
SonicOS Enhanced Wizards

SonicOS Enhanced 2.1 introduces two wizards—a Setup Wizard and a
Public Server Wizard—designed to automate some of the more complex
features of SonicOS Enhanced. These wizards were designed in direct
response to feedback from end-users, resellers, SEs and SonicWALL
Support Services to address the relative involvedness of performing
these two perfectly commonplace operations on SonicOS Enhanced as
compared to SonicOS Standard. This document will review the new wizard
processes, and will describe their intended behavior.

Accessing the Wizards


The main Wizards access area is the newly added “Wizards” tab in the
outlookView.html navigational panel. Clicking the Wizards tab will
launch the “SonicWALL – Configuration Wizard” (metaWizIntro.html) popup
window, allowing for the selection of the Setup Wizard or the Public
Server Wizard:

• The meta-launch page “SonicWALL – Configuration Wizard” can also
be accessed from the “Wizards” button on the top right of the
System > Status (main) page.
• The Setup Wizard is directly accessible from the Network >
Interface page.
• The Public Server Wizard is directly accessible from the Network
> Address Objects, Network > NAT Policies, and any Firewall >
Access Rules > Zone to Zone pages.

The Setup Wizard


The Setup Wizard follows closely the format of the existing Setup
Wizard, beginning with the Password page – prompting the administrator
to change the password, followed by the Time Zone settings page:

The next step prompts the administrator to select the type of WAN
connection (Static IP, DHCP, PPPoE, or PPTP) and provides hyperlinked
descriptions via popup windows to each of these connection types.
Selecting a type, for example “Static IP” and clicking “Next” will
bring up the appropriate configuration screen:

This is followed by the LAN Settings configuration and, when
applicable, the DHCP Server configuration screens:

Note: The Wizard will query the LAN for a DHCP server prior to
presenting the DHCP Server configuration screen; if an existing DHCP
server is detected on the LAN segment by the Wizard, the internal DHCP
server configuration screen will not be presented so as to avoid a
potential DHCP server conflict.

The next page will summarize the values assigned by the Wizard, and
will prompt the user to Apply the settings. While the settings are
being applied, which should take approximately 5 seconds, a status
window will show an animated progress indicator:

Once complete, a final page will be presented showing the applied
values, and explaining how to access the management GUI. The SonicWALL
should not require a restart for the values to be applied. A link
(“Next, you should click here…”) will also be provided to the System >
Licenses page so that the administrator may register the unit:

The Public Server Wizard

The Public Server Wizard is the most ambitious and functional wizard
developed to date. It simplifies the complex process of creating a
publicly and internally accessible server resource by automating the
following steps:

• Creating the necessary Address Objects
• Creating a group of Service Objects
• Creating the necessary WAN > Zone Access Rules for public access
• Creating the necessary Zone > Zone Access Rules for internal
access
• Defining the appropriate NAT Policies for external access
• Defining the appropriate NAT Policies for internal (Firewalled
Subnets) Loopback access.

The first page of the Public Server Wizard prompts the administrator
to select the kind of server to make available. Predefined types, and
their individually selectable included services are:

1. Web Server – includes HTTP (TCP 80) and HTTPS (TCP 443)
2. FTP Server – includes FTP (TCP 21)
3. Mail Server – includes SMTP (TCP 25), POP3 (TCP 110) and IMAP
(TCP 143)
4. Terminal Services Server – includes MS RDP (TCP 3389) and Citrix
ICA (TCP 1494)
5. Other - allows the administrator to select or define their own
Services or Service Groups.

Notes:
• At least one service must be selected for any Server type.
• If enabled, WAN Access to the Web GUI will take precedence over a
Public Web Server using the Primary WAN IP as a public (external)
address. WAN Access to the Web GUI should be disabled, or the
port values should be changed from their defaults if a Public Web
Server is being configured on the Primary WAN IP.

The second page prompts the administrator to provide the private
(internal) IP address for the server, and to provide a name and a
comment. The name provided will be used in the construction of the
resulting Objects, Rules, and Policies, so it should be appropriately
named:

The third page prompts the administrator to select the public
(external) IP address for the server. By default, the WAN Primary IP
address will be provided, and the object of the same name will be
reused. Specifying a different value will create a new Address Object as
needed, and will name it serverName_public (for example,
myWebServer_public). The final screen will provide a summary of values
provided, and a description of actions to be taken:

Quite a bit of information is provided in this last screen, because
the Wizard is doing a significant amount of work:

Server Address Objects

1. Create 'myWebServer_private' assigned to LAN Zone for Host
   192.168.168.80.
      The address object will be created and named
      serverName_private, and will be assigned to the correct Zone as
      determined by the address provided.

2. Reuse 'WAN Primary IP' address object assigned to WAN Zone for
   10.50.165.11.
      If the IP provided is that of the WAN interface, the WAN Primary
      IP object will be reused, otherwise a new object will be created
      and named serverName_public, assigned to the WAN Zone.

Server Service Group Object

1. Create 'myWebServer_services' with HTTP and HTTPS Services.
      Rather than creating individual NAT policies and Access Rules
      for each service, a single service group, named
      serverName_services, will be created. The administrator can then
      add additional services to this group to easily enable more
      public service accessibility.

Server NAT Policies

1. Create Server NAT Policy to rewrite packets to original destination
   'WAN Primary IP' to translated destination 'myWebServer_private'
   for Service Group 'myWebServer_services'.
      A NAT rule is created allowing hosts on the Internet (WAN→Zone)
      to reach the public server by translating from the Public IP
      object to the Private IP object for the appropriate services.

2. Create Loopback NAT Policy to allow access from all internal zones
   to the server at public IP address 10.50.165.11.
      Solving one of the more prevalent issues with SonicOS Enhanced,
      a Loopback NAT policy will be created, allowing the new Address
      Object “Firewalled Subnet” (inclusive of all existing non-WAN
      subnets) to reach the Public Server via its public (external)
      address. No NAT Policy is necessary to allow access from the
      “Firewalled Subnets” via the private (internal) address.

Server Access Rules

1. WAN > LAN - Allow 'Any' to 'WAN Primary IP' for Service Group
   'myWebServer_services'.
      An Access Rule is created allowing access from the WAN→Zone
      (e.g. LAN) via the appropriate Public IP Address Object (in this
      case, the WAN Primary IP) for the required services group.

Similar rules will be created from all lower security zones to the
LAN zone.
      If the Public Server resides on a Trusted Zone instance (e.g.
      the LAN), Access Rules will be created as needed to allow
      LAN→LAN and DMZ→LAN access. If the Public Server resides on a
      Public Zone instance (e.g. the DMZ), Access Rules will be
      created as needed to allow DMZ→DMZ access; Trusted Zones will
      have access to Public Zones by default.

Clicking “Apply” will show the animated progress screen while the
settings are applied, followed by the final summary screen:

Testing the Public Server


You may wish to verify that all Objects, Rules, and Policies were
created as described above. After doing so, access from the WAN should
be tested from an external host, and internal (“Firewalled Subnets”)
access should be tested from all applicable zones and interfaces via
both the private and public addresses.
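
For the verification step above, the following added example (not SonicWALL code and not part of the original document) builds the set of Objects, NAT Policies and Access Rules the wizard is described as creating, so it can be compared with what is read off the unit. The three-zone model (WAN, LAN, DMZ), the management ports 80/443, and all function and field names are assumptions of this sketch.

```python
from typing import NamedTuple

# Assumptions of this sketch: three zones (WAN, LAN = Trusted, DMZ = Public)
# and Web GUI management on its usual default ports.
TRUSTED, PUBLIC = {"LAN"}, {"DMZ"}
MGMT_DEFAULT_PORTS = {80, 443}

class WizardInput(NamedTuple):
    name: str               # server name typed on the second page
    private_ip: str
    public_ip: str
    zone: str               # zone the private address falls in
    ports: tuple            # TCP ports of the selected services
    wan_primary_ip: str
    wan_mgmt_enabled: bool = False

def expected_config(w):
    """Objects, NAT policies and access rules the wizard is described as creating."""
    if not w.ports:
        raise ValueError("at least one service must be selected")
    if w.zone not in TRUSTED | PUBLIC:
        raise ValueError(f"zone {w.zone!r} is outside this sketch's zone model")
    reuse = w.public_ip == w.wan_primary_ip
    pub = "WAN Primary IP" if reuse else f"{w.name}_public"
    priv, svc = f"{w.name}_private", f"{w.name}_services"
    objects = {priv: (w.zone, w.private_ip), svc: tuple(sorted(w.ports))}
    if not reuse:           # a new WAN-zone object is made only when needed
        objects[pub] = ("WAN", w.public_ip)
    nat = [
        {"kind": "server", "orig_dst": pub, "xlat_dst": priv, "service": svc},
        {"kind": "loopback", "source": "Firewalled Subnets", "orig_dst": pub, "service": svc},
    ]
    # The WAN rule is always present; internal rules depend on the zone type.
    sources = ["WAN", "LAN", "DMZ"] if w.zone in TRUSTED else ["WAN", "DMZ"]
    rules = [(src, w.zone, svc) for src in sources]   # (from zone, to zone, service group)
    warnings = []
    if reuse and w.wan_mgmt_enabled and MGMT_DEFAULT_PORTS & set(w.ports):
        warnings.append("WAN Web GUI access takes precedence on the Primary WAN IP")
    return {"objects": objects, "nat": nat, "rules": rules, "warnings": warnings}

def missing_objects(expected, observed_names):
    """Expected object names absent from a list read off the device."""
    seen = set(observed_names)
    return sorted(n for n in expected["objects"] if n not in seen)

# Constructed sample: the myWebServer values used in this document.
SAMPLE = WizardInput("myWebServer", "192.168.168.80", "10.50.165.11", "LAN",
                     (80, 443), "10.50.165.11", wan_mgmt_enabled=True)
```

Any entry on the unit that is not in the expected set, or any non-empty warnings list, is worth reviewing before external access is tested.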
