Preventing SonicWALL NetExtender from asking about certificates

Tags: automated-install, certificate, sonicwall

I'm trying to get SonicWALL NetExtender installed and operational using automated software that lets me upload files to a target computer, and run commands on that computer. So, I upload SonicWALL's certificates, upload NetExtender, run it, and try connecting.

The entire process works fine except for ONE part that requires manual involvement, which is breaking my ability to cause lots of stuff to be automated. The NetExtender software is asking about a certificate. How do I stop this?

Here's a log I've created.


"C:\Program Files (x86)\SonicWall\SSL-VPN\NetExtender\NECLI.exe" connect -s DNSNAME:#### -u vpnconn -d LocalDomain -p "NotPublic"
Connecting...
There is a problem with the site's security certificate.
Warning: The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.
Warning: The name on the security certificate is invalid or does not match the name of the site.
Do you want to proceed? (Y:Yes, N:No, A:Always trust, V:View Certificate)

Note: If I choose "A", and press Enter, then everything works fine. Furthermore, I can then repeat the process on that same machine.

I tried putting this into a batch file and running:
mybatch.bat > output.log
The result was a log file that kept showing the warning and prompt over and over again, growing to gigabytes within minute(s).

I haven't yet tried the approach of "echo A | NETCLI.EXE ...." (as suggested by Vlad's answer) because I don't see that as a desirable solution anyway. What if the software asked me something else unexpected? I feel like there should be a better way to handle this, causing the question to just be entirely avoided. So, I've been avoiding that approach, though my other attempts haven't yet come to fruition.

Note: Uploading a certificate file, or using a thumbprint from a known certificate, are options if that would help.

The certificate does appear to be self-signed. This question is nearly a duplicate of "How could I prevent NetExtender Cli to asking certificate confirmation?". However, that question is tagged Linux, whereas I'm trying to use a Professional variant of Microsoft Windows. Also, that question seems focused on the software asking about a self-signed cert, whereas the question I am getting is about a name mismatch. (Maybe it's really the same thing, just different versions of client software?)

I've tried running:
REG ADD "HKLM\SOFTWARE\SonicWALL\SSL-VPN NetExtender\Standalone\TrustCerts" /v %CLI_SITE%:4433 /t REG_SZ /d %CLI_THUMB_DATA%

I've tried making other registry entries looking like a profile under "HKLM\SOFTWARE\SonicWALL\SSL-VPN NetExtender\"

I've tried importing the certificate to TrustedPublisher using "certutil -addstore TrustedPublisher filename"

Either the solution eludes me, or I attempted something and did it wrong. I'm not finding a lot of relevant documentation on this.

Best Answer

The DNSName in the command should be the same as the DNS name of the certificate, or you will get this prompt. Getting a public certificate for the Sonicwall is inexpensive.
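
The name comparison described in the answer can be checked before NECLI is run, so the automation can see up front whether the value passed to -s is covered by the certificate. This is an added example, not code from the original post or from SonicWall. It assumes Python on the machine doing the check and the appliance certificate saved as a PEM file; the function names, the sample certificate and the default port of 443 are illustrative assumptions.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "fw01.corp.example"),),),
    "subjectAltName": (("DNS", "fw01.corp.example"), ("DNS", "*.vpn.example")),
}

def split_server(server, default_port=443):
    """Split the value given to NECLI's -s option ('name' or 'name:port')."""
    host, sep, port = server.rpartition(":")
    return (host, int(port)) if sep else (server, default_port)

def cert_names(cert):
    """Names a certificate is valid for: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(host, names):
    """Exact match, or a '*.' wildcard standing in for the left-most label only."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in names):
        if name == host:
            return True
        if len(name) > 2 and name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def fetch_cert(host, port, pem_path, timeout=5.0):
    """Fetch the appliance certificate, trusting only the PEM file already on hand."""
    ctx = ssl.create_default_context(cafile=pem_path)
    ctx.check_hostname = False  # the name is compared separately in check()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check(server, cert):
    """Return (ok, message) for the -s value against the certificate's names."""
    host, _ = split_server(server)
    names = cert_names(cert)
    if name_matches(host, names):
        return True, f"{host} is covered by the certificate"
    return False, f"{host} is not covered by {names}; use a name the certificate covers"
```

Against a live appliance, `check(server, fetch_cert(*split_server(server), "appliance.pem"))` gives the same verdict for the real certificate. It covers only the name-mismatch warning; the untrusted-issuer warning is a separate trust decision.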