New Stormshield SSL VPN client behavior

This section lists the changes in the automatic behavior of the Stormshield SSL VPN client when it is updated from the latest available version 4 to version 5.1.2.

Changes introduced in version 5.1.1 EA

  • Available languages - The Stormshield SSL VPN client is available in French and English. It is no longer available in German.

  • Obsolete certificates - SHA-1 and MD5 are no longer supported on the Stormshield SSL VPN client. In the SSL VPN configuration on the SNS firewall, if you are using a certificate that was signed with an algorithm that is no longer supported, you will need to change it.

    This applies to the certificates used for the SSL VPN service and, if you are using Stormshield SSL VPN clients configured in Stormshield mode (formerly Automatic mode), to the captive portal's certificate as well. You can check the signature algorithm of your certificates in the SNS firewall web administration interface, in Certificates and PKI.

    If you need to change:

  • Certificates - During the initial connection, some users will need to indicate once again that the SNS firewall certificate has to be trusted.

  • Manual mode/Imported OVPN files - A new method of importing OVPN files is now available. During an update from version 4 or lower to version 5, older imported OVPN files will not be retrieved. You therefore need to import them again after the update is complete.

  • Address book/Saved connections - The "Address book" is now named "Saved connections". During an update from version 4 or lower to version 5, address book entries are added to saved connections, either automatically, or by entering the address book password the first time that the Stormshield SSL VPN client starts up, if the address book is protected. The original address book is not modified, and will be kept at its original location.

  • Update from a version lower than version 5 - The version 5 installation program no longer manages the uninstallation of version 3 and lower versions. During an update from one of these versions, you need to uninstall the original version in advance, before installing version 5.

  • The Stormshield SSL VPN client's traffic is now initiated by a service account. If a hardened configuration is used on workstations (e.g., when a firewall is used), the Stormshield SSL VPN client must be able to contact the following ports to set up SSL VPN connections. As the listed ports are from a default configuration, adapt them if necessary.

| Source | Destination | Protocol/Port (default) | Purpose of the connection |
|---|---|---|---|
| Client (SSLVPNService), Stormshield mode only | OpenVPN gateway on the SNS firewall | TCP/443 (captive portal) | Retrieve SSL VPN configuration and send information to the SNS firewall to verify the compliance of the client workstation (ZTNA). |
| Client (OpenVPN) | OpenVPN gateway on the SNS firewall | UDP/1194 (SSL VPN) | Set up the SSL VPN connection |
| Client (OpenVPN) | OpenVPN gateway on the SNS firewall | TCP/443 (SSL VPN) | Set up the SSL VPN connection (compatibility) |