Configuring the SSL VPN service

This section explains how to enable the SSL VPN service in order for its general settings to be configured. In the case of zero trust network access (ZTNA), this section also explains how to configure a policy verifying the compliance of client workstations and users.

Go to Configuration > VPN > SSL VPN.

Enabling the SSL VPN service

Set the status cursor to ON to enable the SSL VPN service.

In SNS version 4.8 and higher, two tabs allow you to respectively configure general SSL VPN service settings, and the policy verifying the compliance of client workstations (in ZTNA).

Screen showing SSL VPN activation on an SNS firewall in version 4

Configuring the general settings of the service

Several sections are available. Edit the configuration based on the information given below.

Network settings section

Field Description
UTM IP address (or FQDN) used

Indicate the IP address that users must use to reach the SNS firewall to set up SSL VPN tunnels.

  • For IP addresses: they must be public, and therefore accessible over the Internet,

  • For FQDNs (e.g., ssl.company.tld): they must be declared on the DNS servers that the workstation uses when it is outside the corporate network.
    If you have a dynamic public IP address, you can use the services of a provider such as DynDNS or No-IP. In this case, configure this FQDN in the module Configuration > Network > Dynamic DNS.
Available networks or hosts

Select the object representing the networks or hosts that will be reached through the VPN tunnel. This object makes it possible to automatically set on the workstation the routes needed to reach resources that can be accessed via the VPN.

 

You will need to set filter rules to more granularly allow or prohibit traffic between remote workstations and internal resources. You may also need to set static routes for access to the network assigned to VPN clients on corporate network devices located between the SNS firewall and the internal resources provided.
Network assigned to clients (UDP)

 

Network assigned to clients (TCP)

Select the object corresponding to the network that will be assigned to VPN clients in UDP and TCP. While you can assign a different network, the VPN client will always choose the UDP network first to ensure better performance.

 

Choosing the network or sub-networks:

  • The network mask must not be smaller than /28,
  • The network dedicated to VPN clients must not belong to any existing internal networks, or networks declared by a static route on the firewall. Since the interface used for the SSL VPN is protected, the firewall would then detect an IP spoofing attempt and block the corresponding traffic,
  • To avoid routing conflicts, select less commonly used sub-networks (such as 10.60.77.0/24) as many filtered Internet access networks (public Wi-Fi, hotels, etc) or private local networks already use the first few reserved address ranges.
Maximum number of simultaneous tunnels allowed

The number appears automatically, and corresponds to the lowest value between:

  • The maximum number of tunnels allowed on the SNS firewall (see Requirements),
  • The number of sub-networks available for VPN clients. This represents 1/4 of the IP addresses, minus 2. An SSL VPN tunnel takes up 4 IP addresses and the server reserves 2 sub-networks for its own use.

DNS settings sent to client section

Field Description
Domain name Enter the domain name assigned to the SSL VPN clients so that they can resolve their host names.

Primary DNS server

Secondary DNS server

Select the object representing the DNS server to be assigned.

Advanced properties section

Field Description
UTM IP address for the SSL VPN (UDP)

In either of the following cases, you need to select the object representing the IP address used for setting up UDP SSL VPN tunnels:

  • The IP address used for setting up the SSL VPN tunnels (UDP) is not the main IP address of the external interface.

  • The IP address used for setting up the SSL VPN tunnels (UDP) belongs to an external interface that is not linked to the default gateway of the firewall.
Port (UDP)

 

Port (TCP)

The listening ports of the SSL VPN service can be changed. Note:

  • Some ports are reserved for the SNS firewall’s internal use only and cannot be selected,
  • Port 443 is the only port below 1024 that can be used,
  • If you change any of the default ports, the SSL VPN could become inaccessible from networks (hotels or public WiFi) on which Internet access is filtered.
Interval before key renegotiation (seconds)

You can change the length of time (14400 seconds by default, or 4 hours) after which the keys used by the encryption algorithms will be renegotiated. During this operation:

  • The SSL VPN tunnel will not respond for several seconds,
  • If multifactor authentication is used, the user will need to enter a new OTP, or approve the new connection on the third-party application (in push mode), in order to stay connected. It would be helpful to set an interval that corresponds to the average length of a workday, such as 28800 seconds (8 hours).
Use DNS servers provided by the firewall

You can instruct VPN clients to include the DNS servers retrieved via the SSL VPN in the workstation's (Windows only) network configuration. If DNS servers are already defined on the workstation, they may be queried.
Prohibit use of third-party DNS servers

You can instruct VPN clients to exclude the DNS servers that have already been defined in the workstation's (Windows only) configuration. Only DNS servers sent by the SNS firewall can be queried.

Scripts to run on the client

In Windows, the Stormshield SSL VPN client can run .bat scripts when an SSL VPN tunnel is opened or closed. In these scripts, you can use:

  • Windows environment variables (%USERDOMAIN%, %SystemRoot%, etc.),

  • Variables relating to the Stormshield SSL VPN client: %NS_USERNAME% (user name used for authentication) and %NS_ADDRESS% (IP address assigned to the SSL VPN client).

Field Description
Script to run when connecting

Select the script to run when the VPN tunnel is opened. Example of a script that makes it possible to connect the Z: network drive to the shared network:

NET USE Z: \\myserver\myshare
Script to run when disconnecting

Select the script to run when the VPN tunnel is closed. Example of a script that makes it possible to disconnect the Z: network drive from a shared network:

NET USE Z: /delete

Used certificates

Select the certificates that the SNS firewall’s SSL VPN service and the Stormshield SSL VPN client must present to set up a tunnel. They must be issued from the same certification authority. The default suggestions are the certification authority dedicated to the SSL VPN, and a server certificate and a client certificate created when the firewall was initialized.

