusion prevention) blocking the vpn users. Is it safe to set the vpn users address object in exclusion lists for these services or is there a better way that anyone knows of?
I personally like ssl better, however with a lot of our users working remotely now, we realized that we get much better throughput using the GVC. These are all TZ series, mostly 400’s. It’s too bad, bc the GVC has some issues too but the throughput issue was the bottom line for our clients.
this was my understanding as well. And now, they’re not really doing much for NetExtender on Windows, but pushing you to the Sonicwall Mobile Connect client, which sucks (and Windows 10 sucks for the interface to even launch the VPN, but that’s a different story).
We have clients who were using NetExtender, but after their latest firmware update it stopped working. Mobile Connect, however, worked for them so there’s at least connectivity. We’ve also had no issues with SSL VPN because we can put it on 443, which is a the standard port for SSL connections and we can enforce 2FA with Duo, which we push to all our clients.
SSL and Global are the same cost. Customer demand pushed Many vendors, SonicWALL included towards SSL since it’s more flexible with all the different types of devices on the market today.
I agree. I get better throughput and better latency with global vpn. However, I did have issues where it would kill the throughput of my speedtests overall when it was installed. I noticed that in June a new Global VPN client update was posted. 4.10.4.0314. As long as I disable RSC on Wi-Fi (compatibility issue with most of our laptops e.g. surfaces), I get really good performance now.
Previous, I was having problems with global vpn, due to modern standby. After two minutes of idle, global vpn would drop its connection but it would not reflect that and say it was connected. Strangely, the fix was to install netextender. Netextender seems to disable modern standby. This also fixed our main application from disconnecting every 2 minutes on modern standby laptops (not just vpn).
So I have to install both, but use global vpn. Unless someone knows a fix for the modern standby issue.
They aren’t the same cost for everyone. 5 pack SSL VPN is the same cost as 10 G-VPN. Also I have seen the Netextender performance sucks on the TZ series (wimpy CPU - SSL hits it pretty hard). The TZ215 (yes I know its ancient) has a max 75 G-VPN but a max of 25 SSL-VPN.
Just logged into ingram portal 5 users is the same for both VPN types. I agree that SSL will be lower performance on TZ (especially the 7year old 215).
You can also do an SMA and not worry about it anymore, but again cost being the only factor it’s sometimes hard to justify