COMPREHENSIVE INTERNET SECURITY SonicWALL Secure Remote Access Appliances SonicWALL SSL VPN 5.
Table of Contents
Using This Guide
About this Guide
Organization of this Guide
Guide Conventions
Icons Used in this Manual
Installing NetExtender on Android Smartphones
Using NetExtender on Android Smartphones
Related Documents
Using Virtual Assist
Understanding Virtual Assist
Using This Guide

About this Guide

Welcome to the SonicWALL SSL VPN User’s Guide. This manual is a user's guide. It provides information on using the SonicWALL SSL VPN user portal called Virtual Office that allows you to create bookmarks and run services over the SonicWALL SSL-VPN security appliance.

Note: Always check http://www.sonicwall.com/us/Support.html for the latest version of this manual as well as other SonicWALL products and services documentation.
Guide Conventions

Icons Used in this Manual

These special messages refer to noteworthy information, and include a symbol for quick identification:

Tip: Useful information about security features and configurations on your SonicWALL.
Note: Important information on a feature that requires callout for special attention.

SonicWALL Technical Support

For timely resolution of technical support questions, visit SonicWALL on the Internet at http://www.sonicwall.com/us/Support.html.
More Information on SonicWALL Products

Contact SonicWALL, Inc. for information about SonicWALL products and services at:

Web: http://www.sonicwall.com
Email: sales@sonicwall.com
Phone: (408) 745-9600
Fax: (408) 745-9300

Current Documentation

Check the SonicWALL documentation Web site for the latest versions of all SonicWALL product documentation at http://www.sonicwall.com/us/Support.
Virtual Office Overview This chapter provides an overview of the SonicWALL SSL VPN user portal. It also includes an introduction to the SSL-VPN and its features and applications.
Browser Requirements • Using the NetExtender SSL VPN client – The SonicWALL SSL VPN network extension client, NetExtender, is available through the SSL VPN Virtual Office portal via an ActiveX control or through stand-alone applications for Windows, Linux, MacOS, Windows Mobile, and Android smartphone platforms. To connect using the SSL VPN client, log into the portal, download the installer application and then launch the NetExtender connector to establish the SSL VPN tunnel.
Browser Requirements The following table provides specific browser requirements. How to read this table: Application Proxy Features and Browser Requirements NetExtender Windows XP Windows Vista Windows 7 Linux MacOS X browser browser independent independent (Java 1.6.0_10+)(Java 1.6.0_10+) RDP5 (Java 1.6.0_10) RDP5 (ActiveX) Feature Browser OS Platform RDP5 (Java 1.6.0_10+) Minimum Recommended Browser Versions: 7 3 6 7 3 6 7 3 6 6 3 5 6 VNC (Java 1.6.0_10+) Telnet (Java 1.6.
Virtual Assist is fully supported on Windows platforms. Virtual Assist is certified to work on Windows 7, Windows Vista and Windows XP. Limited functionality is supported on Mac OS, where customers can request assistance via web requests.

Web Management Interface Overview

From your workstation at your remote location, launch an approved Web browser and browse to your SSL-VPN appliance at the URL provided to you by your network administrator.
Note: From the Virtual Office portal home page, you cannot navigate to the administrator’s environment. If you have administrator privileges and want to enter the administrator environment, you need to go back to the login page, enter a username and password that have administrator privileges, and log in again using the LocalDomain domain. Only the LocalDomain allows administrator access to the management interface.
The Virtual Office consists of the nodes described in the following table.

Node: Description
File Shares: Provides access to the File Shares utility, which gives remote users a secure Web interface for accessing Microsoft File Shares using the CIFS (Common Internet File System) or SMB (Server Message Block) protocols.
The Home page provides customized content and links to network resources. The Home Page may contain support contact information, VPN instructions, company news, or technical updates. Only a Web browser is required to access intranet Web sites, File Shares, and FTP sites. VNC, Telnet and SSHv1 require Java. SSHv2 provides stronger encryption than SSHv1, requires SUN JRE 1.4 or above and can only connect to servers that support SSHv2.
Using Virtual Office Features This chapter provides details on how to use the features in the SonicWALL SSL VPN user portal, including NetExtender, configuring bookmarks, accessing services, and using file shares.
Using Two-Factor Authentication

The following sections describe how to log in to the SSL VPN Virtual Office portal using two-factor authentication:
• “User Prerequisites” on page 18
• “User Configuration Tasks” on page 18

User Prerequisites

Before you can log in using two-factor authentication, you must meet the following prerequisites:
• Your administrator has created your user account.
• You have either an RSA SecurID token or a VASCO Digipass token.
Step 2 Enter your username in the Username field.
Step 3 The first time you log in to the Virtual Office, your entry in the password field depends on whether you have been given a PIN or if you need to create the PIN.
– If you already have a PIN, enter the passcode in the Password field. The passcode is the user PIN and the SecurID token code. For example, if the user’s PIN is 8675 and the token code is 30966673, then the passcode is 867530966673.
Step 4 The RSA Authentication Manager verifies that the new PIN is an acceptable PIN. If the PIN is accepted, the user is prompted to log in with the new passcode.

Waiting for the Next Token Mode

If user authentication fails three consecutive times, the RSA server requires the user to generate and enter a new token. To complete authentication, the user is prompted to wait for the token to change and enter the next token.
Using One-Time Passwords

Step 3 Enter the passcode in the Password field. The passcode is the user PIN and the VASCO Digipass token code. For example, if the user's PIN is 8675 and the token code is 30966673, then the passcode is 867530966673.
Step 4 Select the appropriate Domain.
Note: If manually entering the Domain, it is case-sensitive.
Step 5 Click Login.
Step 2 The prompt “A temporary password has been sent to user@email.com” will appear, displaying your pre-configured email account.
Step 3 Log in to your email account to retrieve the one-time password.
Step 4 Type or paste the one-time password into the Password: field where prompted and click Login.
Step 5 You will be logged in to the Virtual Office.
Note: One-time passwords are immediately deleted after a successful login, and cannot be used again.
Using NetExtender Verifying User One-Time Password Configuration If you are successfully logged in to Virtual Office, you have correctly used the One-Time Password feature. If you cannot login using the One-Time Password feature, verify the following: • Are you able to login to the Virtual Office without being prompted to check your email for a one-time password? You have not been enabled to use the One-Time Password feature. Contact your SSL VPN administrator.
• One of the following browsers:
– Internet Explorer 7.0 and higher
– Mozilla Firefox 3.0 and higher
– Google Chrome 6.0 and higher
• To initially install the NetExtender client, the user must be logged in to the PC with administrative privileges.
• Downloading and running scripted ActiveX files must be enabled on Internet Explorer.
As new features are added, users must install the updated client to access all the features supported by the new firmware. Likewise, if a new client is used with older firmware, some client features may not be functional. For best results, the latest firmware should always be used with the latest client.

Note: Only rooted devices are supported for NetExtender Android in SonicWALL SSL VPN 5.0. The rooting requirement is due to limitations and restrictions of the Android platform.
Windows Mobile Platform
• “Installing and Using NetExtender for Windows Mobile” section on page 55

Android Smartphone Platform
• “Installing NetExtender on Android Smartphones” section on page 59
• “Using NetExtender on Android Smartphones” section on page 62

Installing NetExtender Using the Mozilla Firefox Browser

To use NetExtender for the first time using the Mozilla Firefox browser, perform the following:
Step 1 To launch NetExtender, first log in to the SSL VPN portal.
Step 4 The Allowed Sites - Software Installation window may appear, with the address of the Virtual Office server in the address window. Click Allow to allow Virtual Office to install NetExtender, and click Close.
Step 5 The Allowed Sites window displays. Click Allow to add the SSL-VPN appliance to the list of allowed sites.
Step 6 Return to the Virtual Office window and click NetExtender again.
Step 7 You may see a security warning. Click Install.
Step 9 You may see a Security Error: Domain Name Mismatch warning. Click OK.
Step 10 The Software Installation window is displayed. After a five second countdown, the Install Now button will become active. Click it.
Step 11 You may be prompted to restart Firefox in order to install NetExtender. Click Restart FireFox.
Step 12 Firefox will restart and you will need to log in again. NetExtender will then install as a Firefox extension.
Step 13 When NetExtender completes installing, the NetExtender Status window displays, indicating that NetExtender successfully connected. Closing the window (clicking on the x icon in the upper right corner of the window) will not close the NetExtender session, but will minimize it to the system tray for continued operation.
Step 14 Review the following table to understand the fields in the NetExtender Status window.
Installing NetExtender Using the Internet Explorer Browser

SonicWALL SSL VPN NetExtender is fully compatible with Microsoft Windows Vista 32-bit and 64-bit, and supports the same functionality as with other Windows operating systems.

Note: It may be necessary to restart your computer when installing NetExtender on Windows Vista or Windows 7.
Step 2 Click the NetExtender button.
Step 3 The first time you launch NetExtender, you must first add the SSL VPN portal to your list of trusted sites. If you have not done so, the following message will display.
Step 4 Click Instructions to add SSL VPN server address into trusted sites for help.
Step 5 In Internet Explorer, go to Tools > Internet Options.
Step 6 Click on the Security tab.
Step 7 Click on the Trusted Sites icon and click on the Sites... button to open the Trusted sites window.
Step 8 Enter the URL or domain name of your SSL VPN server in the Add this Web site to the zone field and click Add.
Step 9 Click OK in the Trusted Sites and Internet Options windows.
Step 10 Return to the SSL VPN portal and click on the NetExtender button. The portal will automatically install the NetExtender stand-alone application on your computer. The NetExtender installer window opens.
Step 13 When NetExtender completes installing, the NetExtender Status window displays, indicating that NetExtender successfully connected.

Launching NetExtender Directly from Your Computer

After the first access and installation of NetExtender, you can launch NetExtender directly from your computer without first navigating to the SSL VPN portal. To launch NetExtender, complete the following procedure:
Step 1 Navigate to Start > All Programs.
Using NetExtender Step 4 Enter your username and password. Step 5 The last domain you connected to is displayed in the Domain field. Note Step 6 The NetExtender client will report an error message if the provided domain is invalid when you attempt to connect. Please keep in mind that domain names are case-sensitive.
Step 5 The Settings tab allows you to customize the behavior of NetExtender.
Step 6 To have NetExtender launch when you log in to your computer, check the Automatically start NetExtender UI. NetExtender will start, but will only be displayed in the system tray. To have the NetExtender log-in window display, check the Display NetExtender UI checkbox.
Step 7 Select Minimize to the tray icon when NetExtender window is closed to have the NetExtender icon display in the system tray.
Step 2 Click on Connection Scripts.
Step 3 To enable the domain login script, select the Attempt to execute domain logon script checkbox. When enabled, NetExtender will attempt to contact the domain controller and execute the login script. Optionally, you may now also select to Hide the console window. If this checkbox is not selected, the DOS console window will remain open while the script runs.
net use drive-letter: \\server\share password /user:Domain\name

For example, if the drive letter is z, the server name is engineering, the share is docs, the password is 1234, the user’s domain is eng and the username is admin, the command would be the following:

net use z: \\engineering\docs 1234 /user:eng\admin

Step 5 To disconnect a network drive, enter a command in the following format:

net use drive-letter: /delete

For example, to disconnect network drive z, enter the following comm
Step 2 Click on Proxy.
Step 3 Select the Enable proxy settings checkbox.
Step 4 NetExtender provides three options for configuring proxy settings:
– Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the client automatically.
Configuring NetExtender Log Properties

Within the NetExtender Properties dialog box, click on the Log heading in the menu on the left panel. The available options provide basic control over the NetExtender Log and Debug Log.
Step 1 To establish the size of the NetExtender Log, select either the Unlimited log file size radio button or the Set maximum log file size to radio button. If you choose to set a maximum size, use the adjoining arrows.
Configuring NetExtender Advanced Properties

Within the NetExtender Properties dialog box, click on the Advanced heading in the menu on the left panel. The available options allow you to adjust advanced settings on NetExtender network properties and protocols. NetExtender allows users to customize the link speed that the NetExtender adapter reports to the operating system.
Viewing the NetExtender Log

The NetExtender log displays information on NetExtender session events. The log is a file named NetExtender.dbg. It is stored in the directory: C:\Program Files\SonicWALL\SSL VPN\NetExtender. To view the NetExtender log, right click on the NetExtender icon in the system tray and click View Log, or click on the Log icon on the main status page. To view details of a log message, double-click on a log entry, or go to View > Log Detail to open the Log Detail pane.
To filter the log by type of entry, go to Filter > Level and select one of the level categories. The available options are Fatal, Error, Warning, and Info, in descending order of severity. The log displays all entries that match or exceed the severity level. For example, when selecting the Error level, the log displays all Error and Fatal entries, but not Warning or Info entries. To view the Debug Log, either click the Debug Log icon or go to Log > Debug Log.
Disconnecting NetExtender

To disconnect NetExtender, perform the following steps:
Step 1 Right click on the NetExtender icon in the system tray to display the NetExtender icon menu and click Disconnect.
Step 2 Wait several seconds. The NetExtender session disconnects.

You can also disconnect by double clicking on the NetExtender icon to open the NetExtender window and then clicking the Disconnect button.
If an administrator has configured RSA pin-mode authentication to be required to connect through NetExtender, users will be asked whether they want to create their own pin, or receive one that is system-generated. Once the pin has been accepted, you must wait for the token to change before logging in to NetExtender with the new passcode. During authentication, the SSL VPN server may be configured by the administrator to request a client certificate.
Uninstalling NetExtender

The NetExtender utility is automatically installed on your computer. To remove NetExtender, click on Start > All Programs, click on SonicWALL SSL VPN NetExtender, and then click on Uninstall. You can also configure NetExtender to automatically uninstall when your session is disconnected. To do so, perform the following steps:
Step 1 Right click on the NetExtender icon in the system tray and click on Properties... The NetExtender Properties window is displayed.
To launch the NetExtender CLI, perform the following tasks:
Step 1 Launch the Windows Command Prompt by going to the Start menu, select Run, enter cmd, and click OK.
Step 2 Change directory to where NetExtender is installed. To do this, you first must enter cd ../.. to move up to the root drive. Then enter cd Program Files\SonicWALL\SSL-VPN\NetExtender.
Step 3 Enter NECLI.exe. The NetExtender CLI launches and displays a summary of the available commands.
Table 1 NetExtender CLI Commands

NECLI displayprofile: Displays all NetExtender profiles.
    -s server: (Optional) Displays only the profiles that are saved for the specified server.
    -u user-name: (Optional) Displays only the profiles that are saved for the specified user name.
    -d domain-name: (Optional) Displays only the profiles that are saved for the specified domain name.
NECLI queryproxy: Checks the connection to the proxy server.
NECLI reconnect: Attempts to reconnect to the server.
Step 3 The Virtual Office displays the status of NetExtender installation. A pop-up window may appear, prompting you to accept a certificate. Click Trust.
Step 4 A second pop-up window may appear, prompting you to accept a certificate. Click Trust.
Step 5 When NetExtender is successfully installed and connected, the NetExtender status window displays.

Using NetExtender on MacOS

Step 1 To launch NetExtender, go to the Applications folder in the Finder and double click on NetExtender.app.
Step 2 The first time you connect, you must enter the SonicWALL SSL VPN server name in the SSL VPN Server field.
Step 3 Enter your username and password.
Step 4 The first time you connect, you must enter the domain name.
Step 7 When NetExtender is connected, the NetExtender icon is displayed in the status bar at the top right of your display. Click on the icon to display NetExtender options.
Step 8 To display a summary of your NetExtender session, click Connection Status.
Step 9 To view the routes that NetExtender has installed, select the Routes tab in the main NetExtender window.
Step 10 To view the NetExtender Log, go to Window > Log.
Step 11 To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report.
Step 12 Click Save to save the diagnostic report using the default nxdiag.txt file name in your NetExtender directory.

Installing and Using NetExtender on Linux

SonicWALL SSL VPN supports NetExtender on Linux.
Step 2 Click the NetExtender button. A pop-up window indicates that you have chosen to open the NetExtender.tgz file. Click OK to save it to your default download directory.
Step 3 To install NetExtender from the CLI, navigate to the directory where you saved NetExtender.tgz and enter the tar -zxf NetExtender.tgz command.
Step 4 Type the cd netExtenderClient command.
Step 5 Type ./install to install NetExtender.
Step 6 Launch the NetExtender.tgz file and follow the instructions in the NetExtender installer. The new netExtender directory contains a NetExtender shortcut that can be dragged to your desktop or toolbar.
Step 7 The first time you connect, you must enter the SonicWALL SSL VPN server name in the SSL VPN Server field. NetExtender will remember the server name in the future.
Step 8 Enter your username and password.
Step 9 The first time you connect, you must enter the domain name.
Step 10 To view the NetExtender routes, select the Routes tab in the main NetExtender window.
Step 11 To view the NetExtender Log, go to NetExtender > Log.
Step 12 To generate a diagnostic report with detailed information on NetExtender performance, go to Help > Generate diagnostic report.
Step 13 Click Save to save the diagnostic report using the default nxdiag.txt file name in your NetExtender directory.
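The command-line install in Steps 3 to 5 of the Linux procedure above, as an added example that is not part of the original guide: it lists the members of NetExtender.tgz before extracting and refuses an archive that contains absolute paths, parent-directory components, or entries outside netExtenderClient/. The function names, and the assumption that every archive member sits under netExtenderClient/, are this example's own.

```shell
#!/bin/sh
# Added example (not from the SonicWALL guide): vet NetExtender.tgz before
# running the Step 3-5 commands. Function names are hypothetical.

# Assumption: every archive member lives under the directory used in Step 4.
EXPECTED_TOP="netExtenderClient"

# check_members: read archive member names on stdin, one per line.
# Returns 0 if every name is safe to extract, 1 otherwise.
check_members() {
    bad=0
    count=0
    while IFS= read -r name; do
        count=$((count + 1))
        case "$name" in
            /*)
                echo "absolute path: $name" >&2
                bad=1 ;;
            ..|../*|*/..|*/../*)
                echo "parent-directory component: $name" >&2
                bad=1 ;;
            "$EXPECTED_TOP"|"$EXPECTED_TOP"/*|./"$EXPECTED_TOP"|./"$EXPECTED_TOP"/*)
                : ;;  # inside the expected directory
            *)
                echo "outside $EXPECTED_TOP/: $name" >&2
                bad=1 ;;
        esac
    done
    # An empty listing means there was nothing to vet.
    if [ "$count" -eq 0 ]; then
        echo "no members listed" >&2
        return 1
    fi
    return "$bad"
}

# install_netextender: vet the archive, then perform Steps 3, 4 and 5.
install_netextender() {
    archive=${1:-NetExtender.tgz}
    listing=$(mktemp) || return 1

    # List the members first; a read failure stops the install.
    if ! tar -tzf "$archive" > "$listing"; then
        echo "cannot read $archive" >&2
        rm -f "$listing"
        return 1
    fi
    if ! check_members < "$listing"; then
        echo "refusing to extract $archive" >&2
        rm -f "$listing"
        return 1
    fi
    rm -f "$listing"

    tar -zxf "$archive" || return 1          # Step 3
    # Subshell so the caller's working directory is left unchanged.
    ( cd "$EXPECTED_TOP" && ./install )      # Steps 4 and 5
}

# Usage (from the download directory):
#   . ./vet-netextender.sh && install_netextender NetExtender.tgz
```

Source the file and call install_netextender from the directory where NetExtender.tgz was saved; the installer itself still runs with whatever privileges the calling shell has.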
• Connection profiles

NetExtender supports the following Windows Mobile platforms:
• Windows Mobile 5 PocketPC version
• Windows Mobile 6 Professional/Classic version

Note: Windows Mobile 5 Smart Phone version and Windows Mobile 6 Standard version are not currently supported.

To use NetExtender on your Windows Mobile device, perform the following tasks:
Step 1 Navigate to the URL or IP address for your SSL VPN Virtual Office using the browser in your Windows Mobile device.
Step 11 Click on the Menu button to see the NetExtender properties menu.
Step 12 Select the Sent & Received menu tab to adjust the metric used for sent and received statistics on the status window. Select the Throughput menu tab to adjust the throughput measurement displayed on the status window.
Step 13 To configure NetExtender options, click the Menu button.
– Display precise number in status - Displays the exact numbers of sent and received data.
– Automatically establish the underlying connection - Uses the Windows Mobile Connection Manager to establish the device’s connection to the mobile network. The Connection Manager is designed to determine the optimum network type (such as 3G or Wi-Fi). If this option is disabled, the user manages the connection manually.
Passwords in NetExtender Mobile

NetExtender Mobile supports the ability for users to change passwords. Also, if configured by an administrator, users can be alerted that their password is scheduled to expire soon. If a user must change their password, a screen prompt will ask for the user’s old password, along with a new password and re-verification of the new password.
The following features are not supported or not applicable on NetExtender Android in SonicWALL SSL VPN 5.
Step 8 Tap USB connected to connect to the computer. The next screen shows the connection.
Step 9 Tap Turn on USB storage to prepare for copying the apk installer to the Android smartphone.
Step 10 On the computer, copy the apk file to the Android SD card.
Step 11 Unmount the Android SD card from your computer. On Windows, it will show up under "My Computer" as a new drive. On Mac, a new drive will show up on the desktop.
Step 14 Using the file browser, locate the apk file and run it to install NetExtender Android. After installation, the NetExtender icon appears on the applications page of the smartphone.
Connecting to NetExtender

To launch NetExtender on your Android smartphone and connect to the network through the SonicWALL SRA or SSL-VPN appliance, perform the following steps:
Step 1 On your Android smartphone, start NetExtender by tapping the application icon. The NetExtender connection options screen displays. Enter the information into the Server, User, Password, and Domain fields.
Step 2 Tap Connect to accept the default option (Save user name & password) or select a Save...
After a successful connection, the entered values are saved as a profile that you can select when starting NetExtender. NetExtender saves the information in a secure file on the smartphone.
Step 4 If One Time Password is enabled on the SonicWALL SRA or SSL-VPN appliance, the One Time Password prompt is displayed. Enter the temporary password that was emailed to your configured account, and tap OK.
If no PIN has yet been configured, or if the administrator has reset the account, the following screen asks if the system should generate a new PIN. To allow the system to generate it, tap Yes. To type in a PIN yourself, tap No and skip to Step 7.
Step 6 If you chose to allow the system to generate the PIN, the display then prompts you to accept the generated PIN. Tap Yes to accept it, or tap No to have the system generate a different PIN. You are prompted each time until you tap Yes.
Step 7 If you chose to generate the PIN yourself, type a PIN into the PIN field and again in the second field to confirm it. Typically, PINs are required to be 4 to 8 digits. Tap OK.
Step 8 After entering the PIN or creating a new PIN, the Two Factor Authentication process requires you to enter the token code shown on your token device. Wait for the token code to change on the device, and then type the code into the field on your smartphone and tap OK.
Step 9 If a proxy server is configured in the smartphone (via Preferences), the Proxy Authentication screen is displayed next. Enter the username and password for the proxy and tap OK.
Step 10 NetExtender will connect at this point, unless there is a problem or error. You will see the NetExtender traffic indicator appear in the notification bar at the top of the display, unless it is disabled in Preferences.
Exiting or Disconnecting from NetExtender

EXIT

Exiting and restarting NetExtender is useful when NetExtender cannot connect, possibly after a long period of disuse. To exit from NetExtender, perform the following steps:
Step 1 To access the Exit option, press the options or menu button while on the NetExtender screen. The options are displayed at the bottom of the screen.
Step 2 In the NetExtender user interface, tap the Disconnect button and tap OK to confirm. NetExtender notifies you while disconnecting.
Checking Status, Routes, and DNS Settings

While NetExtender is connected, you can view status information, routes, and DNS settings on your smartphone.
Step 1 To open the NetExtender user interface, pull down the notification bar and tap NetExtender.
Step 2 To view status information, tap the Status tab. You can tap on the Sent, Received, or Throughput fields to change the units between bytes and packets. If you are connected to a SonicWALL SRA or SSL-VPN appliance running 5.
Step 3 To view NetExtender routes, tap the Routes tab. The display shows all subnets currently available from the smartphone.
Step 4 To view the configured DNS servers, tap the DNS tab. NetExtender Android supports DNS only; WINS or DNS suffix are not supported.
PROFILES

Step 2 To display the NetExtender Profiles screen, start NetExtender and then press the options or menu button on the smartphone and tap Profiles.
Step 3 To display the Remove selected, Remove all, and Close options on this NetExtender Profiles screen, press the options button while on the screen.
Step 4 Tap Remove selected to remove the profiles that have check marks next to them.
Step 5 Tap Remove all to remove all profiles from the smartphone.
Step 7 To display the Remove this profile, Remove selected profiles, and Remove all profiles options, press and hold the NetExtender Profiles screen.
Step 8 Tap Remove this profile to remove the profile that you pressed on to bring up this screen.
Step 9 Tap Remove selected to remove the profiles that have check marks next to them.
Step 10 Tap Remove all to remove all profiles from the smartphone.
Step 11 Tap Close to close the option display on this screen.
PREFERENCES / PROXY SETTINGS

Step 14 To configure NetExtender preferences including proxy and notification settings, select the Preferences option.
Step 15 Under General settings, select the Connection notification checkbox to display the NetExtender traffic indicator in the notification bar. Clear the checkbox to prevent the indicator from being displayed.
NetExtender Android supports basic authentication using a username and password for proxy servers. Microsoft NTLM authentication is not currently supported.
Step 20 When finished configuring the proxy server settings, tap OK.

Changing Your Password

To change your password when prompted by NetExtender, perform the following steps:
Step 1 After connecting, a password expiration notice may be displayed on your Android smartphone.
Step 2 If you select Yes, the Change password screen is displayed. Type your password into the Current Password field, then type a new password into the New password field and again into the Type it again field. Tap OK.
Step 3 If your password expires before you change it, the Change password screen is displayed when you connect, with the message “Login failed – you must change your password.
• Running NetExtender on a Different TCP Port
• Using the SonicWALL CDP Agent over a SonicWALL NetExtender Connection
• Using SonicWALL NetExtender to Access FTP Servers
• Resolving NetExtender Error With McAfee Enterprise 8.5

Using Virtual Assist

Virtual Assist is an easy-to-use tool that allows SonicWALL SSL VPN users to remotely support customers by taking control of their computers while the customer observes.
– Receives an email invitation from the technician and clicks on the link to launch Virtual Assist.
– Navigates directly to the URL of the Virtual Assist home page that is provided by the technician.
4. The Virtual Assist application installs and runs on the customer’s system.
5. The customer appears in the Virtual Assist Assistance Queue.
6. The technician clicks on the customer's name and launches a Virtual Assist session.
7.
Step 4 Click on the Allow button. A plugin installation window displays. Click Install Now. The Virtual Assist plugin and client install. You may be prompted to restart your browser.
Step 5 You can now launch Virtual Assist either from the Virtual Office window or from a shortcut that is added to your Programs list under the Windows Start button.
• Proxy Settings - Allows users to configure a Proxy server to access the SSL-VPN appliance. There are three options for configuring proxy settings.
– Automatically detect settings - To use this setting, the proxy server must support Web Proxy Auto Discovery Protocol (WPAD), which can push the proxy settings script to the client automatically.
• Connection Profiles - Displays all of the Virtual Assist connection profiles that have been used on this computer. To remove a profile, select it and click the Remove button.
• Connection Settings - Allows users to customize how they are identified in Virtual Assist and the default settings of Virtual Assist customer sessions.
– Display Name - The name that will be displayed in the user queue. By default, the user’s SSL VPN username is displayed.
Selecting a Virtual Assist Mode
When you first launch Virtual Assist, by default it will be in customer mode. To change the mode, perform the following steps.
Step 1 Click Change Mode to select one of four possible modes.
Step 2 Select one of the following four Virtual Assist modes:
• Customer - Select this mode to request support. For information on customer mode, see the “Using Virtual Assist from the Customer View” section on page 90.
Launching a Virtual Assist Technician Session
To launch a Virtual Assist technician session to remotely assist customers, perform the following steps.
Step 1 Launch Virtual Assist and select the Technician Mode.
Step 2 In the Server pulldown menu, select the IP address or domain name of the SonicWALL SSL-VPN appliance.
Step 3 Enter the Username and Password for the technician account on the appliance.
Step 4 Click Login. The Select Domain window displays.
Step 6 The Virtual Assist standalone application launches. The technician is now ready to assist customers.
Performing Virtual Assist Technician Tasks
To get started, the technician logs into the SonicWALL SSL-VPN appliance and launches the Virtual Assist application.
Note Each technician can only assist one customer at a time.
By default, the Virtual Assist window launches with the Virtual Assist toolbar at the top and the rest of the window dedicated to the customer’s screen.
Inviting Customers by Email
Step 1 To invite a customer to Virtual Assist, use the email invitation form on the left of the Virtual Assist window. If it is not displayed, click the Invite button in the toolbar.
Note Customers who launch Virtual Assist from an email invitation can only be assisted by the technician who sent the invitation. Customers who manually launch Virtual Assist can be assisted by any technician.
Step 2 The customer’s entire desktop is displayed in the bottom right window of the Virtual Assist application. The technician now has complete control of the customer’s keyboard and mouse. The customer can see all of the actions that the technician performs. During a Virtual Assist session, the customer is not locked out of their computer.
Using the Virtual Assist Taskbar and Tab Controls
The Technician’s view of Virtual Assist includes a Taskbar with a number of options.
• Invite - Displays the Email Invite pane.
• Chat - Displays the chat window to communicate with the customer.
• Service - Displays the service queue of customers awaiting service.
• Logging - Displays the log window.
• Viewer - Displays or hides the entire Virtual Assist window.
• System Info - Displays detailed information about the customer’s computer.
• Reboot Customer - Reboots the customer’s computer. Unless you have requested full control, the customer will be warned about the reboot and given the opportunity to deny it. You can select either a basic reboot or a reboot into Safe Mode.
• Active Screens - Allows the technician to switch to a second monitor if the customer’s computer has more than one monitor configured, or display all monitors.
Viewing Virtual Assist Session Log
The Virtual Assist Session Log window can be displayed by clicking the Logging button in the Taskbar. The log displays a history of timestamped events for the session, such as opening Chat or File Transfer, requesting Full Control, etc.
Using the Virtual Assist File Transfer
The File Transfer window is used to transfer files to and from the customer’s computer.
• Upload transfers the selected file or files from the customer’s computer to the technician’s computer.
• Delete deletes the selected file or files.
Note When deleting or over-writing files, the customer is warned and must give the technician permission unless the technician has clicked the Request Full Control button and the customer has confirmed.
• New folder creates a new folder in the selected directory.
• Rename renames the selected file or directory.
Step 2
• The login page of your Virtual Office may include a direct link to Virtual Assist as shown below.
• Or you may need to log in to the Virtual Office and click the Virtual Assist button.
The first time you launch Virtual Assist, you will be prompted to install the Virtual Assist plugin and client.
Step 3 Click on the Allow button. A plugin installation window displays. Click Install Now. The Virtual Assist plugin and client install. You may be prompted to restart your browser.
Step 4 You can now launch Virtual Assist either from the Virtual Office window or from a shortcut that is added to your Programs list under the Windows Start button.
Step 7 If you receive the following security alert, click Unblock to allow Virtual Assist traffic through the Windows firewall.
Step 8 A pop-up window indicates that you are in the Virtual Assist queue. The technician will be alerted that you are ready. Click Cancel to cancel the Virtual Assist request.
Step 9 When the technician initiates the session, the Virtual Assist toolbar appears in the bottom right of your screen. The technician now has control of your computer.
Changing the Virtual Assist Level of Control
There are three levels of control that a customer can grant to the technician:
• View Only - The technician can view the customer’s computer but cannot control it. To switch to View Only mode, click the Status (Active) button. The Status switches to (View Only).
Step 2 Click Change Mode, select Unattended, and click Change Mode again.
Step 3 Select or enter the IP address or domain name of the SSL VPN server.
Step 4 Enter a Password and click Login. The Waiting window displays and shows the length of time you have been in the queue.
Step 5 You need to provide the technician with the password you just defined. An easy way to do this is to click Add Information and give the technician your password.
Note Running the file directly from this dialog box may not work on some systems.
Step 3 Save the file to the system and then run the application.
Step 4 Fill in the necessary information in the provided fields to set up the system in Virtual Access mode and click OK.
• Server: This should be the name or IP address of the appliance the technician normally accesses the Virtual Office from outside the management interface (Do not include “https://”).
Using the Request Assistance Feature
If the Display Request Help Button option has been enabled on the Virtual Assist tab on the Portals > Portals page of the management interface, users will see the Request Assistance button on the Virtual Office portal. By clicking this button on the portal, the user is placed in the Virtual Assist support queue for assistance.
Using File Shares
• “Configuration Examples” section on page 103
User Prerequisites
The SonicWALL SSL VPN File Shares Applet is a Java application that supports Java 1.3.1 and newer, and the JRE Version 5.0 Update 10 or newer is recommended. To download the latest Java and JRE versions, visit http://www.java.com. Internet Explorer 6.0, Firefox 1.5 or newer, Opera 8 or newer, and Safari RSS are the recommended Web browsers for optimal performance of the Java File Shares feature.
Step 3 Click the New Bookmark tab in the portal page.
Step 4 The Add Bookmark screen displays. Enter a friendly name for the bookmark in the Bookmark Name field.
Step 5 Enter the IP address and file directory path to the File Share in the Name or IP Address field.
Note When using the Java applet, the Name or IP Address field must be to a file directory and end with a / or \ character.
Step 6 In the Service pull down menu, select the File Shares (CIFS) option.
Using the Java File Shares Applet
While loading the browser interface, warning messages might display. These messages will look different for different browsers. For the purpose of these examples, Internet Explorer 6.0 was used.
Step 1 If you are not logged into the SSL VPN Virtual Office user interface, open a Web browser and type the Virtual Office interface URL in the Location or Address bar and press Enter.
The File Shares Applet displays.
Note The File Shares Applet window will not automatically refresh when its contents have changed or if it has been previously viewed. To refresh, click the Refresh icon from the toolbar, or use the Refresh option from the right-click menu.
Note The remote network can be browsed from the remote window’s address bar. The local directory cannot be changed from the address bar. The remote path is capped at 1024 characters.
Note The File Shares Applet supports overwriting existing files. If a file exists with the same name as the one you are trying to copy over, the Applet will prompt you to rename the file being copied. If the name is kept the same, the copied file will overwrite the existing one.
Step 7 Double click on a file to launch it with the proper application.
• Delete: Deletes the selected file(s)/folder(s).
Note Deleting a folder will delete everything within the folder. Files deleted this way are fully removed from the original machine they were on. These files are not sent to the recycling bin and are in no way recoverable.
Configuration Examples
The following configuration examples provide a demonstration of the usefulness and flexibility of the File Shares Applet.
Step 4 Once loaded, double click on a folder or enter the target directory path within the address bar.
Note This can take some time as the File Shares Applet must browse through the network after every change.
Step 5 To set a bookmark to the current directory, right-click in an empty location in the remote directory and select Add Bookmark.
Note Only the remote window can use the address bar to navigate through a computer’s file hierarchy.
Step 7 Click OK. The bookmark is added to the Virtual Office portal. Clicking on the bookmark accesses the selected folder or file.
Using Bookmarks from Within the File Shares Applet
In addition to accessing bookmarks from the Virtual Office portal, bookmarks can be easily accessed from within the File Shares Applet.
Step 1 Launch the File Shares Applet by clicking on the File Shares button in the Virtual Office portal.
This section provides an example of a folder that is copied from a remote machine onto the local machine’s desktop, deleted from the remote machine, and moved back from the local machine onto the remote machine, all from the File Shares Applet.
Step 1 Launch the File Shares Applet by clicking on a bookmark in the Virtual Office portal.
Note The item still exists on the remote machine. To initiate a move, not a copy, you must use the Move command from the right-click menu.
Step 5 To delete the original file or folder, select it by clicking on it once, and press the Delete button on the tool bar. Alternatively, the item can be deleted by using the right-click menu. The File Shares Applet displays a delete confirmation window. Click the Delete button in the pop-up to delete the item.
Step 6 Once the file or folder has been deleted, the File Shares Applet will automatically refresh, removing the item from the current directory. To copy it from the local machine back to the remote machine, click-and-drag like in Step 2, or use the Copy icon from the local machine’s tool bar.
Note The Copy icon in the toolbar automatically moves the selected file to whatever directory is currently open.
Launching a File Directly from the File Shares Applet
Files can be launched from within the File Shares Applet. This section provides an example where a remote file is queried for its properties, bookmarked and opened.
Step 1 Launch the File Shares Applet by clicking on a bookmark in the Virtual Office portal.
Step 2 Right click the file and select Properties.
The file’s properties will be displayed in a separate window.
Step 3 To open the file, double-click on the file. Alternatively, create a bookmark to it, and launch the file from the bookmark menu. To create a bookmark, select the Add Bookmark option from the right-click menu. The name of the file is the default name of the new bookmark, but a new name can be entered if so desired.
Step 4 Then select the bookmark, either from the portal or from the bookmark tab in the toolbar.
Note Files launched from within the File Shares Applet must be downloaded to the local machine before they can be opened. The File Shares Applet will store the file in a temporary directory while it is being used. The File Shares Applet will also try to delete the file after use, but may be unable to do so depending on whether or not another program is accessing it.
To create a file share, perform the following steps:
Step 1 Click on the File Shares button. Virtual Office displays a dialog box that provides a hot link to a login prompt.
Note Pop-up window blockers may prevent File Shares from functioning properly. Configure your browser to allow pop-up windows on the SSL VPN portal site.
Step 2 To specify a new share path (as an example, \\moosedc) in the Address field.
Step 6 Virtual Office displays the home File Share screen that you have specified, displaying folders on the network to which you can navigate. Table 2 describes the controls at the top of the File Share window.
Table 2 File Share Controls
Button     Description
Back       Navigates to the previous File Share location.
Forward    Navigates forward to the previous File Share location after you have pressed the Back button.
Reload     Reloads the current folder to display any changes.
Managing Bookmarks
Bookmarks are objects that enable you to connect to a location or application conveniently and quickly. The Virtual Office Bookmark system allows bookmarks to be created at the group and user levels. The administrator can create both group and user bookmarks, which will apply to applicable users, while individual users can create only personal (user-level) bookmarks.
Adding Bookmarks
Bookmarks provide a convenient way for you to access Web, FTP, or other services on the remote network that you will connect to frequently. To define bookmarks, perform the following:
Step 1 In the Virtual Office window at the top of the bookmarks table, click Show Edit Controls and then click Create a new bookmark.
Step 2 In the Add Bookmark screen, enter a descriptive name in the Bookmark Name field.
Step 3 Enter the domain name, IP address, or IPv6 address of a host machine on the LAN in the Name or IP Address field. IPv6 addresses should be enclosed in brackets (i.e. the [ and ] symbols). You may also enter the wildcard variable %USERNAME% to display the current user name. Variables are case-sensitive.
Step 7 For Citrix bookmarks, you can select the following options:
• Designate that it be a secure Citrix connection by selecting the HTTPS Mode checkbox.
• Select Always use Java in Internet Explorer to use Java to access the Citrix Portal when using Internet Explorer. Without this setting, a Citrix ICA client or XenApp Web plug-in (an ActiveX client) must be used with IE.
Configuring RDP ActiveX and Java Bookmarks
ActiveX and Java RDP bookmarks offer several features that are not available in other bookmarks.
Tip The ActiveX client is only supported on the Internet Explorer browser, while the Java client is supported on all platforms and browsers that are compatible with SonicWALL SSL VPN.
Step 1 Enter the desired Bookmark Name.
Step 2 Enter the Name or IP Address of the resource you are trying to reach. You can also use an IPv6 address.
Option    Usage
Application and Path    To have the RDP session launch an application when the bookmark is initiated, enter the path to the application in the Application and Path (optional): field. For example, C:\Program Files\Example\app.exe (optional).
Start in the following folder    Enter the local folder to execute application commands in (optional).
Login as console/admin session    Check this option to enable console and admin commands on login.
Step 5 When you are finished, click the Add button to add this bookmark to your Virtual Office list.
Determining the Remote Computer’s Full Name or IP Address
Complete the following steps to determine the full name of the computer to which the RDP bookmark is pointing:
Step 1 Right click on the My Computer icon on the desktop of the remote computer, and select Properties.
Step 2 Click the Remote tab.
Step 3 The full computer name will be listed under Remote Desktop.
Step 6 Optionally enable or disable the Automatically log in setting, or change the credentials selection.
Step 7 Click Apply. The Virtual Office home page displays with the new IP address or domain name.
Removing Bookmarks
To remove a bookmark, perform the following steps:
Step 1 Identify a bookmark in the Virtual Office Bookmarks list that you want to remove.
Step 2 In the Virtual Office Bookmarks list, click on the delete icon remove. The bookmark disappears from the list.
Using Bookmarks
• Themes
• Bitmap caching
If the Java client application is RDP 6, it also supports:
• Dual monitors
• Font smoothing
• Desktop composition
Note RDP bookmarks can use a port designation if the service is not running on the default port.
Tip To terminate your remote desktop session, be sure to log off from the Terminal Server session. If you wish to suspend the Terminal Server session (so that it can be resumed later) you may simply close the remote desktop window.
Step 3 A window is displayed indicating that the Remote Desktop Client is loading. The remote desktop then loads in its own window. You can now access all of the applications and files on the remote computer.
Note For information on configuring options for RDP bookmarks, see “Configuring RDP ActiveX and Java Bookmarks” on page 118.
Using VNC Bookmarks
Step 1 Click the VNC bookmark. The following window is displayed while the VNC client is loading.
Note VNC can have a port designation if the service is running on a different port.
Step 2 When the VNC client has loaded, you will be prompted to enter your password in the VNC Authentication window.
Step 3 To configure VNC options, click the Options button. The Options window is displayed.
Table 3 describes the options that can be configured for VNC.
Table 3 VNC Options
Option      Default    Description of Options
Encoding    Tight      Hextile is a good choice for fast networks, while Tight is better suited for low-bandwidth connections. On the other hand, the Tight decoder in the TightVNC Java viewer is more efficient than the Hextile decoder, so this default setting can also be acceptable for fast networks.
Using FTP Bookmarks
Note FTP bookmarks can use a port designation if the service is not running on the default port.
Step 1 Click the FTP bookmark. The FTP Session dialog box displays.
Step 2 Enter your username and password. If you want to use your Virtual Office username and password, simply leave the fields blank.
Step 3 Click Submit. An FTP session displays.
Step 4 You can use the following utilities in the FTP site:
– To manually navigate to a folder, enter the folder name in the Go to directory field and click Submit.
– To create new folders in the directory, use the Create new folder fields.
– To delete multiple files, click in the checkboxes of files or folders you want to remove and click Delete Marked.
Step 2 Click on the name of the file in the Filename column. The File Download window displays.
Step 3 Click Run to launch the file. Click Save to save it to your computer.
Uploading Files
To upload a file, perform the following:
Step 1 Click Upload Files in the navigation bar. The Upload FTP Files window will be displayed.
Step 2 The current directory is displayed in the Upload files to: field.
Note To navigate between uploads, click the Sessions link.
Step 4 Click Import to upload the files.
Using Telnet Bookmarks
Step 1 Click on the Telnet bookmark.
Note Telnet bookmarks can use a port designation for servers not running on the default port.
Step 2 Click OK to any warning messages that are displayed. A Java-based Telnet window launches.
Step 3 If the device you are Telnetting to is configured for authentication, enter your username and password.
Using SSHv1 Bookmarks
Note SSH bookmarks can use a port designation for servers not running on the default port.
Step 1 Click on the SSHv1 bookmark. A Java-based SSH window is launched.
Step 2 Enter your username and password.
Step 3 An SSH session is launched in the Java applet.
Tip Some versions of the JRE may cause the SSH authentication window to pop up behind the SSH window.
Using SSHv2 Bookmarks
Note SSH bookmarks can use a port designation for servers not running on the default port.
Step 1 Click on the SSHv2 bookmark. A Java-based SSH window displays. Type your user name in the Username field and click Login.
Step 2 A hostkey popup displays. Click Yes to accept and proceed with the login process.
Step 3 Enter your password and click OK.
Step 4 The SSH terminal launches in a new screen.
Using HTTP and HTTPS Bookmarks
Note HTTP bookmarks can have a port designation and a path.
Step 1 Click on the HTTP or HTTPS bookmark.
Step 2 A new window is launched in your default browser that connects to the domain name or IP address specified in the bookmark.
Note OWA Premium 2010/2007/2003, Lotus Domino Web Access 7.0, Novell Groupwise Web Access 7.0, Sharepoint 2007, and Sharepoint Services 3.0/2.0 are supported in SSL VPN release 5.0. Other applications may work but there may be problems accessing pages that are malformed, have advanced HTML features, use an unsupported authentication method (for example, Windows Integrated Authentication) and URLs that are embedded in Macromedia Flash, Java or ActiveX.
Step 3 The Citrix Web Client begins to install. If prompted, click the banner to grant ActiveX control to the Citrix Web Client.
Step 4 Click Yes to the Security Warning message that is displayed.
Step 5 The Citrix Web Client installs.
Step 6 Click Yes to the Citrix license agreement.
Step 7 When the Citrix Web Client has installed, click OK. If the Citrix Web Interface login window does not display, restart your Web browser and launch the Citrix bookmark again.
Step 8 Enter your username, password, and domain in the Citrix Web Interface login window.
Step 9 The Citrix Web Interface home page is displayed. Click on the application you want to use.
Step 10 You may be prompted to install additional Citrix software.
Step 11 The shared application is now launched.
Java Citrix Bookmark
When using a non-Internet Explorer web browser, Citrix bookmarks launch the Java Citrix client. The following steps describe how to launch and use the Java Citrix client.
Step 1 Click on the Citrix bookmark. The login window displays.
Step 3 Click the Log On button. The Citrix Java applet displays. The default applications will display in the Applications section in the middle of the window.
Step 4 Click on Messages to view any Citrix messages you have received.
Step 5 Click on Preferences to customize the Citrix Java applet settings.
Step 6 Select Display Settings to change the language and to specify if Citrix hints should be displayed.
Step 8 In the Window Size pulldown menu, select one of the following options:
• No preference: Uses the default setting configured by your administrator.
• Full screen: Resources are maximized to fill your screen.
• Seamless: Resources that support resizing appear in resizable windows.
• Custom dimensions: Enables you to specify the width and height of the resource window in pixels.
Note Fileshares will supply the backend server with the configured domain name of which the user is a member. HTTP, HTTPS, FTP, RDP - ActiveX, and RDP - Java will supply the username and password that was used to log in. If the server is expecting a domain-prefixed username, SSO will fail. In some cases, a default domain can be specified at the server to allow SSO to succeed.
You can enter the custom credentials as text or use dynamic variables such as those shown below:
Text Usage     Variable        Example Usage
Login Name     %USERNAME%      US\%USERNAME%
Domain Name    %USERDOMAIN%    %USERDOMAIN%\%USERNAME%
Group Name     %USERGROUP%     %USERGROUP%\%USERNAME%
Password       %PASSWORD%      %PASSWORD% or leave the field blank
Step 6 For Web (HTTP) and Secure Web (HTTPS) bookmarks, select the Forms-based Authentication checkbox to use this method for SSO, and then fill in the foll
Logging Out of the Virtual Office
To end your session, simply return to the Virtual Office home page from wherever you are within the portal and click on the Logout button.
Note When using the Virtual Office with the admin username, the Logout button is not displayed. This is a security measure to ensure that administrators log out of the administrative interface, and not the Virtual Office.
Trademarks
SonicWALL is a registered trademark of SonicWALL, Inc.
This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by accident, abuse, misuse or misapplication, or has been modified without the written permission of SonicWALL. DISCLAIMER OF WARRANTY.
SonicWALL, Inc.
2001 Logic Drive, San Jose, CA 95124-3452
T +1 408.745.9600
F +1 408.745.9300
www.sonicwall.com
PN: 232-001961-00 Rev B 01/11
© 2011 SonicWALL, Inc. is a registered trademark of SonicWALL, Inc. Other product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.