Specific characteristics of Stormshield SSL VPN clients

This section presents some of the specific characteristics of Stormshield SSL VPN clients.

Compatible versions and operating systems

For more information on operating systems and compatible versions, refer to the section SSL VPN Client in the Network Security & Tools Product Life Cycle document.

Connection modes

Connection mode Description
Stormshield mode

This mode has to be used with a Stormshield SNS firewall. In this mode:

  • The Stormshield SSL VPN Client automatically retrieves the SSL VPN configuration on the first connection to the SNS firewall, or on subsequent connections if the SSL VPN configuration has been modified. Every time the Stormshield SSL VPN client connects to the SNS firewall, it checks whether the local SSL VPN configuration of the connection in use has to be updated.

  • The Stormshield SSL VPN client sends information to the SNS firewall every time it connects, making it possible for the firewall to check the compliance of the client workstation (ZTNA).

Import OVPN file

This mode makes it possible to import an OpenVPN configuration file (OVPN format), and to connect to the OpenVPN gateway that provided the configuration file.

Ports and protocols

In a default configuration, the Stormshield SSL VPN client must be able to contact the following ports to set up SSL VPN connections.

| Source | Destination | Protocol/Port (default) | Purpose of the connection |
|---|---|---|---|
| Client (SSLVPNService), Stormshield mode only | OpenVPN gateway | TCP/443 (captive portal) | Retrieve SSL VPN configuration and send information to the SNS firewall to verify the compliance of the client workstation (ZTNA). |
| Client (OpenVPN) | OpenVPN gateway | UDP/1194 (SSL VPN) | Set up the SSL VPN connection |
| Client (OpenVPN) | OpenVPN gateway | TCP/443 (SSL VPN) | Set up the SSL VPN connection (compatibility) |

To set up an SSL VPN connection, the Stormshield SSL VPN client always chooses UDP first to ensure optimal performance.

Running scripts

The Stormshield SSL VPN client can automatically run scripts on the user's workstation every time an SSL VPN connection is opened or closed.

Operating system Operation/Implementation
Windows

The scripts to be run must be added to the configuration of the SNS firewall’s SSL VPN service.

Linux

The scripts sslvpn_connect.sh and sslvpn_disconnect.sh must be added on each workstation, at this location:

/opt/stormshield/sslvpnclient/modules/ssl-vpn/etc/

macOS

The scripts sslvpn_connect.sh and sslvpn_disconnect.sh must be added on each workstation, at this location:

/Applications/Stormshield/SSL VPN Client.app/Contents/MacOS/Modules/ssl-vpn/etc/

In Linux and macOS environments, the scripts must use exactly the location and names given above.
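
Because the client runs these two files automatically, it is worth confirming that only their owner can modify them. The audit below is an added example, not Stormshield code: the directories and script names are the ones given above, while the function names, the finding labels and the policy it enforces (no group or world write access, no symbolic links) are assumptions.

```sh
#!/bin/sh
# Added example: audit the scripts the SSL VPN client runs on connect/disconnect.
# Directories and script names come from the page; the policy is an assumption.

LINUX_DIR="/opt/stormshield/sslvpnclient/modules/ssl-vpn/etc"
MACOS_DIR="/Applications/Stormshield/SSL VPN Client.app/Contents/MacOS/Modules/ssl-vpn/etc"

# Print the default script directory for the current operating system.
default_hook_dir() {
    case "$(uname -s)" in
        Darwin) echo "$MACOS_DIR" ;;
        *)      echo "$LINUX_DIR" ;;
    esac
}

# Print the path if group or others have write permission on it.
loose_perms() {
    find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# audit_hook_dir DIR: print one finding per line.
# Returns 0 when nothing needs attention, 1 otherwise.
audit_hook_dir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING_DIR $dir"
        return 1
    fi
    # A writable directory lets another account replace the scripts.
    if [ -n "$(loose_perms "$dir")" ]; then
        echo "WRITABLE_DIR $dir"
        findings=1
    fi
    for name in sslvpn_connect.sh sslvpn_disconnect.sh; do
        f="$dir/$name"
        if [ -L "$f" ]; then
            echo "SYMLINK $f"           # target may live in a less protected place
            findings=1
        elif [ ! -f "$f" ]; then
            echo "ABSENT $f"            # informational: this hook is not in use
        elif [ -n "$(loose_perms "$f")" ]; then
            echo "WRITABLE_SCRIPT $f"
            findings=1
        fi
    done
    return $findings
}
```

Run it with `audit_hook_dir "$(default_hook_dir)"` and treat a non-zero return as a reason to review the listed paths.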

Limitations and explanations on usage

For more information, refer to the section Limitations and explanations on usage in the SSL VPN Client release notes.