SonicWall VPN config deployment via Intune

This may be a question for SonicWall (not Intune Reddit) but here we go anyway. I’ve pushed a SonicWall VPN client successfully via Intune/EM to our client systems. The VPN client obviously requires a hostname/domain to connect, so I created a batch file that adds in the hostnames to our VPN servers, which I’ve tested by running locally on my system without issues:

@ECHO OFF
SET MPPATH="C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender"
CD %MPPATH%
NECLI.exe addprofile -s (our vpn hostname) -d (ourdomain)

I packaged the batch using IntuneWinApp - then built a new Win32 app in Intune. I deployed it to a test PC and even though Intune says it ran successfully on the target system, it did NOT add in the server hostnames. I am scratching my head, any advice?

Intune app properties:
Install command: (batch file name)
Uninstall command: (batch file name)
Rules format: Manually configure
Detection rules: File C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender (points to NECLI.exe)

App is configured to run w/ system account, not user account.
Runs in 64-bit (all of our clients are 64-bit Win10)

Update to people coming here after the fact. The easier way to do this is to modify the MSI file beforehand.

  1. Download the latest MSI from the SonicWall website.
  2. Install and open ORCA from Microsoft. (need SDK pack)
  3. Open the MSI and navigate to the PROPERTY section on the left.
  4. Change SERVER, DOMAIN to your desired values. Also, change ALLUSERS to value of 2. Change EDITABLE to TRUE.
  5. Right click and add a new row in the properties called NETLOGON with a value of true.
  6. Save.

Deploy the new MSI with intune and it will install to all users on the machine, have editable fields for the domain and server, but be prepopulated with your specified server and domain values if set. Silent install reference for other deployments
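The same Property-table edits can be scripted instead of clicked through in ORCA. The following is an added example, not code from the thread: it applies the properties listed in the steps to a copy of the MSI through the Windows Installer COM object, then prints the Authenticode status of both files, since editing a signed MSI changes the file the signature covers. The file paths, the SERVER and DOMAIN values, and the `Invoke-ComMethod` helper name are assumptions.

```powershell
# Added example, not from the thread. Paths and SERVER/DOMAIN values are placeholders.
$ErrorActionPreference = 'Stop'
$SourceMsi = 'C:\Temp\NetExtender.msi'              # placeholder: MSI downloaded from the vendor
$EditedMsi = 'C:\Temp\NetExtender-configured.msi'   # placeholder: copy that receives the edits

# Property names and the ALLUSERS/EDITABLE/NETLOGON values are the ones in the steps above.
$Properties = [ordered]@{
    SERVER   = 'vpn.example.com'   # placeholder
    DOMAIN   = 'EXAMPLE'           # placeholder
    ALLUSERS = '2'
    EDITABLE = 'TRUE'
    NETLOGON = 'true'
}

# Hypothetical helper: call a method on a Windows Installer COM object via late binding.
function Invoke-ComMethod {
    param($Object, [string]$Method, [object[]]$Arguments = @())
    $Object.GetType().InvokeMember($Method, 'InvokeMethod', $null, $Object, $Arguments)
}

Copy-Item -LiteralPath $SourceMsi -Destination $EditedMsi -Force
$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-ComMethod $installer 'OpenDatabase' @($EditedMsi, 1)   # 1 = transacted read/write

try {
    foreach ($name in $Properties.Keys) {
        $value = $Properties[$name]
        # Values end up inside SQL text, so refuse anything that could break the quoting.
        if ($value -notmatch '^[A-Za-z0-9._-]+$') { throw "Unexpected characters in $name" }
        # Delete-then-insert covers both existing rows (SERVER) and new rows (NETLOGON).
        $statements = @(
            ('DELETE FROM `Property` WHERE `Property` = ''{0}''' -f $name),
            ('INSERT INTO `Property` (`Property`, `Value`) VALUES (''{0}'', ''{1}'')' -f $name, $value)
        )
        foreach ($sql in $statements) {
            $view = Invoke-ComMethod $db 'OpenView' @($sql)
            Invoke-ComMethod $view 'Execute' | Out-Null
            Invoke-ComMethod $view 'Close' | Out-Null
        }
    }
    Invoke-ComMethod $db 'Commit' | Out-Null
}
finally {
    # Release the database handle so the file is closed before it is packaged.
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($db)
}

# Compare signature status of the vendor file and the edited copy before packaging.
Get-AuthenticodeSignature -FilePath $SourceMsi, $EditedMsi | Select-Object Path, Status
```

If the vendor file reports `Valid` and the edited copy does not, keep the original MSI and its hash on record so the deployed package can still be traced back to a verified download.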

What type of VPN is this? A S2S or P2S? Is it running in the Azure Cloud or on an appliance?

I have only a few client computers that need the SonicWall and I just give them the IP and domain and say, “enter this…”

I suspect you have far more people to support.

Could you add the profile as a separate task/app in Intune?

Can you do something similar to FortiClient?

I have this working… I added my required IP and domain by modifying the registry settings. I have it pushed out via Powershell script from Intune right now, but it does say that it “fails”, however, the registry changes are made and the connection information is visible in NE. I added a profile on a test machine, then copied the registry keys from there. Below are the registry keys I add to each new machine. (XXXX would be your info).

New-Item -Path "HKLM:\SOFTWARE" -name "SonicWall"

New-Item -Path "HKLM:\SOFTWARE\SonicWall" -name "SSL-VPN NetExtender"

New-Item -Path "HKLM:\SOFTWARE\SonicWall\SSL-VPN NetExtender" -name "Standalone"

New-Item -Path "HKLM:\SOFTWARE\SonicWall\SSL-VPN NetExtender\Standalone" -name "Profiles"

New-Item -Path "HKLM:\SOFTWARE\SonicWall\SSL-VPN NetExtender\Standalone\Profiles" -name "XXXXXXXXXXXXXX"

New-ItemProperty "HKLM:\SOFTWARE\SonicWall\SSL-VPN NetExtender\Standalone\Profiles" -Name defaultProfile -Value "XXXXXXXXXXXXXXXXXXXXXX" -Type String

New-ItemProperty "HKLM:\SOFTWARE\SonicWall\SSL-VPN NetExtender\Standalone\Profiles\XXXXXXXXXXXXXX" -Name server -Value "XXXXXXXXXXXXXXXX" -Type String

New-ItemProperty "HKLM:\SOFTWARE\SonicWall\SSL-VPN NetExtender\Standalone\Profiles\XXXXXXXXXXXXXX" -Name domain -Value "XXXXXXXXXXXXX" -Type String
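`New-Item` raises an error when the key it is asked to create already exists, so a script like the one above can report errors on a machine where part of the path is already present. The following is an added example, not the poster's script: it writes the same registry values idempotently, reads them back, and sets the exit code from the result. The XXXX values are placeholders as in the post, and the variable names are assumptions.

```powershell
# Added example, not from the thread. XXXX values are placeholders, as in the post above.
$ErrorActionPreference = 'Stop'

$ProfilesKey    = 'HKLM:\SOFTWARE\SonicWall\SSL-VPN NetExtender\Standalone\Profiles'
$ProfileName    = 'XXXXXXXXXXXXXX'           # placeholder: profile key name
$DefaultProfile = 'XXXXXXXXXXXXXXXXXXXXXX'   # placeholder: defaultProfile value
$Server         = 'XXXXXXXXXXXXXXXX'         # placeholder: VPN server
$Domain         = 'XXXXXXXXXXXXX'            # placeholder: VPN domain

# Desired state: one entry per registry value the original commands create.
$Wanted = @(
    @{ Key = $ProfilesKey;                Name = 'defaultProfile'; Value = $DefaultProfile }
    @{ Key = "$ProfilesKey\$ProfileName"; Name = 'server';         Value = $Server }
    @{ Key = "$ProfilesKey\$ProfileName"; Name = 'domain';         Value = $Domain }
)

try {
    foreach ($item in $Wanted) {
        # Create the key (and any missing parent keys) only when it is absent,
        # so existing keys are left alone and no "already exists" error is raised.
        if (-not (Test-Path -LiteralPath $item.Key)) {
            New-Item -Path $item.Key -Force | Out-Null
        }
        # -Force overwrites an existing value instead of failing on it.
        New-ItemProperty -LiteralPath $item.Key -Name $item.Name -Value $item.Value `
            -PropertyType String -Force | Out-Null
    }

    # Read every value back so the exit code reflects what is actually in the registry.
    foreach ($item in $Wanted) {
        $actual = (Get-ItemProperty -LiteralPath $item.Key -Name $item.Name).($item.Name)
        if ($actual -ne $item.Value) {
            throw "Mismatch at $($item.Key)\$($item.Name)"
        }
    }
    exit 0
}
catch {
    Write-Output "NetExtender profile deployment failed: $_"
    exit 1
}
```

Writing under HKLM needs an elevated or SYSTEM context, and the read-back loop can be reused on its own as a check that the profile is present.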

Thanks for this. Do you know if you can also edit the netextender .msi to set “Save user name & password if server allows” as default?

Might not be possible but do you know if it’s possible to do this and also have a secondary profile?

It’s a Windows SSL client that uses PPP. Azure cloud

About 280 endpoints. Yes, I have the profiles configured to deploy separately.

Modifying the msi is interesting, would be a last resort - I’ll try tinkering with deployment scripts and if no joy, I’ll explore this. Thank you.

Ah, wonderful, thank you. I actually did end up getting it working, with one caveat. I converted the script to Powershell, then deployed via intune and set it to run in the USER profile (not system profile). It works, but may be problematic when we deploy to users that do not have admin rights (the vast majority of users). I’ll try this if it doesn’t work out. Thank you!

I will try to test later, but I believe a second profile is just a dropdown in the UI for the Server box, so just adding 2 entries on the field may work. Not sure the separator that should be used, but it only takes a few mins to edit the msi and install/uninstall

Have you tried running the VPN on Azure Client to confirm it’s not the Sonic Wall application? Also, did you check your Intune logs at all?

Have you tried to upload it via Microsoft Store (Company Portal)?

Update: setting the script to run in the user profile WORKS even when deploying to users that don’t have admin rights (99% of them). It seems admin rights are not necessary to run the NECLI command line profile add rules. So we are all set!

That would be amazing. I’ve been digging around but could find where to put it.

You could deploy the MSI with specific flags to add the server and domain. Use ORCA to open up the MSI and you’ll see everything that can be customized.

I asked this in a previous thread

https://www.reddit.com/r/sonicwall/comments/y1gutk/netextender_deployment/?utm_source=share&utm_medium=ios_app&utm_name=iossmf