Enabling and configuring the SSL VPN service

To enable the SSL VPN service on the SNS firewall:

  1. Go to Configuration > VPN > SSL VPN.

  2. Set the status cursor to ON.

Several sections are available for the configuration of the SNS firewall’s SSL VPN service.

Network settings section

  1. In the UTM IP address (or FQDN) used field, indicate the IP address that users must use to reach the SNS firewall to set up SSL VPN tunnels.

    • If you enter an IP address, it must be public, and therefore accessible over the Internet,

    • If you enter an FQDN (e.g., ssl.company.tld), it must be declared on the DNS servers that the client device uses when it is outside the corporate network. If you have a dynamic public IP address, you can use the services of a provider such as DynDNS or No-IP. In this case, configure this FQDN on the SNS firewall in Configuration > Network > Dynamic DNS.

  2. In the Available networks or hosts field, select the object representing the networks or hosts that will be reached through the SSL VPN tunnel. This object makes it possible to automatically set on the client device the routes needed to reach resources that can be accessed via the VPN.

    You will need to set filter rules to more granularly allow or prohibit traffic between remote clients and internal resources. You may also need to set static routes for access to the network assigned to VPN clients on corporate network devices located between the SNS firewall and the internal resources provided.

  3. In Network assigned to clients (UDP) and Network assigned to clients (TCP), select the object corresponding to the network that will be assigned to VPN clients. The network mask must not be smaller than /29 for SNS versions 3.x or 4.2 and below, or /28 for SNS versions 4.3 and above.

    You can assign different networks to VPN clients in UDP and TCP. The VPN client will always choose the UDP network first for better performance.

    As for the network or sub-networks:

    • Choose a network dedicated to SSL VPN clients that does not overlap any existing internal network or any network declared by a static route on the SNS firewall. Since the interface used for the SSL VPN is protected, the SNS firewall would otherwise detect an IP spoofing attempt and block the corresponding traffic,
    • Choose seldom-used sub-networks (e.g., 10.60.77.0/24) to prevent routing conflicts on client devices during the connection to the SSL VPN. Many filtered Internet access networks (public Wi-Fi, hotels, etc.) or private local networks already use the first few reserved address ranges.

  4. The maximum number of simultaneous tunnels allowed will appear automatically. This number corresponds to the minimum value between the maximum number of tunnels allowed on the SNS firewall (see Operation and limitations) and the number of sub-networks available for VPN clients. Depending on the SNS version, the number of sub-networks is:

    • 3.x or 4.2 and below: a quarter of the number of IP addresses, minus 1. An SSL VPN tunnel consumes 4 IP addresses, and the server reserves 1 sub-network for its own use.

    • 4.3 and higher: a quarter of the number of IP addresses, minus 2. An SSL VPN tunnel takes up 4 IP addresses, and the server reserves 2 sub-networks for its own use.

DNS settings sent to client section

  1. In the Domain name field, enter the domain name assigned to the SSL VPN clients so that they can resolve their host names.
  2. In the Primary DNS server and Secondary DNS server fields, select the object representing the DNS server to be assigned.

Advanced properties section

  1. In the UTM IP address for the SSL VPN (UDP) field, select the object representing the IP address used for setting up SSL VPN tunnels (UDP). By default, the SSL VPN service listens on all of the SNS firewall's IP addresses. Setting this field is especially useful in one of the following cases:
    • The IP address used for setting up the SSL VPN tunnels (UDP) is not the main IP address of the external interface.

    • The IP address used for setting up the SSL VPN tunnels (UDP) belongs to an external interface that is not linked to the default gateway of the firewall.

  2. In the Port (UDP) and Port (TCP) fields, you can modify the listening ports of the SSL VPN service. Some ports are reserved for the SNS firewall’s internal use only and cannot be selected. If you change any of the default ports, the SSL VPN could become inaccessible from networks (hotels or public WiFi) on which Internet access is filtered. On 4.3 versions and higher, port 443 is the only port below 1024 that can be used.

  3. In the Interval before key renegotiation (seconds) field, you can change the length of time after which the keys used by the encryption algorithms will be renegotiated. The default value is 4 hours (14400 seconds). This operation is transparent for the user - the active tunnel will not be disrupted during renegotiation.
  4. When Use DNS servers provided by the firewall is selected, the SSL VPN client will save the DNS servers retrieved via the SSL VPN in the workstation’s network configuration (Windows only). If DNS servers are already defined on the workstation, they may be queried.
  5. When Prohibit use of third-party DNS servers is selected, the SSL VPN client will exclude DNS servers already defined in the workstation's configuration (Windows only). Only DNS servers sent by the SNS firewall can be queried.

Scripts to run on the client

On Windows workstations, SN SSL VPN Client can run .bat scripts when a VPN tunnel is opened or closed. In these scripts, you can use:

  • Windows environment variables (%USERDOMAIN%, %SystemRoot%, etc.),

  • Variables relating to the SSL VPN tunnel: %NS_USERNAME% (user name used for authentication) and %NS_ADDRESS% (IP address assigned to the SSL VPN client).

Example of a script to connect the Z: network drive to the \\myserver\myshare network share:

NET USE Z: \\myserver\myshare

Example of a script to disconnect the Z: network drive from the \\myserver\myshare network share:

NET USE Z: /delete
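As an added example that is not part of the Stormshield documentation, the following on-connect script combines the tunnel variables above with logging and error handling, so that a failed mapping or a script run outside the VPN client is recorded rather than silently ignored; the log file path, the server name and the share name are assumed placeholders.

```batch
@echo off
REM Added example, not from the Stormshield documentation.
REM Run by SN SSL VPN Client when the tunnel opens; %NS_USERNAME% and
REM %NS_ADDRESS% are set by the client. Log path, server and share are assumed.
set "LOGFILE=%TEMP%\sslvpn-client.log"
set "SHARE=\\myserver\myshare"

REM Refuse to run outside the VPN client (tunnel variables absent)
if "%NS_ADDRESS%"=="" (
    echo %DATE% %TIME% ERROR tunnel variables missing, not run by the VPN client>>"%LOGFILE%"
    exit /b 1
)

echo %DATE% %TIME% CONNECT user=%NS_USERNAME% address=%NS_ADDRESS%>>"%LOGFILE%"

REM Drop any stale Z: mapping left by a previous session before re-mapping
net use Z: /delete /y >nul 2>&1

REM Map the share with the current Windows session credentials; /persistent:no
REM prevents Windows from restoring the mapping at next logon while the tunnel is down
net use Z: "%SHARE%" /persistent:no >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% ERROR net use failed for user=%NS_USERNAME%>>"%LOGFILE%"
    exit /b 1
)
echo %DATE% %TIME% MAPPED Z: to %SHARE%>>"%LOGFILE%"
exit /b 0
```

The matching on-disconnect script only needs the NET USE Z: /delete line shown above, optionally followed by the same echo line to log the DISCONNECT event.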

Certificates used

Select the certificates that the SNS firewall’s SSL VPN service and the SSL VPN client must present to set up a tunnel. The default suggestions are the certification authority dedicated to the SSL VPN, and a server certificate and a client certificate created when the firewall was initialized.

If you use your own certification authority, you must create a client identity and a server identity. If this CA is not the root authority, both peer certificates have to be issued from the same sub-authority.

On firewalls that are equipped with a TPM and are in SNS version 4.7 and higher:

  • You can select a server certificate with a TPM-protected private key. The icon indicates certificates with a TPM-protected private key,
  • Client certificates with a TPM-protected private key cannot be selected as the private keys of such certificates must be available in plaintext (unencrypted) in the VPN configuration that is distributed to VPN clients.

For more information on the TPM protection of private keys in the firewall's certificates and on the configuration of such certificates in the firewall's modules, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.

Configuration

The Export the configuration file button exports the SSL VPN configuration in .ovpn format.