Configure the SSL VPN service

This section explains how to enable and configure the SSL VPN service on the SNS firewall.

Go to Configuration > VPN > SSL VPN. There are variations between SNS versions. Whenever these variations are relevant, they will be indicated. You can click on Apply at any time to save your changes.

Enabling the SSL VPN service

Field Description

Enable SSL VPN

Set the selector to ON to enable the SSL VPN service.

Screen showing the configuration of the SSL VPN service on an SNS firewall in version 5

Configuring the general settings of the SSL VPN service

On SNS versions 4.8 LTSB and 5, these settings can be configured in the General settings tab. On SNS version 4.3 LTSB, there is no tab.

NOTE
As of SNS version 4.8.5, a warning will prompt you to disable the LZ4 compression feature if it is enabled. This scenario is described in the section Troubleshooting.

Field Description

Enable client workstation verification (ZTNA)

On SNS in version 5, set the selector to ON to enable the verification of client workstation compliance. On SNS in version 4.8 LTSB, the feature can be enabled in the Client workstation verification (ZTNA) tab. This feature is not available on SNS 4.3 LTSB versions.

When client workstation verification is enabled:

  • SSL VPN clients that are compatible with this feature (see Configuring client workstation verification (ZTNA)) can set up SSL VPN tunnels with the SNS firewall only if all the criteria defined in the policy have been met,

  • SSL VPN clients that are not compatible with this feature cannot set up SSL VPN tunnels with the SNS firewall, unless they are explicitly allowed to do so by enabling the SSL VPN clients incompatible with ZTNA setting.

Network settings section

Field Description
Public IP address (or FQDN) of the UTM used

Indicate the IP address that users must use in their SSL VPN client to reach the SNS firewall and set up SSL VPN tunnels. You can specify an FQDN or IP address.

  • For an FQDN: it must be declared in the DNS servers used by the user's device. If you have a dynamic public IP address, you can use the services of a provider such as DynDNS or No-IP. Next, configure this FQDN in Configuration > Network > Dynamic DNS.

  • For IP addresses: they must be public, and therefore accessible over the Internet.

Available networks or hosts

Select the object representing the networks or hosts that will be reached through the SSL VPN tunnel. This object makes it possible to automatically set on your organization's devices the routes needed to reach resources that can be accessed through the SSL VPN tunnel.

To more granularly allow or prohibit traffic between your users' devices and internal resources, you need to define filter rules (see Configuring the filter and NAT policy).

If some of your organization's devices are located between the SNS firewall and accessible internal resources, you can set static routes on these devices for access to the network assigned to SSL VPN clients.

Network assigned to clients (UDP)

Network assigned to clients (TCP)

Select the object corresponding to the TCP and UDP networks assigned to SSL VPN clients. Select the network or sub-networks according to the following criteria:

  • The network mask must not be smaller than /28.
  • If you assign two networks, the SSL VPN client will always use the UDP-based SSL VPN tunnel first to ensure better performance. This order is defined in the SSL VPN (OpenVPN) configuration that the SNS firewall provides to SSL VPN clients.
  • The assigned network must not belong to any existing internal networks, or networks declared by a static route on the SNS firewall. Since the interface used for the SSL VPN is protected, the SNS firewall would then detect an IP spoofing attempt and block the corresponding traffic.
  • To avoid routing conflicts, select less commonly used sub-networks, such as 10.60.77.0/24, as many filtered Internet access networks (public Wi-Fi, hotels, etc.) or private local networks already use the first few reserved address ranges.
Maximum number of simultaneous tunnels allowed

The number appears automatically. This number corresponds to the lowest value, either the number of tunnels allowed on the SNS firewall (see Requirements), or the number of sub-networks available for SSL VPN clients. For sub-networks:

  • On SNS in version 5: this shows the total number of IP addresses, minus 3.
  • On SNS versions 4.3 LTSB and 4.8 LTSB: this represents 1/4 of the IP addresses, minus 2. An SSL VPN tunnel takes up 4 IP addresses and the server reserves 2 sub-networks for its own use.
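As an added example (not part of the Stormshield documentation and not the SNS firewall's own code), the following Python script applies the criteria above to a candidate client network before it is entered in the configuration: it checks the /28 limit, flags any overlap with internal networks or static routes (the traffic the firewall would then block as IP spoofing), warns about commonly used first address ranges (that list is an assumption made for the example), and computes the per-version capacity and the resulting "Maximum number of simultaneous tunnels". The licensed tunnel limit of the firewall is a value you supply (see Requirements); 50 below is a placeholder.

```python
import ipaddress

MIN_PREFIX_LEN = 28  # the page: the network mask must not be smaller than /28

# Heuristic list of ranges often taken by hotel / public Wi-Fi / home networks.
# This list is an assumption made for the example, not from the SNS documentation.
COMMONLY_USED = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24",
              "192.168.0.0/24", "192.168.1.0/24")
]


def pool_capacity(pool: str, sns_major: int) -> int:
    """Tunnels a client network can serve, per the rules in the documentation.

    SNS 5: total addresses minus 3.
    SNS 4.3 LTSB / 4.8 LTSB: a quarter of the addresses minus 2 (each tunnel
    consumes 4 addresses and the server keeps 2 sub-networks for itself).
    """
    net = ipaddress.ip_network(pool, strict=True)  # rejects a network with host bits set
    if sns_major >= 5:
        return net.num_addresses - 3
    return net.num_addresses // 4 - 2


def max_simultaneous_tunnels(pool: str, sns_major: int, firewall_limit: int) -> int:
    """The value the GUI displays: the lower of the licensed limit and the pool capacity."""
    return min(firewall_limit, pool_capacity(pool, sns_major))


def check_client_pool(pool: str, internal_networks, static_routes) -> list[str]:
    """Return the problems found with a candidate 'Network assigned to clients'."""
    net = ipaddress.ip_network(pool, strict=True)
    issues = []
    if net.prefixlen > MIN_PREFIX_LEN:
        issues.append(f"{net}: mask is smaller than /{MIN_PREFIX_LEN}")
    for other in list(internal_networks) + list(static_routes):
        o = ipaddress.ip_network(other, strict=False)
        if net.overlaps(o):
            issues.append(
                f"{net} overlaps {o}: client traffic arriving on the protected "
                "SSL VPN interface would be blocked as IP spoofing"
            )
    for common in COMMONLY_USED:
        if net.overlaps(common):
            issues.append(
                f"{net} overlaps commonly used range {common}: "
                "expect routing conflicts on public Wi-Fi or home networks"
            )
    return issues


if __name__ == "__main__":
    # Constructed sample topology; 50 is a placeholder for the licensed tunnel limit.
    internal = ["192.168.1.0/24", "10.0.0.0/16"]
    routes = ["10.1.0.0/16"]
    for candidate in ("10.60.77.0/24", "10.0.5.0/24", "192.168.1.0/29"):
        print(candidate, check_client_pool(candidate, internal, routes) or "OK")
    print("max tunnels (SNS 5, /24):", max_simultaneous_tunnels("10.60.77.0/24", 5, 50))
    print("max tunnels (SNS 4.8 LTSB, /28):", max_simultaneous_tunnels("10.60.77.0/28", 4, 50))
```

Run the check once for the UDP network and once for the TCP network, passing every internal network and static route configured on the firewall; an empty list means the candidate satisfies the criteria listed above.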

DNS settings sent to client section

Field Description
Domain name

Enter the domain name assigned to the SSL VPN clients so that they can resolve their host names.

Primary DNS server

Secondary DNS server

Select the object representing the DNS server to be assigned.

Advanced properties section

Field Description
Enable DCO kernel acceleration

On SNS in version 5 in factory configuration, the DCO (Data Channel Offload) kernel acceleration feature is enabled by default. Select or unselect the checkbox to enable or disable this feature. On SNS in version 4, this feature is not available.

This feature improves the performance of UDP-based SSL VPN tunnels. It is not compatible with TCP-based SSL VPN tunnels.

The SSL VPN client used must be compatible with the DCO feature to benefit from enhancements. As for the Stormshield SSL VPN client:

  • The Windows version benefits from enhancements.
  • The Linux version benefits from enhancements only if OpenVPN is in version 2.6.0 or higher, and the openvpn-dco package has been installed.
  • The macOS version does not benefit from enhancements.

NOTE
When you enable the DCO feature, a message may appear, prompting you to change the encryption suite if the one you are using is incompatible. Accept the change to enable the feature.

Public IP address of the UTM for the SSL VPN (UDP)

In the following cases, you need to select the object representing the IP address to reach in order to set up UDP SSL VPN tunnels:

  • The IP address to reach is not the main IP address of the external interface,

  • The IP address to reach belongs to an external interface that is not linked to the default gateway of the SNS firewall.

Port (UDP)

Port (TCP)

The listening ports of the SSL VPN service can be changed. Note:

  • Some ports are reserved for the SNS firewall’s internal use only and cannot be selected,
  • Port 443 is the only port below 1024 that can be used,
  • If you change any of the default ports, the SSL VPN could become inaccessible from networks (hotels or public WiFi) on which Internet access is filtered.
Interval before key renegotiation (seconds)

You can change the length of time after which the keys used by the encryption algorithms will be renegotiated. By default, it is set to 14400 seconds, or 4 hours.

During this operation:

  • The SSL VPN tunnel will not respond for several seconds.
  • If multifactor authentication is used, the user will need to enter a new OTP, or approve the new connection on the third-party application, in order to stay connected. In this use case, we advise increasing the interval before key renegotiation so that it aligns with the average length of a workday, such as 28800 seconds, or 8 hours.
Use DNS servers provided by the firewall

You can instruct SSL VPN clients to include the DNS servers retrieved via the SSL VPN in the workstation's (Windows only) network configuration. If DNS servers are already defined on the workstation, they may be queried.

Prohibit use of third-party DNS servers

You can instruct SSL VPN clients to exclude the DNS servers that have already been defined in the workstation's (Windows only) configuration. Only DNS servers sent by the SNS firewall can be queried.

Scripts to run on the client

The Stormshield SSL VPN client in Windows can run .bat scripts when an SSL VPN tunnel is opened or closed. In these scripts, you can use:

  • Windows environment variables (%USERDOMAIN%, %SystemRoot%, etc.),

  • Variables relating to the Stormshield SSL VPN client: %NS_USERNAME% (user name used for authentication) and %NS_ADDRESS% (IP address assigned to the SSL VPN client).

Field Description
Script to run when connecting

Select the script to run when the SSL VPN tunnel is opened. Example of a script that makes it possible to connect the Z: network drive to the shared network:

NET USE Z: \\myserver\myshare

Script to run when disconnecting

Select the script to run when the SSL VPN tunnel is closed. Example of a script that makes it possible to disconnect the Z: network drive from a shared network:

NET USE Z: /delete

The Stormshield SSL VPN client in Linux and macOS can also run scripts when an SSL VPN tunnel is opened or closed. These scripts are generally used to accommodate the DNS configuration when OpenVPN does not manage it natively. For further information on the use of these scripts, refer to the Stormshield SSL VPN client v5 installation guide.

Certificates

Select the certificates that the SNS firewall’s SSL VPN service and SSL VPN clients must present to set up SSL VPN tunnels. These certificates must be issued from the same certification authority.

By default, a server certificate and a client certificate, issued by the same certification authority dedicated to the SSL VPN, are suggested. These certificates and the certification authority were created when the SNS firewall was initialized.

Field Description
Server certificate

Select the desired certificate.

An icon next to the certificate name indicates certificates with a TPM-protected private key. For more information on this protection, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.

Client certificate

Select the desired certificate.

Client certificates with a TPM-protected private key cannot be selected as the private keys of such certificates must be available in plaintext (unencrypted) in the SSL VPN configuration that is distributed to SSL VPN clients.

Configuration

Field Description
Export the configuration file

Click on this button to export the SSL VPN configuration in OVPN format. You can then import this file into your organization's SSL VPN clients to add a new connection.

As for the Stormshield SSL VPN client, this configuration is automatically retrieved for connections that are set up in Stormshield mode. For OpenVPN connections (imported OVPN file), the file must be imported to set up or save the connection. For more information, refer to the Stormshield SSL VPN client v5 user and configuration guide.
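Because the exported file embeds the client private key in plaintext (see the Certificates section), it is worth inspecting before it is handed out. The following Python script is an added example, not Stormshield code; the sample configuration it parses is constructed from standard OpenVPN client syntax (remote, proto, reneg-sec, dhcp-option, block-outside-dns and inline <ca>/<key> blocks). The exact contents of an SNS export are not shown in this documentation, so treat those directive choices as assumptions. The audit reports the order of the remotes (UDP first, as described for the two client networks), the key renegotiation interval, the DNS settings pushed to the client, and whether the embedded private key is unencrypted.

```python
import re

# Constructed sample in standard OpenVPN client syntax. It is NOT an actual SNS export;
# the host name, ports, addresses and PEM bodies are placeholders.
SAMPLE_OVPN = """\
client
dev tun
# UDP remote listed first: the client tries it before falling back to TCP
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp
reneg-sec 14400
dhcp-option DOMAIN example.internal
dhcp-option DNS 10.60.1.10
block-outside-dns
<ca>
-----BEGIN CERTIFICATE-----
constructed-placeholder
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
constructed-placeholder
-----END PRIVATE KEY-----
</key>
"""

BLOCK_OPEN = re.compile(r"<([\w-]+)>")
BLOCK_CLOSE = re.compile(r"</([\w-]+)>")


def parse_ovpn(text: str):
    """Split an OVPN file into directive lines and inline <tag>...</tag> blocks."""
    directives, blocks = [], {}
    current, buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:
            m = BLOCK_CLOSE.fullmatch(line)
            if m and m.group(1) == current:
                blocks[current] = "\n".join(buf)
                current, buf = None, []
            else:
                buf.append(line)
            continue
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = BLOCK_OPEN.fullmatch(line)
        if m:
            current = m.group(1)
            continue
        directives.append(line.split())
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, blocks


def _proto(value: str) -> str:
    # udp, udp4, udp6, tcp, tcp-client, tcp4 ... are reduced to "udp" or "tcp"
    return "tcp" if value.lower().startswith("tcp") else "udp"


def audit_ovpn(text: str) -> dict:
    """Summarize the settings a defender cares about before distributing the file."""
    directives, blocks = parse_ovpn(text)
    default_proto = "udp"  # OpenVPN's default when a remote carries no protocol
    report = {"remotes": [], "reneg_sec": None, "domain": None,
              "dns_servers": [], "blocks_outside_dns": False}
    for name, *args in directives:
        if name == "proto" and args:
            default_proto = _proto(args[0])
        elif name == "remote" and len(args) >= 2:
            proto = _proto(args[2]) if len(args) >= 3 else default_proto
            report["remotes"].append((args[0], int(args[1]), proto))
        elif name == "reneg-sec" and args:
            report["reneg_sec"] = int(args[0])
        elif name == "dhcp-option" and len(args) >= 2:
            if args[0].upper() == "DNS":
                report["dns_servers"].append(args[1])
            elif args[0].upper() == "DOMAIN":
                report["domain"] = args[1]
        elif name == "block-outside-dns":
            report["blocks_outside_dns"] = True
    report["udp_first"] = bool(report["remotes"]) and report["remotes"][0][2] == "udp"
    key = blocks.get("key")
    report["has_inline_key"] = key is not None
    # A password-protected PEM key carries "ENCRYPTED" in its header
    # ("BEGIN ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED").
    report["key_is_plaintext"] = key is not None and "ENCRYPTED" not in key
    return report


if __name__ == "__main__":
    for field, value in audit_ovpn(SAMPLE_OVPN).items():
        print(f"{field}: {value}")
```

When key_is_plaintext is true, the OVPN file is a credential: distribute it over an authenticated channel, keep it out of shared folders and e-mail, and delete the copies once the connection has been imported into the client.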