I’ve been supporting SonicWalls for a little over 8 years now, and have always recommended NetExtender for VPN. When I first started, I remember thinking something along the lines of "NetExtender is the newer (and therefore better) solution, Global VPN is being phased out."
Obviously, this was not the case, as they still offer Global VPN 8 years later with no signs of putting it out to pasture anytime soon. So my question is: why would I choose one client over the other? I have seen vague references that GlobalVPN is faster, but how much faster? Is the licensing less expensive?
I know NetExtender only works on Windows, but mostly, so do I and so do my clients. If someone has a Mac, we use the Mobile Connect app. Am I missing something by ignoring GlobalVPN?
Both are different protocols. GlobalVPN is IPsec over UDP, so faster and more stable in theory. NetExtender is SSL/TLS VPN over TCP, so more overhead (slower) and prone to connection loss.
SSLVPN has the advantage of SAML with an IdP and web portal association.
GlobalVPN is likely to be phased out by WireGuard eventually; see the SMA solution incorporating it.
The biggest reason we still use GlobalVPN is speed. It can be quite drastic actually.
At our main office we use an NSa 4700 with a symmetrical 1gb fiber connection. We have a video production team and graphic design department with PCs and Macs, which is where speed is needed. A while back I did a lot of tweaking and testing of SSLVPN capabilities because of our Mac users.
Roughly looking through my screenshots/documentation quick here, but using GlobalVPN/IPSec I have on a few occasions been able to download a file from the office at 50-60mb/sec which is pretty dang fast.
SSLVPN (NetExtender, Mobile Connect) was all over the place, but the majority of Mobile Connect users couldn’t surpass about 6-7mb/sec. There were a few users that could max at about 13mb/sec. I would say that’s the fastest I have seen. NetExtender on PC was much worse. I would say about 2-5mb/sec.
Unfortunately I gave up on testing some more with SSLVPN, because I would need to purchase some equipment to test out some ideas on why SSLVPN speeds are slower and why some people could get a little higher speeds than others. (Yes, all the people in my tests had home internet speeds of 500mbps or 1gb.)
The one idea I wanted to test was whether you had better performance coming from routers/modems that have AES hardware acceleration in the chips. Most likely BCM58** chips and ARMv8-A chips. Also older Intel PUMA cable modems. Maybe someone smarter than me can tell me if that makes sense? It seems to me that AES hardware acceleration could handle SSLVPN connections better? Idk.
Lastly for a few select Mac users I have set them up with IPSecuritas to our SonicWall for an IPSec VPN on a Mac to get them 50-60mb/sec transfers which seems to work well.
From a functionality point of view, they accomplish the same goal. You can use Mobile Connect on Windows if you wish.
GlobalVPN is the legacy, less secure option. SSLVPN is the modern, more secure option.
Licensing is cheaper for Global VPN, as you can have more than the 2 concurrent sessions that are included with the base SSLVPN license.
You should be using SSLVPN, because with Global VPN you are giving your (shared) credentials to everyone. One stolen laptop, or connection to untrustworthy Wi-Fi, and your network is now infected and you have to inform every single user to update their credentials.
Using SSLVPN with two-factor authentication, a stolen laptop or questionable Wi-Fi is less of a concern. In a worst case scenario, you are only changing 1 user account.
SSLVPN is for security
GlobalVPN is for the lazy man.
We pretty much have to use NetExtender at all clients now due to cyber insurance 2FA requirements. Global does not support 2FA. Haven’t noticed any performance differences and SSLVPN is nice because it works better with iPads and Macs in my opinion, rather than trying to use L2TP.
Curious about the less secure and shared credential mentions here: it’s IPsec, and you can configure the phases to be more secure than defaults, and you should never have shared credentials; each user should always have their own account. Paired with that, you shouldn’t have the VPN (SSL or Global, either one) set up to allow saving of credentials.
I do agree on the MFA portion though, natively and without a third party RADIUS or similar, the GVPN doesn’t have that available.
Only issue I have had with the GVPN setup (aside from the missing MFA) is some residential ISP connections block this traffic and it will never connect/hangs.
My IT MSP just did this same test for us. SSL vs Global. Global smoked SSL. Global also smoked OpenVPN. It’s how the software is written, there is little you can do. As others have said, security is not an issue if you set it up correctly.
You are still sharing a static shared secret, and leaving a half-authenticated session while your RADIUS server is contacted. Duo is integrated on the RADIUS server, not the SonicWALL, so that cannot be attributed to SonicWALL feature security.
I didn’t mean to imply that you cannot add more technology to make GlobalVPN safer to use, but that doesn’t change the fact that between the two, GlobalVPN is less secure.
Giving a single static shared secret to many users is cause for failure in the compliance circles I run in, especially when an infinitely more secure option is available on the same hardware. Not to mention that you also need to worry about RADIUS and Duo (cloud) vulnerabilities.
People are still using them… it’s not their job to tell us what to do, only to provide the resources to do it the right way. Having the feature there isn’t causing any performance impact for those of us that don’t use it, so there is no harm in keeping it around, and keeping it around gives users who still use it a reason not to switch vendors.
You’re not sharing credentials, you’re sharing a PSK. Totally different. Each user still has their own credentials to connect; the only common item is that PSK, which alone doesn’t allow you to connect. There is no requirement to share credentials to use the GVPN.
I have been through a number of audits with customers and never had one fail from that - the larger issue is always if MFA is required for external access. The two questions usually asked in these scenarios are (1) do users have their own unique credentials and (2) is MFA required.
We’ve moved away from GVPN primarily for that reason: lack of native MFA support without bringing in RADIUS or other third parties that just add to the complexity/have their own security concerns. The built-in MFA with SSLVPN is much easier and “just works”.
If you throw enough compensating controls at the scenario, they will give you a pass on just about anything.
Yes, we share credentials, but only with internal employees, for desktop workstations with (XYZ) software installed that never leave the home office. If your documented policies and procedures match this, and are being followed, you might sneak by. In your case, you have no issues at all… However, we should always be striving towards best business practices. SonicWALL recommends that we use SSLVPN for best business practices.