Configuring client workstation verification (ZTNA)

This section explains how to configure a policy to verify the compliance of client workstations that set up SSL VPN tunnels with the SNS firewall. With this verification, workstations or users that do not comply with the criteria in the policy defined on the SNS firewall will not be able to set up SSL VPN tunnels with the SNS firewall.

You can click on Apply at any time to save your changes.

General information on zero trust network access (ZTNA)

ZTNA consists of trusting users and devices only after they have been verified. To do so, ZTNA can rely on the following components:

Guaranteed compliance of the communication channel through TLS encryption of SSL VPN tunnels.
User verification, for example through multifactor authentication, such as the Stormshield TOTP solution (see Multifactor authentication).
A policy verifying the compliance of client workstations and users. This configuration is covered in the section below.
Granular filtering to restrict users' access to only what is necessary (see Configuring the filter and NAT policy).

Requirements

To use a client workstation compliance verification policy, you must meet the following requirements:

An SNS firewall in version 4.8 LTSB or 5.
Compatible SSL VPN clients with the client workstation verification feature:
- The Stormshield SSL VPN client in version 4.0 and higher is compatible. It must be set to Stormshield mode for versions 5 or Automatic mode for versions 4.
- Third-party SSL VPN clients, such as OpenVPN Connect, are not compatible.

Configuring client workstation verification on SNS in version 5

Go to Configuration > VPN > SSL VPN. Settings for this version are configured in the Client workstation verification (ZTNA) and Windows client workstation verification (ZTNA) tabs.

Client workstation verification (ZTNA) tab

Stormshield SSL VPN client version

Select the checkbox to enable the settings section of the required versions.

Field	Description
Allow a version range (at least v4.0.0)	Select this option to allow multiple versions of the Stormshield SSL VPN client to set up SSL VPN tunnels (when there is a pool of varied Stormshield SSL VPN clients). By selecting this option: You must enter the Lowest version of Stormshield SSL VPN clients that are allowed to set up SSL VPN tunnels with the SNS firewall, You can enter the Highest version, or leave this field empty to allow all versions equal to or higher than the lowest version to set up SSL VPN tunnels with the SNS firewall.
Allow only one version	Select this option to exclusively allow one Stormshield SSL VPN client version. You must then enter the exact version of the Stormshield SSL VPN clients that are allowed to set up SSL VPN tunnels with the SNS firewall.

Field

Description

Allow a version range (at least v4.0.0)

Select this option to allow multiple versions of the Stormshield SSL VPN client to set up SSL VPN tunnels (when there is a pool of varied Stormshield SSL VPN clients). By selecting this option:

You must enter the Lowest version of Stormshield SSL VPN clients that are allowed to set up SSL VPN tunnels with the SNS firewall,
You can enter the Highest version, or leave this field empty to allow all versions equal to or higher than the lowest version to set up SSL VPN tunnels with the SNS firewall.

Allow only one version

Select this option to exclusively allow one Stormshield SSL VPN client version. You must then enter the exact version of the Stormshield SSL VPN clients that are allowed to set up SSL VPN tunnels with the SNS firewall.

Allow tunnels to be set up for the following additional clients

Field	Description
Stormshield SSL VPN clients (Linux or macOS)	Select the checkbox if your organization's pool of Stormshield SSL VPN clients includes Stormshield SSL VPN clients running in Linux and/or macOS. By doing so, specific Windows criteria will not be applied to these workstations.
SSL VPN clients incompatible with ZTNA	Select the checkbox to allow SSL VPN clients that are not compatible with the client workstation verification feature to set up SSL VPN tunnels with the SNS firewall, e.g., for use with mobile devices.

Customized message for incompatible workstations

If an SSL VPN tunnel fails to set up because it does not comply with the policy, the Stormshield SSL VPN Client displays the default message "For more information, please contact support" in English, French and German.

In the text entry section, you can change the message, or delete it if you do not wish to display an additional message. Do note that as automatic translation mechanisms have not been set up: you will need to have the message translated with your own means.

You can reset the additional message that you have written by clicking on Go back to messages suggested by default.

Screen to customize the message indicating non-compliance with the client workstation verification policy on an SNS firewall in version 5

Windows client workstation verification (ZTNA) tab

IMPORTANT
If you select multiple criteria below, they must all be met to allow the SSL VPN client to set up SSL VPN tunnels with the SNS firewall.

