Installing and configuring the SN SSL VPN Client

NOTE
For further information on the VPN solutions that Stormshield offers and how to configure them (IPsec VPN and SSL VPN), refer to the page Focus - VPN topologies.

Downloading the SN SSL VPN Client

  • From the Stormshield SSL VPN website.
    Log in to https://vpn.stormshield.eu/ and follow the instructions given.

  • From the MyStormshield personal area.
    Log in to your MyStormshield personal area and go to Downloads > Downloads > Stormshield Network Security > SSL VPN.

  • From the captive portal of the SNS firewall that hosts the SSL VPN service.
    Authenticate on https://firewall_IPaddress/auth, and in the Personal data tab, click on SSL VPN Client.

Captive portal on an SNS firewall in version 4 (similar in version 3).


Installing the SN SSL VPN Client

The SN SSL VPN Client can only be used by a single Windows user profile, and must be installed in that end user's profile in one of the following ways. Installation requires local administrator privileges on the workstation; otherwise, the user must enter the login and password of an administrator account.

Standard installation

  1. Run the msi package downloaded earlier on the workstation.
  2. Follow the steps in the installation wizard.

Deployment via a group policy (GPO)

When the SN SSL VPN Client is deployed via a group policy (GPO), it is automatically installed when the workstation connects to the company network. To set up this deployment, you must first retrieve the msi package.

Since the SN SSL VPN Client is not a multi-user application, you must set its installation policy in the User configuration tree of the domain controller: Group Policy Management editor > Default Domain Policy > User configuration > Policies > Software settings > Software installation.

To make it easier for users to connect to the SSL VPN, you can fill in the Firewall address field in the connection window of the SN SSL VPN Client by changing the value of the registry key HKEY_CURRENT_USER\Software\STORMSHIELD\SSL VPN Client\address.
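One way to pre-fill this field from a per-user logon script, shown as an added example that is not Stormshield code. It assumes `address` is a string (REG_SZ) value under the `SSL VPN Client` key, uses `vpn.example.com:8443` as a placeholder, and accepts the `address:port` form this page describes for a non-default captive portal port. `Test-FirewallAddress` is a hypothetical helper.

```powershell
# Added example: per-user logon script that pre-fills the "Firewall address" field.
# Assumptions: the value is named "address" and stored as a string (REG_SZ);
# vpn.example.com:8443 is a placeholder for your firewall's captive portal.
$FirewallAddress = 'vpn.example.com:8443'
$KeyPath = 'HKCU:\Software\STORMSHIELD\SSL VPN Client'

function Test-FirewallAddress {
    param([Parameter(Mandatory)][string]$Address)
    # Accept host or host:port, where host is an FQDN or an IPv4 address.
    $pattern = '^(?<host>[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?)(:(?<port>\d{1,5}))?$'
    if ($Address -match $pattern) {
        if ($Matches['port']) {
            $port = [int]$Matches['port']
            if ($port -lt 1 -or $port -gt 65535) { return $false }
        }
        return $true
    }
    return $false
}

# Reject typos before they reach every user's connection window.
if (-not (Test-FirewallAddress -Address $FirewallAddress)) {
    throw "Refusing to write malformed firewall address: '$FirewallAddress'"
}

# Create the key on first logon, before the client has ever been started.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Write only when the value differs, so the script stays idempotent.
$current = (Get-ItemProperty -Path $KeyPath -Name 'address' -ErrorAction SilentlyContinue).address
if ($current -ne $FirewallAddress) {
    Set-ItemProperty -Path $KeyPath -Name 'address' -Value $FirewallAddress -Type String
    Write-Output "address set to $FirewallAddress (was: '$current')"
} else {
    Write-Output 'address already up to date'
}
```

Because the key is under HKEY_CURRENT_USER, the script has to run in the user's session (for example as a logon script in the same User configuration policy), not as SYSTEM.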

Configuring the SN SSL VPN Client

There are several connection modes that the SN SSL VPN Client can use. Refer to the section Specific characteristics of Stormshield SSL VPN clients to check the compatibility of the modes with multifactor authentication.

Configuring Automatic mode

In Automatic mode, the SN SSL VPN Client automatically retrieves the VPN configuration after authenticating the user and validating permission to use the SSL VPN.

  1. Right-click on the SN SSL VPN Client icon in the Windows system tray.

  2. Click on Automatic mode to use this mode.

To enter connection information and set up SSL VPN tunnels, continue to the section Setting up SSL VPN tunnels with SN SSL VPN Client. You can also enter connection information in the address book (see following section).

Configuring the address book (Automatic mode required)

The SN SSL VPN Client has an address book with which it memorizes addresses for the user profile (firewall address, login and password). Automatic mode must be enabled in order to use the address book.

Opening the address book

  1. Right-click on the SN SSL VPN Client icon in the Windows system tray.

  2. Click on Address book.

  3. If the address book is protected by a password, enter it to open the address book. If it is not, you can protect access to the address book by using the options Protect the address book with a password and Modify password.

Address book window

Adding or changing an address in the address book

  1. Click on Add to add a new address. To change an existing address, select it and click on Edit.

  2. In the Name field, assign a name to the address.

  3. In the Firewall address field, indicate the address of the SNS firewall (IP or FQDN) to reach in order to set up the SSL VPN tunnel. If the port of the firewall’s captive portal is different from the default port (TCP/443), enter the address and listening port separated by a colon (address:port).

  4. In the User name field, enter the user’s login.

  5. In the Password and Confirm fields, enter the user’s password. Leave these fields empty if an OTP only or Push mode multifactor authentication is used for the connection to the SSL VPN.

  6. In the Description field, provide a description of the address if necessary.

  7. Select OTP if a multifactor authentication method is used for the connection to the SSL VPN.

  8. Click on OK.

Window to add a connection profile to the address book

Once configuration is complete, go to Setting up an SSL VPN tunnel with SN SSL VPN Client.

Configuring Manual mode

In Manual mode, import the configuration components (CA, certificate, private key, etc.) that the SN SSL VPN Client must use, compiled in an .ovpn file. Automatic mode must be disabled in order to use this mode.

  1. To retrieve the .ovpn file:

    • From the captive portal of the SNS firewall that hosts the SSL VPN service.
      Authenticate on https://firewall_IPaddress/auth, and in the Personal data tab, click on SSL VPN profile for mobile OpenVPN Connect clients (single .ovpn file).

    • From the SNS firewall's administration interface.
      Go to Configuration > VPN > SSL VPN > Advanced configuration, and click on Export the configuration file.

  2. Right-click on the SN SSL VPN Client icon in the Windows system tray and click on Manual mode > Add a profile.

  3. Select the .ovpn file.

  4. Assign a name to the connection profile.

  5. Click on OK.

Once configuration is complete, go to Setting up an SSL VPN tunnel with SN SSL VPN Client.
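Because the .ovpn file carries a private key, it is worth inspecting before import. The following is an added example, not Stormshield code: it reports which components a profile embeds, which gateway it points to, and whether broad Windows groups can read the file. It assumes the components are stored as OpenVPN inline blocks (`<ca>`, `<cert>`, `<key>`); `Get-OvpnSummary` and the sample profile are constructed for illustration.

```powershell
# Added example, not Stormshield code. Assumes the exported profile embeds its
# components as OpenVPN inline blocks (<ca>, <cert>, <key>).
function Get-OvpnSummary {
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -LiteralPath $Path -Raw
    $result = [ordered]@{ Path = $Path }
    foreach ($tag in 'ca', 'cert', 'key') {
        # An inline block is <tag> ... </tag>, each tag alone on its line.
        $pattern = '(?ms)^\s*<{0}>\s*$.*?^\s*</{0}>\s*$' -f $tag
        $result["Has_$tag"] = [regex]::IsMatch($text, $pattern)
    }
    # "remote <host> [port]" lines name the gateway the tunnel will connect to.
    $remoteRx = '(?m)^[ \t]*remote[ \t]+(\S+)(?:[ \t]+(\d+))?'
    $result['Remotes'] = @([regex]::Matches($text, $remoteRx) |
        ForEach-Object { ('{0} {1}' -f $_.Groups[1].Value, $_.Groups[2].Value).Trim() })
    # Allow rules for Everyone, Authenticated Users or Users expose the embedded key.
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $result['BroadReaders'] = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -in $broad
    } | ForEach-Object { $_.IdentityReference.Value })
    New-Object psobject -Property $result
}

# Constructed sample profile (placeholder material, not a real certificate or key).
$sample = @'
client
remote vpn.example.com 443
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder)
-----END PRIVATE KEY-----
</key>
'@
$tmp = Join-Path $env:TEMP 'sample-constructed.ovpn'
Set-Content -LiteralPath $tmp -Value $sample -Encoding Ascii
Get-OvpnSummary -Path $tmp | Format-List
Remove-Item -LiteralPath $tmp
```

A non-empty `BroadReaders` on a real profile means other local accounts can read the key; keep the file in the user's own profile and delete the downloaded copy once the import is done.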