SSL VPN

SSL VPN enables remote users to securely access internal corporate resources over SSL-encrypted communications. Using SSL VPN requires an SSL VPN client to be installed on the workstation or on any type of mobile terminal (Windows, iOS, Android, etc.).

SSL VPN tunnels may be based on UDP or TCP protocols. Whenever a UDP-based tunnel fails, the connection will switch to TCP.

If the VPN client provided is used, only the IP address of the firewall and the authentication information (login/password) are needed to connect. If an OpenVPN client is used, the configuration details must first be retrieved from the authentication portal (“Personal data” menu) and then imported into the client.

In addition to the settings in this module, the authentication method must be defined in the Authentication module and the user must be allowed in its policy. A filter rule must also specify ‘Via SSL VPN tunnel’ as the source (advanced configuration) in order to authorize traffic.

For further information, please refer to the Technical note SSL VPN tunnels available in your secure-access area.

This module consists of a single configuration screen split up into 4 zones:

  • Enable the service
  • Network settings: this zone contains elements for configuring the SSL VPN server, networks or contactable hosts, as well as the network assigned to clients.
  • DNS settings sent to client: this zone contains the DNS configuration elements that will be sent to the client.
  • Advanced configuration: an area for customizing the lifetime before SSL renegotiation, defining scripts to be executed where necessary when logging on to/off from the client and selecting client and server certificates for setting up the SSL tunnel.

Enable the service

This button makes it possible to enable or disable the SSL VPN server on the firewall.

Network settings

UTM IP address (or FQDN) used

Indicate the public IP address of the IPS-Firewall (or an FQDN associated with this address, for example sslserver.company.com) through which clients will be able to contact the SSL VPN server.

Available networks or hosts

Indicate which networks and hosts will be visible to clients. All packets sent by the client towards these networks will go through the SSL tunnel.

This object can be a “network”, “machine” or “group” object (containing several networks and/or hosts). It can be created directly in this window by clicking on the icon.

The value of this field is “Network_internals” by default, offering connectivity with all networks protected by the firewall.

REMARK

This is only a network routing concept. Filter rules must be created to allow or block traffic between the remote client network and internal resources.

Network assigned to clients (UDP)

Select a “network” object (“IP address range” or “Group” objects are not accepted). Each client that sets up a UDP-based tunnel will be assigned an IP address belonging to this network.

This network must be different from the one assigned to the clients of TCP-based tunnels.

The object can be created directly in this window by clicking on the icon.

IMPORTANT

In order to prevent routing conflicts on client workstations during the connection to the SSL VPN, select less commonly used sub-networks for your clients (example: 10.60.77.0/24, 192.168.38.0/24, etc.). Many filtered Internet access networks (public Wi-Fi, hotels, etc.) and private local networks use precisely the first few address ranges reserved for these purposes (example: 10.0.0.0/24, 192.168.0.0/24).

Network assigned to clients (TCP)

Select a “network” object (“IP address range” or “Group” objects are not accepted). Each client that sets up a TCP-based tunnel will be assigned an IP address belonging to this network.

This network must be different from the one assigned to the clients of UDP-based tunnels.

The object can be created directly in this window by clicking on the icon.

IMPORTANT

In order to prevent routing conflicts on client workstations during the connection to the SSL VPN, select less commonly used sub-networks for your clients (example: 10.60.77.0/24, 192.168.38.0/24, etc.). Many filtered Internet access networks (public Wi-Fi, hotels, etc.) and private local networks use precisely the first few address ranges reserved for these purposes (example: 10.0.0.0/24, 192.168.0.0/24).

Maximum number of simultaneous tunnels allowed

The number of tunnels that can be set up simultaneously is shown here; it depends on the size of the network chosen for clients and on the firewall model.

This number corresponds to the minimum of the two following values:

  • A quarter of the number of IP addresses included in the selected client network (example: 63 for a Class C network), since each SSL tunnel takes up 4 IP addresses.
  • The maximum number of tunnels allowed on the IPS-Firewall used.
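The two IMPORTANT notes above and the tunnel count rule can be checked before the configuration is applied. The following script is an added example, not part of the Stormshield documentation or product: it verifies that the UDP and TCP client networks are distinct, private and outside the commonly used ranges the notes mention, and computes the tunnel limit as the minimum of a quarter of the client network and the model's limit (the network and broadcast addresses are excluded, an assumption made here to reproduce the 63 quoted for a /24). The optional overlap check against the firewall's protected networks is an addition of this example.

```python
import ipaddress

# Ranges the page names as commonly used by public Wi-Fi, hotel and home
# networks; a client network overlapping them causes routing conflicts.
COMMONLY_USED = [ipaddress.ip_network("10.0.0.0/24"),
                 ipaddress.ip_network("192.168.0.0/24")]


def max_tunnels(client_network, firewall_limit):
    """Simultaneous tunnels: min(a quarter of the client network, model limit).

    The network and broadcast addresses are left out (an assumption made
    here), which gives the 63 tunnels the page quotes for a /24 (Class C).
    """
    net = ipaddress.ip_network(client_network, strict=True)
    usable = net.num_addresses - 2
    return min(usable // 4, firewall_limit)  # each tunnel takes 4 addresses


def check_client_networks(udp_net, tcp_net, protected_nets=()):
    """Return the problems found with the chosen client networks ([] = OK).

    protected_nets (optional, an added check) lists the firewall's internal
    networks: a client network overlapping them would also break routing.
    """
    problems = []
    nets = {}
    for label, value in (("UDP", udp_net), ("TCP", tcp_net)):
        try:
            # strict=True rejects values with host bits set (not a network)
            nets[label] = ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            problems.append(f"{label} client network {value!r} is not a valid network: {exc}")
    if len(nets) < 2:
        return problems
    if nets["UDP"].overlaps(nets["TCP"]):
        problems.append("UDP and TCP client networks must be different")
    for label, net in nets.items():
        if not net.is_private:
            problems.append(f"{label} client network {net} is not a private range")
        for common in COMMONLY_USED:
            if net.overlaps(common):
                problems.append(f"{label} client network {net} overlaps commonly used range {common}")
        for prot in protected_nets:
            if net.overlaps(ipaddress.ip_network(prot, strict=False)):
                problems.append(f"{label} client network {net} overlaps protected network {prot}")
    return problems
```

Run check_client_networks with the two candidate networks (and, optionally, the networks behind the firewall) and fix every reported problem before assigning the objects in this screen.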

DNS settings sent to client

Domain name

Domain name assigned to the client so that it can perform DNS resolution.

Primary DNS server

Primary DNS server assigned to the client.

Secondary DNS server

Secondary DNS server assigned to the client.

Advanced properties

UTM IP address for the SSL VPN (UDP)

Enter the public IP address of the IPS-Firewall through which clients will be able to contact the SSL VPN server over UDP.

Port (UDP)

Select or create the object corresponding to the UDP port that will be used to set up tunnels.

Port (TCP)

Select or create the object corresponding to the TCP port that will be used to set up tunnels. This port will also be used as a fallback if tunnels cannot be set up via UDP.

Interval before key renegotiation (in seconds)

Period beyond which keys will be renegotiated. The default value is 14400 seconds, or 4 hours.

Use DNS servers provided by the firewall

If this option is selected, the SSL VPN client will add the DNS servers retrieved via the SSL VPN to the workstation's network configuration. If DNS servers have already been defined on the workstation, they may still be queried.
Prohibit use of third-party DNS servers

If this option is selected, the SSL VPN client will exclude DNS servers already defined in the workstation's configuration. Only DNS servers sent by the firewall can be queried.

These DNS servers must be contactable through an SSL VPN tunnel.

Script to run when connecting

Select a script that the client will execute locally when connecting to the SSL tunnel (example: connecting a disk to a remote shared network).

Script to run when disconnecting

Select a script that the client will execute locally when disconnecting from the SSL tunnel (example: disconnecting a disk from a remote shared network).

NOTE

Only client hosts running under Windows and using the Stormshield Network client can use the script execution service. The script files must be in “.bat” format.

NOTE

All Windows environment variables can be used in connection/disconnection scripts (example: %USERDOMAIN%, %SystemRoot%, etc.).

Two environment variables relating to the SSL VPN tunnel can also be used:

  • %NS_USERNAME%: the user name used for authentication,
  • %NS_ADDRESS%: the IP address assigned to the client.

Certificates used

Server certificate

Select the certificate submitted by the server to set up the SSL tunnel.

By default, the server certificate suggested is the one created during the initialization of the firewall. It is issued by the CA dedicated to the default SSL VPN.

Client certificate

Select the certificate submitted by the client to set up the SSL tunnel.

By default, the client certificate suggested is the one created during the initialization of the firewall. It is issued by the CA dedicated to the default SSL VPN.

This certificate is the same for all clients; users are then authenticated (login/password) once the SSL connection has been established.

IMPORTANT

If you choose to create your own CA, you will need to use two certificates (server and client) signed by it. If this CA is not a root authority, both certificates have to be issued by the same sub-authority.

Configuration

Download the configuration file

Click on this button to obtain an archive containing the SSL VPN server's configuration file.