Configuring the SSL VPN service

Indicate the IP address that users must use to reach the SNS firewall in order to set up VPN tunnels. You can indicate either an IP address or FQDN.

• For IP addresses: they must be public, and therefore accessible over the Internet,

• For FQDNs: they must be declared on the DNS servers that the workstation uses when it is outside the corporate network. If you have a dynamic public IP address, you can use the services of a provider such as DynDNS or No-IP dynamic, and then configure this FQDN in the module Configuration > Network > Dynamic DNS.

Select the object representing the networks or hosts that will be reached through the VPN tunnel. This object makes it possible to automatically set on the workstation the routes needed to reach resources that can be accessed via the VPN.

You will need to set filter rules to more granularly allow or prohibit traffic between remote workstations and internal resources. You may also need to set static routes for access to the network assigned to VPN clients on corporate network devices located between the SNS firewall and the internal resources provided.

Select the object corresponding to the network that has been assigned to VPN clients in UDP and TCP. The network mask must not be smaller than /28. If you assign two networks, VPN client will always choose the UDP network first to ensure better performance. Choosing the network or sub-networks:

• The assigned network must not belong to any existing internal networks, or networks declared by a static route on the SNS firewall. Since the interface used for the SSL VPN is protected, the firewall would then detect an IP spoofing attempt and block the corresponding traffic.
• To avoid routing conflicts, select less commonly used sub-networks (such as 10.60.77.0/24) as many filtered Internet access networks (public Wi-Fi, hotels, etc) or private local networks already use the first few reserved address ranges.
• On SNS in version 5, if you are using TCP-based SSL VPN tunnels, ensure that the DCO kernel acceleration feature is disabled in the Advanced properties section. Otherwise, the performance of such tunnels will be downgraded.

On SNS in version 5, select the checkbox to enable the DCO (Data Channel Offload) kernel acceleration feature. This option is enabled by default in factory configuration. On SNS in version 4, this feature is not available.

This feature transfers the encryption/decryption of data packets passing through SSL VPN tunnels to the operating system kernel. This increases the performance of UDP-based tunnels and enables the SSL VPN service to process the setup of many more UDP tunnels.

However, this feature is not compatible with TCP-based tunnels, and downgrades their performance. Ensure that you disable it if you are using such tunnels.

NOTE
When the checkbox is selected, if the encryption suite used by the SSL VPN service is incompatible with the DCO kernel acceleration feature, a window appears, encouraging you to use the AES-256-GCM encryption suite. Accept the change to enable the feature.

In either of the following cases, you need to select the object representing the IP address used for setting up UDP SSL VPN tunnels:

• The IP address used for setting up the SSL VPN tunnels (UDP) is not the main IP address of the external interface.

• The IP address used for setting up the SSL VPN tunnels (UDP) belongs to an external interface that is not linked to the default gateway of the firewall.

The listening ports of the SSL VPN service can be changed. Note:

• Some ports are reserved for the SNS firewall’s internal use only and cannot be selected,
• Port 443 is the only port below 1024 that can be used,
• If you change any of the default ports, the SSL VPN could become inaccessible from networks (hotels or public WiFi) on which Internet access is filtered.

You can change the length of time (14400 seconds by default, or 4 hours) after which the keys used by the encryption algorithms will be renegotiated. During this operation:

• The SSL VPN tunnel will not respond for several seconds,
• If multifactor authentication is used, the user will need to enter a new OTP, or approve the new connection on the third-party application (in push mode), in order to stay connected. It would be helpful to set an interval that corresponds to the average length of a workday, such as 28800 seconds (8 hours).

You can instruct VPN clients to include the DNS servers retrieved via the SSL VPN in the workstation's (Windows only) network configuration. If DNS servers are already defined on the workstation, they may be queried.

Select the script to run when the VPN tunnel is opened. Example of a script that makes it possible to connect the Z: network drive to the shared network:

NET USE Z: \\myserver\myshare

Select the desired certificate. The icon indicates certificates with a TPM-protected private key. For more information, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.