Configuring client workstation verification (ZTNA)
This section explains how to configure a policy to verify the compliance of client workstations that set up SSL VPN tunnels with the SNS firewall.
General information on zero trust network access (ZTNA)
ZTNA consists of trusting users and devices only after they have been verified. To do so, ZTNA can rely on the following components:
- Guaranteed compliance of the communication channel through TLS encryption of SSL VPN tunnels.
- User verification, for example through multifactor authentication, such as the Stormshield TOTP solution (see Configuring multifactor authentication (TOTP)).
- A policy verifying the compliance of client workstations and users. This configuration is covered in the section below.
- Granular filtering to restrict users' access to only what is necessary (see Configuring the filter and NAT policy).
How client workstation verification (ZTNA) works
When client workstation verification is enabled:
- SSL VPN clients that are compatible with this feature can set up SSL VPN tunnels with the SNS firewall only if they are compliant (all the criteria defined in the policy have been met),
- SSL VPN clients that are not compatible with this feature cannot set up SSL VPN tunnels with the SNS firewall, unless they are explicitly allowed to do so by enabling the SSL VPN clients incompatible with ZTNA setting.
Requirements
- An SNS firewall in version 4.8 LTSB or 5.
- SSL VPN clients that are compatible with client workstation verification:
  - The Stormshield SSL VPN client in version 4.0 and higher is compatible. In version 5, it must be set to Stormshield mode; in version 4, it must be set to Automatic mode.
  - Third-party SSL VPN clients, such as OpenVPN Connect, are not compatible.
Configuring client workstation verification
Go to Configuration > VPN > SSL VPN.
The order of the fields described below corresponds to the order on SNS in version 5. While there are differences with SNS in version 4.8 LTSB, the titles should allow you to identify the fields.
Client workstation verification (ZTNA) tab
| Field | Description |
|---|---|
| Enable client workstation verification (ZTNA) | This field appears in this tab on SNS in version 4.8 LTSB. On SNS in version 5, this feature can be enabled in the General settings tab. Select the checkbox to enable verification of client workstation compliance. If you have not yet set the criteria for client workstation verification, define them before enabling verification. |
Version of the Stormshield SSL VPN client / Checking the Stormshield SSL VPN client version
Select the checkbox to enable the settings section of the required versions.
| Field | Description |
|---|---|
| Allow a version range (at least v4.0.0) | Select this option to allow multiple versions of the Stormshield SSL VPN client to set up SSL VPN tunnels (when there is a pool of varied Stormshield SSL VPN clients). By selecting this option: |
| Allow only one version | Select this option to exclusively allow one Stormshield SSL VPN client version. You must then enter the exact version of the Stormshield SSL VPN clients that are allowed to set up SSL VPN tunnels with the SNS firewall. |
Allow tunnels to be set up for the following additional clients
| Field | Description |
|---|---|
| Stormshield SSL VPN clients (Linux or macOS) | Select the checkbox if your organization's pool of Stormshield SSL VPN clients includes Stormshield SSL VPN clients running in Linux and/or macOS. By doing so, Windows-specific criteria will not be applied to these workstations. |
| SSL VPN clients incompatible with ZTNA | Select the checkbox to allow SSL VPN clients that are not compatible with the client workstation verification feature to set up SSL VPN tunnels with the SNS firewall, e.g., for use with mobile devices. |
Customized message for non-compliant workstations
If an SSL VPN tunnel fails to set up because the workstation does not comply with the policy, the Stormshield SSL VPN Client displays the default message "For more information, please contact support" in English, French and German.
If you prefer a different message, you can customize it by editing it in the text entry section. You can also delete the message so that it will no longer be shown. Do note that no automatic translation mechanism is provided: you will need to have the message translated by your own means.
You can revert to the default message by clicking on Go back to messages suggested by default.
Windows client workstation verification (ZTNA) tab
On SNS in version 4.8 LTSB, this tab does not exist. The fields that are described below are found in the Client workstation verification (ZTNA) tab.
IMPORTANT
If you select multiple criteria below, they must all be met to allow the SSL VPN client to set up SSL VPN tunnels with the SNS firewall.
| Field | Description |
|---|---|
| Client workstation antivirus enabled and up to date | When this checkbox is selected, the workstation must be equipped with an active antivirus program with the latest antivirus database updates. This information is based on the status of the antivirus recognized by the Windows Security Center, which means that third-party antivirus programs can be supported as long as their status is recognized. |
| Active firewall on the client workstation | If this checkbox is selected, the workstation's Windows firewall must be running, and the Domain network, Private network and Public network profiles must all be enabled. If any profile is inactive, this criterion is considered non-compliant. |
| SES installed on the client workstation | If this checkbox is selected, the SES Evolution agent must be installed on the workstation. Do note that the configuration and status of the SES agent are not taken into account. |
| Prohibit users holding administration privileges on the client workstation | When this checkbox is selected, users who hold administrator privileges on the workstation cannot set up SSL VPN tunnels with the SNS firewall. |
Check the Windows 10/Windows 11 version (build number)
Select the checkbox to enable the settings section of the required Windows 10 and Windows 11 versions. Settings are configured in the tab corresponding to the version in question.
| Field | Description |
|---|---|
| Allow a version range (builds) | Select this option to allow multiple versions of Windows (when there is a pool of varied Windows workstations). By selecting this option: |
| Allow only one version | Select this option to exclusively allow one single Windows version. You must then enter the exact Windows version of the workstations that are allowed to set up SSL VPN tunnels with the SNS firewall. |
Membership in a company domain
On SNS in version 4.8 LTSB, the visible field changes, depending on whether the Host connected to a domain or User connected to a domain tab has been selected.
| Field | Description |
|---|---|
| Ensure that the host is connected to a company domain (SNS v5) / Connect the host to a company domain (SNS v4.8 LTSB) | When this option is selected, you have to add to the grid the domains of the workstations that are allowed to set up SSL VPN tunnels with the SNS firewall. Do note that this criterion is not related to the configuration of directories on the SNS firewall. |
| Ensure that the user belongs to a company domain (SNS v5) / The user is connected to a company domain (SNS v4.8 LTSB) | When this option is selected, you have to add to the grid the domains of users who are allowed to set up SSL VPN tunnels with the SNS firewall. With this criterion, the user's full name, including the domain, will be verified. As such, even if the workstation is connected to a domain, local users on the workstation will not be able to set up SSL VPN tunnels. Do note that this criterion is not related to the configuration of directories on the SNS firewall. |
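The following PowerShell script is an added example, not Stormshield code and not the check performed by the Stormshield SSL VPN client itself. It evaluates, locally on a Windows workstation, the same criteria that the Windows client workstation verification tab can require (antivirus status from the Windows Security Center, the three firewall profiles, SES agent presence, local administrator membership, the Windows build range, and host and user domain membership), so that an administrator can pre-check a fleet before enabling the policy and see which criterion would fail. The policy values, the allowed domains and the build range are constructed sample values; the SES service name is a placeholder; and the decoding of the Security Center productState field is the commonly used interpretation of an undocumented value, stated here as an assumption.

```powershell
# Added example: local pre-check of the ZTNA Windows criteria. Not Stormshield code.
# All policy values below are ASSUMED samples; replace them with your own policy.
$Policy = @{
    RequireAntivirus   = $true
    RequireFirewall    = $true
    RequireSesAgent    = $false
    DenyLocalAdmins    = $true
    MinBuild           = 19045               # assumed lower bound of the allowed build range
    MaxBuild           = 26100               # assumed upper bound of the allowed build range
    AllowedHostDomains = @('corp.example')   # constructed sample domain for the host criterion
    AllowedUserDomains = @('CORP')           # constructed sample NetBIOS domain for the user criterion
}

function Test-AntivirusCompliant {
    # The Security Center exposes built-in and third-party antivirus products in root/SecurityCenter2.
    # ASSUMPTION: in productState, bit 0x1000 means "enabled" and bit 0x10 means "definitions out of date".
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        $state     = [int]$p.productState
        $enabled   = ($state -band 0x1000) -ne 0
        $outOfDate = ($state -band 0x10) -ne 0
        if ($enabled -and -not $outOfDate) { return $true }
    }
    return $false
}

function Test-FirewallCompliant {
    # The SNS criterion requires all three profiles to be enabled, so one disabled profile fails the check.
    $profiles = Get-NetFirewallProfile -Name Domain, Private, Public
    foreach ($pr in $profiles) {
        if ($pr.Enabled -ne 'True') { return $false }
    }
    return $true
}

function Test-SesAgentInstalled {
    # PLACEHOLDER service name: replace with the real SES Evolution agent service name.
    $svc = Get-Service -Name 'SES_AGENT_SERVICE_NAME_PLACEHOLDER' -ErrorAction SilentlyContinue
    return ($null -ne $svc)
}

function Test-UserIsLocalAdmin {
    # Membership in the local Administrators group (well-known SID S-1-5-32-544) is read from the
    # token's group list, which still lists the group even when UAC has filtered the token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($g in $id.Groups) {
        if ($g.Value -eq 'S-1-5-32-544') { return $true }
    }
    return $false
}

function Test-BuildCompliant {
    # Windows 10/11 build number, compared against the allowed range of the policy.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    return ($build -ge $Policy.MinBuild) -and ($build -le $Policy.MaxBuild)
}

function Test-HostDomainCompliant {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [bool]$cs.PartOfDomain -and ($Policy.AllowedHostDomains -contains $cs.Domain)
}

function Test-UserDomainCompliant {
    # The user criterion checks the full account name including its domain part, so a local account
    # (domain part equal to the computer name) fails even on a domain-joined host.
    $fullName   = [Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user
    $domainPart = $fullName.Split('\')[0]
    return ($domainPart -ne $env:COMPUTERNAME) -and ($Policy.AllowedUserDomains -contains $domainPart)
}

function Get-ZtnaComplianceReport {
    # Mirrors the "all selected criteria must be met" rule: a single failed criterion makes the host non-compliant.
    $results = [ordered]@{}
    if ($Policy.RequireAntivirus) { $results['Antivirus enabled and up to date']   = Test-AntivirusCompliant }
    if ($Policy.RequireFirewall)  { $results['All firewall profiles enabled']      = Test-FirewallCompliant }
    if ($Policy.RequireSesAgent)  { $results['SES agent installed']                = Test-SesAgentInstalled }
    if ($Policy.DenyLocalAdmins)  { $results['User is not a local administrator']  = -not (Test-UserIsLocalAdmin) }
    $results['Windows build within allowed range'] = Test-BuildCompliant
    $results['Host joined to an allowed domain']   = Test-HostDomainCompliant
    $results['User belongs to an allowed domain']  = Test-UserDomainCompliant

    $compliant = -not ($results.Values -contains $false)
    foreach ($k in $results.Keys) { '{0,-40} {1}' -f $k, $(if ($results[$k]) { 'OK' } else { 'FAIL' }) }
    "Overall: " + $(if ($compliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' })
    return $compliant
}

Get-ZtnaComplianceReport
```

Run the script in the session of the user who will open the tunnel, since the administrator and user-domain criteria are evaluated against the current token. A FAIL line tells you which criterion the SNS policy would reject on that workstation; the Linux/macOS exemption and the SSL VPN client version check are not covered by this script.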