Configuring the SSL VPN service

This section explains how to enable and configure the SSL VPN service.

Go to Configuration > VPN > SSL VPN.

[Screenshot: SSL VPN activation on an SNS firewall in version 4]

NOTE
As of SNS version 4.8.5, if the LZ4 compression feature in the SSL VPN service is enabled, a warning message will automatically appear when the module opens, encouraging you to disable the feature. This scenario is described in the section Troubleshooting.

Enabling the SSL VPN service

Field Description

Enable SSL VPN
Set the selector to ON to enable the SSL VPN service.

Configuring the general settings of the SSL VPN service

On SNS in versions 4.8 and higher, these settings can be configured in the General settings tab. On SNS 4.3 LTSB versions, there is no tab.

Field Description

Enable client workstation verification (ZTNA)

On SNS in version 5, set the selector to ON to enable the verification of client workstation compliance. When it is enabled:

  • Compatible SSL VPN clients can set up SSL VPN tunnels with the firewall only if all the criteria defined in the policy have been met,

  • Incompatible SSL VPN clients cannot set up SSL VPN tunnels with the firewall, unless permissive mode has been enabled.

On SNS 4.8 versions, the verification can be enabled in the Client workstation verification (ZTNA) tab (see Configuring client workstation verification (ZTNA)). On SNS 4.3 LTSB versions, this feature is not available.

Network settings section

Field Description
Public IP address (or FQDN) of the UTM used

Indicate the address that VPN clients must use to reach the SNS firewall in order to set up VPN tunnels, either an IP address or an FQDN:

  • For IP addresses: they must be public, and therefore reachable over the Internet,

  • For FQDNs: they must be resolvable by the DNS servers that the workstation uses when it is outside the corporate network. If you have a dynamic public IP address, you can use a provider such as DynDNS or No-IP, and then configure this FQDN in the module Configuration > Network > Dynamic DNS.

Available networks or hosts

Select the object representing the networks or hosts that will be reached through the VPN tunnel. This object makes it possible to automatically push to the workstation the routes needed to reach the resources that can be accessed via the VPN.

You will need to set filter rules to allow or prohibit traffic between remote workstations and internal resources more granularly. On corporate network devices located between the SNS firewall and the internal resources, you may also need to add static routes to the network assigned to VPN clients.

Network assigned to clients (UDP)
Network assigned to clients (TCP)

Select the object corresponding to the network assigned to VPN clients in UDP and in TCP. The network must be at least a /28 (16 addresses). If you assign both networks, the VPN client will always try the UDP network first, as it offers better performance. When choosing the network or sub-networks:

  • The assigned network must not overlap any existing internal network, or any network declared by a static route on the SNS firewall. Since the interface used for the SSL VPN is protected, the firewall would otherwise treat the traffic as an IP spoofing attempt and block it.
  • To avoid routing conflicts, select a less commonly used sub-network (such as 10.60.77.0/24), as many filtered Internet access networks (public Wi-Fi, hotels, etc.) and private local networks already use the first few sub-networks of the private address ranges (192.168.0.0/24, 192.168.1.0/24, 10.0.0.0/24, etc.).
  • On SNS in version 5, if you are using TCP-based SSL VPN tunnels, ensure that the DCO kernel acceleration feature is disabled in the Advanced properties section. Otherwise, the performance of such tunnels will be degraded.
Maximum number of simultaneous tunnels allowed

The number appears automatically. This number corresponds to the lowest value, either the number of tunnels allowed on the SNS firewall (see Requirements), or the number of sub-networks available for VPN clients. For sub-networks:

  • On SNS in version 5: this shows the total number of IP addresses, minus 3.
  • On SNS in version 4.3 LTSB and 4.8: this represents 1/4 of the IP addresses, minus 2. An SSL VPN tunnel takes up 4 IP addresses and the server reserves 2 sub-networks for its own use.
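The following script, an added example that is not Stormshield code, applies the rules above to a candidate client network before you commit it: it checks the /28 minimum, rejects any overlap with internal networks or static routes (which the protected interface would drop as IP spoofing), warns about commonly used ranges and about DCO with TCP tunnels, and computes the tunnel budget with the SNS 5 and SNS 4.3 LTSB / 4.8 formulas. The firewall_limit parameter stands in for the model-specific maximum described under Requirements, and the CROWDED list is an assumption; the networks passed in at the bottom are constructed.

```python
# Added example (not Stormshield code): validate the network chosen for
# SSL VPN clients and compute the tunnel budget it gives, following the
# rules above. 'firewall_limit' stands in for the model-specific maximum
# described under Requirements; the CROWDED list is an assumption.
import ipaddress

MIN_PREFIX = 28  # the client network must be at least a /28 (16 addresses)

# Assumption: subnets that home routers, hotels and public Wi-Fi commonly
# hand out; a client network inside one of them risks routing conflicts.
CROWDED = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24", "172.16.0.0/24")]


def max_tunnels(client_net, sns_major, firewall_limit):
    """Lowest of the firewall's own limit and the subnet's address budget:
    SNS 5 uses addresses - 3; SNS 4.3 LTSB and 4.8 use addresses / 4 - 2
    (each tunnel consumes 4 addresses, and the server keeps 2 sub-networks)."""
    net = ipaddress.ip_network(client_net, strict=True)
    if sns_major >= 5:
        by_subnet = net.num_addresses - 3
    else:
        by_subnet = net.num_addresses // 4 - 2
    return min(firewall_limit, by_subnet)


def check_client_network(client_net, internal_nets, static_route_nets=(),
                         sns_major=5, firewall_limit=500,
                         tcp_tunnels=False, dco_enabled=True):
    """Return a report dict. 'problems' block the configuration (the
    firewall would treat client traffic as IP spoofing, or the subnet is
    too small); 'warnings' are performance or conflict risks."""
    net = ipaddress.ip_network(client_net, strict=True)
    problems, warnings = [], []

    if net.prefixlen > MIN_PREFIX:
        problems.append(f"{net} is smaller than a /28")

    # Must not overlap an internal network or a static route: the SSL VPN
    # interface is protected, so such traffic is dropped as spoofed.
    for other in list(internal_nets) + list(static_route_nets):
        other_net = ipaddress.ip_network(other)
        if net.overlaps(other_net):
            problems.append(
                f"{net} overlaps {other_net} (would be seen as IP spoofing)")

    for crowded in CROWDED:
        if net.overlaps(crowded):
            warnings.append(f"{net} overlaps commonly used range {crowded}")

    # SNS 5 only: DCO speeds up UDP tunnels but degrades TCP ones.
    if sns_major >= 5 and tcp_tunnels and dco_enabled:
        warnings.append("TCP tunnels in use: disable DCO kernel acceleration")

    return {
        "ok": not problems,
        "problems": problems,
        "warnings": warnings,
        "max_tunnels": max_tunnels(client_net, sns_major, firewall_limit),
    }


if __name__ == "__main__":
    # Constructed example: the page's suggested 10.60.77.0/24 beside a LAN
    # and a static route to 10.0.0.0/8, which makes the two overlap.
    report = check_client_network("10.60.77.0/24", ["192.168.1.0/24"],
                                  static_route_nets=["10.0.0.0/8"],
                                  sns_major=4)
    print(report)
```

Run it against the firewall's actual interface networks and static routes before changing the SSL VPN module; the overlap check is the one that silently breaks tunnels, since the dropped traffic only shows up as IP spoofing alarms.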

DNS settings sent to client section

Field Description
Domain name
Enter the domain name assigned to the SSL VPN clients so that they can resolve their host names.

Primary DNS server
Secondary DNS server

Select the object representing the DNS server to be assigned.

Advanced properties section

Field Description
Enable DCO kernel acceleration

On SNS in version 5, select the checkbox to enable the DCO (Data Channel Offload) kernel acceleration feature. This option is enabled by default in the factory configuration. On SNS in version 4, this feature is not available.

This feature transfers the encryption/decryption of data packets passing through SSL VPN tunnels to the operating system kernel. This increases the performance of UDP-based tunnels and enables the SSL VPN service to handle the setup of many more UDP tunnels.

However, this feature is not compatible with TCP-based tunnels and degrades their performance. Ensure that you disable it if you are using such tunnels.

NOTE
When the checkbox is selected, if the encryption suite used by the SSL VPN service is incompatible with the DCO kernel acceleration feature, a window appears, encouraging you to use the AES-256-GCM encryption suite. Accept the change to enable the feature.

Public IP address of the UTM for the SSL VPN (UDP)

In either of the following cases, you need to select the object representing the IP address used for setting up UDP SSL VPN tunnels:

  • The IP address used for setting up the SSL VPN tunnels (UDP) is not the main IP address of the external interface.

  • The IP address used for setting up the SSL VPN tunnels (UDP) belongs to an external interface that is not linked to the default gateway of the firewall.

Port (UDP)
Port (TCP)

The listening ports of the SSL VPN service can be changed. Note:

  • Some ports are reserved for the SNS firewall's internal use only and cannot be selected,
  • Port 443 is the only port below 1024 that can be used,
  • If you change any of the default ports, the SSL VPN could become inaccessible from networks (hotels or public Wi-Fi) on which Internet access is filtered.
Interval before key renegotiation (seconds)

You can change the length of time (14400 seconds by default, i.e. 4 hours) after which the keys used by the encryption algorithms are renegotiated. During this operation:

  • The SSL VPN tunnel will not respond for several seconds,
  • If multifactor authentication is used, the user will need to enter a new OTP, or approve the new connection in the third-party application (in push mode), in order to stay connected. It can therefore be helpful to set an interval that corresponds to the average length of a workday, such as 28800 seconds (8 hours). Keep in mind that a longer interval also extends the lifetime of the session keys and the time before a user is prompted to re-authenticate.
Use DNS servers provided by the firewall

You can instruct VPN clients to add the DNS servers retrieved via the SSL VPN to the workstation's (Windows only) network configuration. If DNS servers are already defined on the workstation, they may still be queried.

Prohibit use of third-party DNS servers

You can instruct VPN clients to exclude the DNS servers that have already been defined in the workstation's (Windows only) configuration. Only DNS servers sent by the SNS firewall can be queried.

Scripts to run on the client

In Windows, the Stormshield SSL VPN client can run .bat scripts when an SSL VPN tunnel is opened or closed. In these scripts, you can use:

  • Windows environment variables (%USERDOMAIN%, %SystemRoot%, etc.),

  • Variables relating to the Stormshield SSL VPN client: %NS_USERNAME% (user name used for authentication) and %NS_ADDRESS% (IP address assigned to the SSL VPN client).

Field Description
Script to run when connecting

Select the script to run when the VPN tunnel is opened. Example of a script that connects the Z: network drive to a shared folder for the duration of the session (/persistent:no prevents Windows from trying to restore the mapping at the next logon, when the tunnel is not up):

REM Map Z: to the share; the mapping is not restored at the next logon.
NET USE Z: \\myserver\myshare /persistent:no

Script to run when disconnecting

Select the script to run when the VPN tunnel is closed. Example of a script that disconnects the Z: network drive from the shared folder (/y suppresses the confirmation prompt if files are still open):

REM Remove the Z: mapping without waiting for a confirmation prompt.
NET USE Z: /delete /y

Certificates

Select the certificates that the SNS firewall's SSL VPN service and the Stormshield SSL VPN client must present to set up a tunnel. They must be issued by the same certification authority.

The default suggestions are the certification authority dedicated to the SSL VPN, and a server certificate and a client certificate created when the firewall was initialized.

Field Description
Server certificate

Select the desired certificate. An icon next to the certificate indicates that its private key is TPM-protected. For more information, refer to the technical note Configuring the TPM and protecting private keys in SNS firewall certificates.

Client certificate Select the desired certificate. Client certificates with a TPM-protected private key cannot be selected as the private keys of such certificates must be available in plaintext (unencrypted) in the VPN configuration that is distributed to VPN clients.

Configuration

Field Description
Export the configuration file

Click on this button to export the SSL VPN configuration in .ovpn format.
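Because the exported file carries the client certificate's private key in plaintext, it is worth inspecting before it is handed out. The script below is an added example, not Stormshield code: it assumes the export is a standard OpenVPN client configuration with inline <ca>/<cert>/<key> blocks, parses it, lists the remote endpoints (a port other than 443 is the one most likely to be filtered on hotel or public Wi-Fi networks, which is an assumption), reports the reneg-sec value that corresponds to the key renegotiation interval above, and flags an unencrypted inline key. SAMPLE_OVPN is constructed, not a real export.

```python
# Added example (not Stormshield code): inspect an exported SSL VPN
# client configuration before distributing it. Assumes the .ovpn file is
# a standard OpenVPN client configuration with inline <ca>/<cert>/<key>
# blocks; SAMPLE_OVPN below is constructed, not a real export.
import re

SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.com 1194 udp
remote vpn.example.com 443 tcp
reneg-sec 14400
cipher AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIENBIC0gTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIEtFWSAtIE5PVCBBIFJFQUwgUFJJVkFURSBLRVk=
-----END PRIVATE KEY-----
</key>
"""

INLINE_BLOCK = re.compile(r"<([a-z-]+)>")


def parse_ovpn(text):
    """Split an OpenVPN config into (directives, inline_blocks):
    directives is a list of (name, args); inline_blocks maps a tag such
    as 'key' to the text between <key> and </key>."""
    directives, blocks = [], {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:              # inside <tag> ... </tag>
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        opener = INLINE_BLOCK.fullmatch(line)
        if opener:
            current, body = opener.group(1), []
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, blocks


def key_is_encrypted(pem):
    """True for PKCS#8 encrypted keys or legacy PEM with a Proc-Type header."""
    return "ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem


def review_ovpn(text):
    """Summarise the endpoints, the renegotiation interval and the state
    of the inline client key, with findings a reviewer would act on."""
    directives, blocks = parse_ovpn(text)
    findings = []

    # remote <host> [port] [proto]; OpenVPN defaults to 1194/udp.
    remotes = []
    for name, args in directives:
        if name == "remote":
            host = args[0]
            port = int(args[1]) if len(args) > 1 else 1194
            proto = args[2] if len(args) > 2 else "udp"
            remotes.append((host, port, proto))
            if port != 443:
                # Assumption: 443 is the port most reliably reachable
                # from filtered networks (hotels, public Wi-Fi).
                findings.append(
                    f"{host}:{port}/{proto} may be blocked on filtered networks")

    reneg = next((int(args[0]) for name, args in directives
                  if name == "reneg-sec"), None)
    if reneg is not None and reneg > 28800:
        findings.append(
            f"reneg-sec {reneg}s exceeds a workday; session keys live that long")

    key = blocks.get("key")
    key_encrypted = key_is_encrypted(key) if key is not None else None
    if key_encrypted is False:
        findings.append("inline client private key is unencrypted: treat "
                        "the file as a secret and distribute it only over "
                        "an authenticated channel")

    return {"remotes": remotes, "reneg_sec": reneg,
            "key_encrypted": key_encrypted, "findings": findings}


if __name__ == "__main__":
    for finding in review_ovpn(SAMPLE_OVPN)["findings"]:
        print("-", finding)
```

Point review_ovpn at the text of the file the Export button produces; any finding about the inline key applies to every copy of that file, since the same client certificate is distributed to all VPN clients.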