New Stormshield SSL VPN client behavior

This section lists the changes made to the automatic behavior of the Stormshield SSL VPN client when it is updated from the latest available version 4 release to version 5.1.3.

Changes introduced in version 5.1.1 EA

Certificates

  • During the initial connection, some users will need to indicate once again that the SNS firewall certificate has to be trusted.

  • SHA-1 and MD5 are no longer supported on the Stormshield SSL VPN client in version 5. In the SSL VPN configuration on the SNS firewall, if you are using a certificate that was signed with an algorithm that is no longer supported, you will need to change it.

    This applies to certificates for the SSL VPN service. If you are using Stormshield SSL VPN clients that have been configured in Stormshield mode (formerly Automatic mode), it also applies to the captive portal's certificate. You can check the signature algorithm of your certificates in the SNS firewall web administration interface, in Certificates and PKI.

    If you need to change:

Connection

  • The "Address book" is now named "Saved connections" in version 5. During an update to version 5, address book entries in older versions are added to saved connections, either automatically, or by entering the address book password the first time that the Stormshield SSL VPN client starts up, if the address book is protected. The original address book will be kept as it is.

  • There is a new method of importing OVPN files in version 5. OVPN files that were imported in prior versions will not be retrieved during an update to version 5. You will need to import them again by selecting "OpenVPN mode" in the information regarding a connection.

System

  • The Stormshield SSL VPN client is available in French and English. It is no longer available in German.

  • The version 5 installation program no longer manages the uninstallation of version 3 and lower versions. When updating from one of these versions, you need to uninstall the original version before installing version 5.

  • The Stormshield SSL VPN client's traffic is now initiated by a service account. If a hardened configuration is used on workstations (e.g., when a firewall is used), the Stormshield SSL VPN client must be able to contact the following ports to set up connections. As the listed ports are from a default configuration, adapt them if necessary.

| Source | Destination | Protocol/Port (default) | Purpose of the connection |
|---|---|---|---|
| Client (SSLVPNService), Stormshield mode only | SNS firewall | TCP/443 (captive portal) | Retrieve VPN configuration and send information to the SNS firewall to verify the compliance of the client workstation (ZTNA) |
| Client (OpenVPN) | SNS firewall | UDP/1194 (SSL VPN) | Setting up the connection |
| Client (OpenVPN) | SNS firewall | TCP/443 (SSL VPN) | Setting up the connection (compatibility) |