Limitations and explanations on usage

This section lists the limitations of the Stormshield SSL VPN client and explanations on its usage.

Installation

Installing version 5 in Windows when it is blocked by a previous version 3

When attempts to install version 5 of the Stormshield SSL VPN client are blocked due to a prior version 3, even if it has been uninstalled, you will need to use a script provided by Stormshield to clean up residual registry keys and files that were not correctly deleted by the version 3 uninstaller.

For more information, refer to the article "Unable to install SSL VPN Client v5 on Windows due to previous v3 installation" in the Stormshield knowledge base.

Multi-account installation under Linux and macOS

We recommend that individual users who share a Linux or macOS workstation with other users ensure that they shut down their SSL VPN connection after each use on the workstation.

Connection

Verifying Windows client workstations (ZTNA) - Firewall and antivirus

When client workstation verification (ZTNA) is enabled on the SNS firewall, and at least one of the criteria "Client workstation antivirus enabled and up to date" or "Active firewall on the client workstation" is selected, users have to wait for several minutes after opening their Windows sessions before they can set up a connection with the Stormshield SSL VPN client.

This is because the Windows service that checks the status of the antivirus and Windows firewall takes several minutes to start up after a session is opened. As long as this service has not started up, the Stormshield SSL VPN client will not be able to check the status of these criteria. The SNS firewall will then refuse to set up the connection because the workstation is considered non-compliant.

Certificates signed with SHA-1

When the OpenVPN gateway (e.g., the SNS firewall) presents a certificate that is signed with SHA-1, an error message appears in the Stormshield SSL VPN Client connection window, prompting you to check the credentials used to connect. Ignore the reason given in the message: the connection failed because SHA-1 is no longer supported on the Stormshield SSL VPN client.
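Because the error message points at credentials, it helps to read the signature algorithm from the gateway certificate itself. The following is an added example, not Stormshield code: it takes a certificate as PEM text or DER bytes and reports whether its signature uses SHA-1. The function names are hypothetical and the two sample inputs are constructed skeletons, not real certificates.

```python
import base64
import re

# DER-encoded OID contents of signature algorithms that hash with SHA-1.
SHA1_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",  # 1.2.840.113549.1.1.5
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",            # 1.2.840.10045.4.1
    bytes.fromhex("2a8648ce380403"): "dsa-with-sha1",              # 1.2.840.10040.4.3
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_algorithm_oid(der):
    """Raw OID of the outer Certificate.signatureAlgorithm (RFC 5280, 4.1.1.2)."""
    outer, start, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, start)        # tbsCertificate, skipped
    _, alg_start, _ = read_tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if outer != 0x30 or tag != 0x06:
        raise ValueError("not a DER X.509 certificate")
    return der[oid_start:oid_end]

def sha1_signature_name(cert):
    """cert is PEM text (str) or DER bytes; returns the SHA-1 algorithm name or None."""
    if isinstance(cert, str):
        match = PEM_RE.search(cert)
        if not match:
            raise ValueError("no PEM certificate block found")
        cert = base64.b64decode("".join(match.group(1).split()))
    return SHA1_SIG_OIDS.get(bytes(signature_algorithm_oid(cert)))

def constructed_skeleton(oid):  # constructed sample, not a real certificate
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"  # empty tbsCertificate, alg, empty signature
    return bytes([0x30, len(body)]) + body

SAMPLE_SHA1 = constructed_skeleton(bytes.fromhex("2a864886f70d010105"))    # sha1WithRSAEncryption
SAMPLE_SHA256 = constructed_skeleton(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
```

Pass the certificate presented by the gateway to sha1_signature_name; a result other than None names the SHA-1 signature algorithm that the client rejects.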

Single sign-on - Minimum authentication duration allowed on the SNS firewall captive portal

When single sign-on is used to set up SSL VPN tunnels with the SNS firewall, we advise against configuring the allowed minimum authentication duration below 15 minutes (default value). This value can be configured in Authentication > Captive portal profiles on the SNS firewall.

If you choose to lower the duration anyway, indicate to users that they must not select a value lower than or equal to 5 minutes in the "Authentication duration" field on the captive portal, as the Stormshield SSL VPN client would need more time to set up the connection. The Stormshield SSL VPN client cannot set up a connection if the authentication duration chosen by the user is lower than or equal to 5 minutes.

Usage

DCO feature on SNS v5 firewalls

The table below indicates whether Stormshield SSL VPN clients in Windows, Linux and macOS are eligible to benefit from enhancements to the DCO feature on SNS v5 firewalls.

Stormshield SSL VPN client in: DCO feature on SNS v5 firewalls

Windows: Benefits from enhancements to the DCO feature

Linux: Benefits from enhancements to the DCO feature, only if both of these conditions are met:

  • OpenVPN is in version 2.6.0 or higher,
  • The openvpn-dco package has been installed.

macOS: Does not benefit from enhancements to the DCO feature

For more information on the DCO feature, refer to the section "Configuring the SSL VPN service" in the SSL VPN administration guide for Stormshield SNS firewalls and SSL VPN clients.