Field Description
Server certificate

Select the desired certificate. The icon indicates certificates with a TPM-protected private key. For more information, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.
Client certificate Select the desired certificate. Client certificates with a TPM-protected private key cannot be selected as the private keys of such certificates must be available in plaintext (unencrypted) in the VPN configuration that is distributed to VPN clients.

Configuration

Field Description
Export the configuration file

Click on this button to export the SSL VPN configuration in .ovpn format.

Configuring the policy verifying the compliance of client workstations (in ZTNA)

When ZTNA is used, in the Client workstation verification (ZTNA) tab. you need to set a policy to verify the compliance of client workstations and users. When it is enabled, workstations or users that do not comply with the criteria in the policy will not be able to set up SSL VPN tunnels with the SNS firewall.

This use case requires an SNS firewall in version 4.8 or higher, and the Stormshield SSL VPN client in version 4.0 or higher on each workstation in the corporate network.

Screen showing the policy verifying the compliance of client workstations on an SNS firewall in version 4

Edit the configuration based on the information given below.

Field Description
Enable client workstation verification (ZTNA)

Select the checkbox to enable verification of client workstation and user compliance. When it is enabled:

  • Compatible SSL VPN clients can set up SSL VPN tunnels with the firewall only if all the criteria defined in the policy have been met,

  • Incompatible SSL VPN clients cannot set up SSL VPN tunnels with the firewall, unless permissive mode has been enabled (see below).
Allow tunnels to be set up for clients that are not compatible with ZTNA

Select the checkbox to enable permissive mode, which allows SSL VPN clients that are incompatible with the client workstation verification feature to set up SSL VPN tunnels with the SNS firewall. With this permissive mode, it is possible to:

  • Progressively update a pool of Stormshield SSL VPN clients to a compatible version,
  • Continue using other SSL VPN clients on operating systems that are not compatible with the Stormshield SSL VPN client.

Client workstation and user verification settings section

Select at least one criterion to verify client workstations and users.

Field/Criterion Description
Client workstation antivirus enabled and up to date

The workstation must be equipped with an active antivirus program with the latest antivirus database updates. This information is based on the status of the antivirus recognized by the Windows Security center. Third-party antiviruses are therefore supported as long as the Windows Security center recognizes their status.
Active firewall on the client workstation

The Windows firewall must be running on the workstation, and the domain network, private network and public network profiles must be enabled. If a profile is disabled, the criterion will be considered non-compliant.
SES installed on the client workstation

In infrastructures that have deployed SES Evolution, the SES agent must be installed on the workstation. 

Do note that the configuration and status of the SES agent are not taken into account.
Prohibit users holding administration privileges on the client workstation

Users who hold administrator privileges on the workstation cannot set up SSL VPN tunnels with the firewall.
Check the Windows 10/Windows 11 versions (build number)

Workstations in Windows 10 or Windows 11 must be equipped with the Windows versions specified (build numbers) to set up an SSL VPN tunnel with the firewall. If this option is selected, you will be enabling the settings section of the required versions.

 

Windows 10 and Windows 11 tabs

  • Allow a version range: if this option is selected:
    • You have to specify the Minimum version that the workstation must run (by default 10000 for Windows 10 and 20000 for Windows 11),
    • You can specify the Maximum version that the workstation must run. Leave this field empty to allow all versions equal to or higher than the minimum specified version.
  • Allow only one version: if this option is selected, you have to specify the exact Windows version that the workstation must run.
Host connected to a domain tab

If you select Connect the host to a company domain, in the List of Active Directory domains grid, add the domains of the workstations that are allowed to set up SSL VPN tunnels with the firewall.

Do note that this criterion is not related to the configuration of directories on the firewall.
User connected to a domain tab

If you select Connect the user to a company domain, in the List of Active Directory domains grid, add the domains of the users that are allowed to set up SSL VPN tunnels with the firewall.

With this criterion, the user's full name, including the domain, will be verified. As such, even if the workstation is connected to a domain, local users on the workstation will not be able to set up SSL VPN tunnels with the firewall. Do note that this criterion is not related to the configuration of directories on the firewall.
Stormshield SSL VPN client version

Workstations must be equipped with the Stormshield SSL VPN client versions specified to set up an SSL VPN tunnel with the firewall. By selecting Check Stormshield SSL VPN client version, you will be enabling the settings section of the required versions.

  • Allow a version range: if this option is selected:
    • The Minimum version of the Stormshield SSL VPN client allowed (the minimum version allowed is 4.0.0) has to be specified,
    • The Maximum version of the Stormshield SSL VPN client allowed has to be specified. Leave this field empty to allow all versions equal to or higher than the minimum specified version.
  • Allow only one version: if this option is selected, you have to specify the exact version of the Stormshield SSL VPN client allowed (the lowest version allowed is 4.0.0).

Customized message section

If the SSL VPN tunnel setup process fails due to the non-compliance of the workstation or user, the Stormshield SSL VPN client will display the message "The connection was denied as the user or workstation used does not comply with the policy defined on the firewall", followed by an additional message in English, French and German.

In the text entry section, you can:

  • Edit the additional message to customize it. As automatic translation mechanisms have not been set up, you will need to have the message translated with your own means,
  • Delete the content if you do not wish to display an additional message.

You can reset the additional message by clicking on Go back to messages suggested by default.

Screen to customize the message indicating non-compliance with the client workstation verification policy on an SNS firewall in version 4