Security – How to control remote access to Sonicwall VPN beyond passwords

Tags: authentication, security, sonicwall, vpn

I have a SonicWall TZ-210.

I want an extremely easy way to limit external remote access to the VPN beyond just username and password, but I do not wish to buy/deploy an OTP appliance because that is overkill for my situation.

I also do not want to use IPSec because my remote users are roaming.

I want the user to be in physical possession of something, whether that is a pre-configured client with an encrypted key or a certificate .cer/.pfx of some sort.

SonicWall used to offer "Certificate Services" for authentication, but apparently discontinued that a long time ago. So, what is everyone using in its place?

Beyond the "Fortune 500" expensive solution, how do I limit access to the VPN to only those users who have possession of a certificate file or some other file or something beyond passwords?

Thanks.

Best Answer

According to the "SonicOS Enhanced 5.6 Administrator's Guide", they support Entrust, Microsoft, OpenCA, OpenSSL, and Verisign CAs. Here is a document entitled "Using OpenSSL to Create a Private Certificate Authority". Here is another document entitled "Using Microsoft's CA Server with SonicWALL Devices".

Roaming users do not prevent you from using IPsec. See the VPN section of the administrator's guide linked above.

Other than the SonicWall licensing cost and having a Certificate Authority set up, there are no other costs besides time. Granted, setting up a CA is a non-trivial task.