Enabling and configuring the SSL VPN service
Enabling the SSL VPN service
Go to Configuration > VPN > SSL VPN and set the status cursor to ON.
Configuring the SSL VPN service
Network settings section
In the UTM IP address (or FQDN) used field: indicate the public IP address or the FQDN that client devices must use to reach the SNS firewall when setting up SSL VPN tunnels.
If you enter an IP address: it must be public, and therefore accessible over the Internet,
If you enter an FQDN (e.g., ssl.company.tld): it must be declared on the DNS servers that the client device uses when it is outside the corporate network. If you have a dynamic public IP address, you can use the services of a provider such as DynDNS or No-IP. In this case, configure this FQDN on the SNS firewall in Configuration > Network > Dynamic DNS.
In the Available networks or hosts field: select the object (e.g., network, host or group) representing the networks or hosts that will be reached through the SSL VPN tunnel.
The selected object is used to push to the client device the routes it needs to reach the resources accessible through the SSL VPN. Pushing a route does not grant access: you still need filter rules to allow or block, with the required granularity, traffic between remote clients coming from an SSL VPN tunnel and internal resources.
In Network assigned to clients (UDP) and Network assigned to clients (TCP): select the objects corresponding to the networks that will be assigned to SSL VPN clients connecting in UDP and in TCP respectively:
The two networks must be different: one is assigned to clients connecting in UDP, the other to clients connecting in TCP. The SSL VPN client tries the UDP network first, which gives better performance,
- Choose a network dedicated to SSL VPN clients that neither belongs to an existing internal network nor is declared by a static route on the SNS firewall. The SSL VPN interface is a protected interface: if the client network overlapped an internal network or a static route, the SNS firewall would treat the clients' traffic as an IP spoofing attempt and block it,
- Choose seldom-used sub-networks (e.g., 10.60.77.0/24) to avoid routing conflicts on client devices when they connect to the SSL VPN. Many filtered Internet access networks (public Wi-Fi, hotels, etc.) and private home networks already use the first private address ranges (192.168.0.0/24, 192.168.1.0/24 and similar).
The network object must be at least a /28 (16 addresses) for SNS versions 4.3 and above, or at least a /29 (8 addresses) for SNS versions 4.2 and lower; a longer prefix (smaller network) is not accepted.
The maximum number of simultaneous tunnels allowed is calculated automatically and corresponds to the lower of the two following values:
- The maximum number of tunnels allowed on the SNS firewall (see Requirements),
- The number of sub-networks available for SSL VPN clients: a quarter of the number of IP addresses in the network, minus two for a network in /28 or minus one for a network in /29. Each SSL VPN tunnel consumes four IP addresses (one /30 sub-network), and the server reserves for its own use two such sub-networks in a /28 network or one in a /29 network. A /28 (16 addresses) therefore allows 16/4 - 2 = 2 simultaneous tunnels and a /29 (8 addresses) allows 8/4 - 1 = 1.
If there are corporate network devices (routers, layer-3 switches) located between the SNS firewall and the internal resources provided, you may need to add static routes on those devices so that traffic destined for the network assigned to SSL VPN clients is sent back to the SNS firewall.
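The following Python script is an added example (not Stormshield code and not part of the SNS documentation) that checks a candidate pair of client networks against the rules above before you commit them in the interface: it validates the minimum network size for the SNS version, rejects pools that collide with internal networks or static routes (which the firewall would treat as IP spoofing), flags pools inside address ranges that public Wi-Fi and home routers commonly use, and applies the page's capacity formula. The internal networks, static routes and list of common LAN ranges are constructed sample data; applying the two-sub-network reserve to networks larger than /28 is an assumption, since the page only states the rule for /28 and /29.

```python
"""Pre-deployment check of the networks assigned to SSL VPN clients.

Added example, not part of the SNS documentation or Stormshield code.
Capacity rule from the page: a tunnel uses four addresses (one /30); the
server keeps two /30 sub-networks in a /28 and one in a /29. Applying the
two-sub-network reserve to networks larger than /28 is an assumption.
"""
from ipaddress import IPv4Network
from typing import List, Tuple

# Constructed list of ranges that public Wi-Fi, hotels and home routers commonly
# hand out; a client pool inside one of these risks a routing conflict on the client.
COMMON_LAN_RANGES = [IPv4Network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24", "172.16.0.0/24")]


def min_prefix(sns_version: Tuple[int, int]) -> int:
    """Smallest client network allowed: /28 on SNS 4.3 and above, /29 below."""
    return 28 if sns_version >= (4, 3) else 29


def max_tunnels(pool: str, firewall_limit: int) -> int:
    """Simultaneous tunnels the pool can carry, capped by the firewall's own limit."""
    net = IPv4Network(pool)
    client_subnets = net.num_addresses // 4        # one /30 per tunnel
    reserved = 1 if net.prefixlen == 29 else 2     # kept by the server (assumption above /28)
    return min(firewall_limit, max(0, client_subnets - reserved))


def check_pools(udp: str, tcp: str, internal: List[str], static_routes: List[str],
                firewall_limit: int, sns_version: Tuple[int, int] = (4, 3)) -> List[str]:
    """Return the list of problems found; an empty list means the pools look usable."""
    udp_net, tcp_net = IPv4Network(udp), IPv4Network(tcp)
    problems: List[str] = []

    # The UDP and TCP pools must be two different networks (overlap is rejected as well).
    if udp_net.overlaps(tcp_net):
        problems.append(f"UDP pool {udp_net} and TCP pool {tcp_net} must be different networks")

    known = [IPv4Network(n) for n in internal + static_routes]
    smallest = min_prefix(sns_version)
    for label, pool in (("UDP", udp_net), ("TCP", tcp_net)):
        if pool.prefixlen > smallest:
            problems.append(f"{label} pool {pool} is smaller than the /{smallest} minimum")
        # A pool that is also an internal network or a static route makes the firewall
        # see client traffic as IP spoofing on the protected SSL VPN interface.
        for net in known:
            if pool.overlaps(net):
                problems.append(f"{label} pool {pool} overlaps {net} (internal network or static route)")
        for net in COMMON_LAN_RANGES:
            if pool.overlaps(net):
                problems.append(f"{label} pool {pool} overlaps commonly used LAN range {net}")
    return problems


def capacity_report(udp: str, tcp: str, firewall_limit: int) -> dict:
    """Tunnel capacity per pool, for sizing the networks against the expected user count."""
    return {label: max_tunnels(pool, firewall_limit)
            for label, pool in (("UDP", udp), ("TCP", tcp))}


if __name__ == "__main__":
    # Constructed sample: two internal LANs, one static route, two candidate pools.
    internal_networks = ["192.168.10.0/24", "10.10.0.0/16"]
    routes = ["10.20.0.0/16"]
    for problem in check_pools("10.60.77.0/24", "10.60.78.0/24", internal_networks, routes, 500):
        print("PROBLEM:", problem)
    print(capacity_report("10.60.77.0/24", "10.60.78.0/24", 500))
```

Run it with the pools you intend to configure, the networks declared on the firewall's internal interfaces and its static routes; any line printed is something the interface will reject or that will bite you after the first connection from a hotel network.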
DNS settings sent to client section
- In the Domain name field: enter the DNS domain name sent to SSL VPN clients, which they will use as the suffix when resolving unqualified host names.
- In the Primary DNS server and Secondary DNS server fields: select the object representing the DNS server to be assigned.
Advanced properties section
- In the UTM IP address for the SSL VPN (UDP) field: select the object representing the IP address on which the SSL VPN service listens for UDP tunnels, if it is not the main IP address of the external interface, or if it belongs to an external interface that is not the one linked to the SNS firewall's default gateway.
- In the Port (UDP) and Port (TCP) fields: indicate the listening ports of the SSL VPN service for UDP and for TCP. Default ports are suggested in the selection area. Some ports are reserved for the SNS firewall's internal use only and cannot be selected.
If you change either of the default ports, the SSL VPN may become unreachable from networks (hotels, public Wi-Fi, etc.) on which outbound Internet access is filtered by port.
- In the Interval before key renegotiation (seconds) field: you can change the length of time after which the keys used by the encryption algorithms will be renegotiated. The default value is 4 hours (14400 seconds). This operation is transparent for the user - the active tunnel will not be disrupted during renegotiation.
- When Use DNS servers provided by the firewall is selected, the SSL VPN client writes the DNS servers received through the SSL VPN into the workstation's network configuration (Windows only). DNS servers already defined on the workstation remain configured and may still be queried, so name resolution for internal resources is not guaranteed to go through the firewall's DNS servers.
- When Prohibit use of third-party DNS servers is selected, the SSL VPN client excludes the DNS servers already defined in the workstation's configuration (Windows only). Only the DNS servers sent by the SNS firewall can then be queried.
Scripts to run on the client
The SN SSL VPN Client can run .bat scripts on Windows workstations when it connects to and when it disconnects from the SNS firewall. Windows environment variables such as %USERDOMAIN% and %SystemRoot% can be used in these scripts, as well as two variables specific to the SSL VPN tunnel:
%NS_USERNAME%: represents the user name used for authentication,
%NS_ADDRESS%: represents the IP address assigned to the SSL VPN client.
The following are example scripts that you can adapt to your requirements.
Connection script that maps the Z: network drive to the \\myserver\myshare share:
NET USE Z: \\myserver\myshare
Disconnection script that removes the Z: network drive mapping:
NET USE Z: /delete
Used certificates section
Select the certificates that the SNS firewall's SSL VPN service and the SSL VPN client must present to each other to set up a tunnel. The default suggestions are the certification authority dedicated to the SSL VPN, and a server certificate and a client certificate created when the firewall was initialized.
If you use your own certification authority, you must create a client identity and a server identity. If this CA is not a root authority, both certificates have to be issued by the same sub-authority; you can confirm this by comparing the issuer field of the two certificates before selecting them.
The Export the configuration file button exports the SSL VPN configuration as a .ovpn file (OpenVPN profile format).