Field	Description
Client workstation antivirus enabled and up to date	When this checkbox is selected, the workstation must be equipped with an active antivirus program with the latest antivirus database updates. This information is based on the status of the antivirus recognized by the Windows Security center, which means that third-party antivirus modules can be supported as long as their status is recognized. NOTE The Windows service that checks the status of the antivirus takes several minutes to start up after a session is opened. Users therefore need to wait for a few minutes after opening their Windows session before they can set up an SSL VPN tunnel.
Active firewall on the client workstation	If this checkbox is selected, the workstation's Windows firewall must be running, and the Domain network, Private network and Public network profiles must be enabled. If a profile is inactive, this criterion will be considered non-compliant. NOTE The Windows service that checks the status of the Windows firewall takes several minutes to start up after a session is opened. Users therefore need to wait for a few minutes after opening their Windows session before they can set up an SSL VPN tunnel.
SES installed on the client workstation	If this checkbox is selected, the SES Evolution agent must be installed on the workstation. Do note that the configuration and status of the SES agent are not taken into account.
Prohibit users holding administration privileges on the client workstation	When this checkbox is selected, users who hold administrator privileges on the workstation cannot set up SSL VPN tunnels with the firewall SNS.

Check the Windows 10/Windows 11 version (build number)

Select the checkbox to enable the settings section of the required Windows 10 and Windows 11 versions. Settings are configured in the tab corresponding to the version in question.

Field	Description
Allow a version range (builds)	Select this option to allow multiple versions of Windows (when there is a pool of varied Windows workstations). By selecting this option: You must enter the Lowest version that the workstation must run, so that it can set up SSL VPN tunnels with the SNS firewall. The default versions are: 10000 for Windows 10 and 20000 for Windows 11. You can enter the Highest version, or leave this field empty to allow all versions equal to or higher than the lowest version to set up SSL VPN tunnels with the SNS firewall.
Allow only one version	Select this option to exclusively allow one single Windows version. You must then enter the exact Windows version of the workstations that are allowed to set up SSL VPN tunnels with the SNS firewall.

Field

Description

Allow a version range (builds)

Select this option to allow multiple versions of Windows (when there is a pool of varied Windows workstations). By selecting this option:

You must enter the Lowest version that the workstation must run, so that it can set up SSL VPN tunnels with the SNS firewall. The default versions are: 10000 for Windows 10 and 20000 for Windows 11.
You can enter the Highest version, or leave this field empty to allow all versions equal to or higher than the lowest version to set up SSL VPN tunnels with the SNS firewall.

Allow only one version

Select this option to exclusively allow one single Windows version. You must then enter the exact Windows version of the workstations that are allowed to set up SSL VPN tunnels with the SNS firewall.

Membership in a company domain

Field	Description
Ensure that the host is connected to a company domain	When this option is selected, you have to add to the grid the domains of the workstations that are allowed to set up SSL VPN tunnels with the SNS firewall. Do note that this criterion is not related to the configuration of directories on the SNS firewall.
Ensure that the user belongs to a company domain	When this option is selected, you have to add to the grid the domains of users who are allowed to set up SSL VPN tunnels with the SNS firewall. With this criterion, the user's full name, including the domain, will be verified. As such, even if the workstation is connected to a domain, local users on the workstation will not be able to set up SSL VPN tunnels. Do note that this criterion is not related to the configuration of directories on the SNS firewall.

Field

Description

Ensure that the host is connected to a company domain

When this option is selected, you have to add to the grid the domains of the workstations that are allowed to set up SSL VPN tunnels with the SNS firewall.

Do note that this criterion is not related to the configuration of directories on the SNS firewall.

Ensure that the user belongs to a company domain

When this option is selected, you have to add to the grid the domains of users who are allowed to set up SSL VPN tunnels with the SNS firewall. With this criterion, the user's full name, including the domain, will be verified. As such, even if the workstation is connected to a domain, local users on the workstation will not be able to set up SSL VPN tunnels.

Do note that this criterion is not related to the configuration of directories on the SNS firewall.

Configuring client workstation verification on SNS in version 4.8 LTSB

Go to Configuration > VPN > SSL VPN. Settings are configured in the Client workstation verification (ZTNA) tab.

Field	Description
Enable client workstation verification (ZTNA)	Select the checkbox to enable verification of client workstation compliance. When it is enabled: SSL VPN clients that are compatible with this feature can set up SSL VPN tunnels with the SNS firewall only if all the criteria defined in the policy have been met, SSL VPN clients that are not compatible with this feature cannot set up SSL VPN tunnels with the SNS firewall, unless they are explicitly allowed to do so by enabling the SSL VPN clients incompatible with ZTNA setting.
Allow tunnels to be set up for Linux or Mac Stormshield SSL VPN clients	Select the checkbox if your organization's pool of Stormshield SSL VPN clients includes Stormshield SSL VPN clients running in Linux and/or macOS. By doing so, specific Windows criteria will not be applied to these workstations.
Allow tunnels to be set up for clients that are not compatible with ZTNA	Select the checkbox to allow SSL VPN clients that are not compatible with the client workstation verification feature to set up SSL VPN tunnels with the SNS firewall, e.g., for use with mobile devices.

Field

Description

Enable client workstation verification (ZTNA)

Select the checkbox to enable verification of client workstation compliance. When it is enabled:

SSL VPN clients that are compatible with this feature can set up SSL VPN tunnels with the SNS firewall only if all the criteria defined in the policy have been met,
SSL VPN clients that are not compatible with this feature cannot set up SSL VPN tunnels with the SNS firewall, unless they are explicitly allowed to do so by enabling the SSL VPN clients incompatible with ZTNA setting.

Allow tunnels to be set up for Linux or Mac Stormshield SSL VPN clients

Select the checkbox if your organization's pool of Stormshield SSL VPN clients includes Stormshield SSL VPN clients running in Linux and/or macOS. By doing so, specific Windows criteria will not be applied to these workstations.

Allow tunnels to be set up for clients that are not compatible with ZTNA

Select the checkbox to allow SSL VPN clients that are not compatible with the client workstation verification feature to set up SSL VPN tunnels with the SNS firewall, e.g., for use with mobile devices.

Client workstation verification (ZTNA) settings

IMPORTANT
If you select multiple criteria below, they must all be met to allow the SSL VPN client to set up SSL VPN tunnels with the SNS firewall.

Field/Criterion	Description
Client workstation antivirus enabled and up to date	When this checkbox is selected, the workstation must be equipped with an active antivirus program with the latest antivirus database updates. This information is based on the status of the antivirus recognized by the Windows Security center, which means that third-party antivirus modules can be supported as long as their status is recognized. NOTE The Windows service that checks the status of the antivirus takes several minutes to start up after a session is opened. Users therefore need to wait for a few minutes after opening their Windows session before they can set up an SSL VPN tunnel.
Active firewall on the client workstation	If this checkbox is selected, the workstation's Windows firewall must be running, and the Domain network, Private network and Public network profiles must be enabled. If a profile is inactive, this criterion will be considered non-compliant. NOTE The Windows service that checks the status of the Windows firewall takes several minutes to start up after a session is opened. Users therefore need to wait for a few minutes after opening their Windows session before they can set up an SSL VPN tunnel.
SES installed on the client workstation	If this checkbox is selected, the SES Evolution agent must be installed on the workstation. Do note that the configuration and status of the SES agent are not taken into account.
Prohibit users holding administration privileges on the client workstation	When this checkbox is selected, users who hold administrator privileges on the workstation cannot set up SSL VPN tunnels with the firewall SNS.
Check the Windows 10/Windows 11 versions (build number)	Select the checkbox to enable the settings section of the required Windows 10 and Windows 11 versions. Settings are configured in the tab corresponding to the version in question. Allow a version range (builds): select this option to authorize several versions of Windows (case of a heterogeneous fleet of Windows workstations). By selecting this option: You must enter the Lowest version that the workstation must run, so that it can set up SSL VPN tunnels with the SNS firewall. The default versions are: 10000 for Windows 10 and 20000 for Windows 11. You can enter the Highest version, or leave this field empty to allow all versions equal to or higher than the lowest version to set up SSL VPN tunnels with the SNS firewall. Allow only one version: select this option to exclusively allow one single Windows version. You must then enter the exact Windows version of the workstations that are allowed to set up SSL VPN tunnels with the SNS firewall.
Host connected to a domain tab	If Connect the host to a company domain is selected, in the grid, add the domains of the workstations that are allowed to set up SSL VPN tunnels with the SNS firewall. Do note that this criterion is not related to the configuration of directories on the SNS firewall.
User connected to a domain tab	If Connect the user to a company domain is selected, in the grid, add the domains of the users that are allowed to set up SSL VPN tunnels with the SNS firewall. With this criterion, the user's full name, including the domain, will be verified. As such, even if the workstation is connected to a domain, local users on the workstation will not be able to set up SSL VPN tunnels. Do note that this criterion is not related to the configuration of directories on the SNS firewall.
Stormshield SSL VPN client version	Select Check Stormshield SSL VPN client version to enable the settings section of the required versions. Allow a version range (builds): select this option to allow multiple versions of the Stormshield SSL VPN client to set up SSL VPN tunnels (when there is a pool of varied Stormshield SSL VPN clients). By selecting this option: You must enter the Lowest version of Stormshield SSL VPN clients that are allowed to set up SSL VPN tunnels with the SNS firewall. You can enter the Highest version, or leave this field empty to allow all versions equal to or higher than the lowest version to set up SSL VPN tunnels with the SNS firewall. Allow only one version: select this option to exclusively allow one single Stormshield SSL VPN client version. You must then enter the exact version of the Stormshield SSL VPN clients that are allowed to set up SSL VPN tunnels with the SNS firewall.

Customized message

You can reset the additional message that you have written by clicking on Go back to messages suggested by default.

Screen to customize the message indicating non-compliance with the client workstation verification policy on an SNS firewall in version 4