Action required: Apply the fix for SNS firewall disks.
Please follow the procedure described in the How to update my SSD Firmware - Stormshield Knowledge Base article (authentication required).
Enabling and configuring the SSL VPN service
To enable the SSL VPN service on the SNS firewall:
Go to Configuration > VPN > SSL VPN.
Set the status cursor to ON.
Several sections are available for the configuration of the SNS firewall’s SSL VPN service.
Network settings section
In the UTM IP address (or FQDN) used field, indicate the IP address that users must use to reach the SNS firewall to set up SSL VPN tunnels.
If you enter an IP address, it must be public, and therefore accessible over the Internet,
If you enter an FQDN (e.g., ssl.company.tld), it must be declared on the DNS servers that the client device uses when it is outside the corporate network. If you have a dynamic public IP address, you can use the services of a provider such as DynDNS or No-IP. In this case, configure this FQDN on the SNS firewall in Configuration > Network > Dynamic DNS.
In the Available networks or hosts field, select the object representing the networks or hosts that will be reached through the SSL VPN tunnel. This object makes it possible to automatically set on the client device the routes needed to reach resources that can be accessed via the VPN.
You will need to set filter rules to more granularly allow or prohibit traffic between remote clients and internal resources. You may also need to set static routes for access to the network assigned to VPN clients on corporate network devices located between the SNS firewall and the internal resources provided.
In Network assigned to clients (UDP) and Network assigned to clients (TCP), select the object corresponding to the network that will be assigned to VPN clients. The network mask must not be smaller than /29 for SNS versions 3.x or 4.2 and below, or /28 for SNS versions 4.3 and above.
You can assign a network to VPN clients in UDP, and another network for clients in TCP, but they must both be different. The VPN client will always choose the UDP network first for better performance.
As for the network or sub-networks:
- Choose a network dedicated to SSL VPN clients that does not belong to any existing internal networks, or declared by a static route on the SNS firewall. Since the interface used for the SSL VPN is protected, the SNS firewall would then detect an IP spoofing attempt and block the corresponding traffic,
- Choose seldom-used sub-networks (e.g., 10.60.77.0/24) to prevent routing conflicts on client devices during the connection to the SSL VPN. Many filtered Internet access networks (public Wi-Fi, hotels, etc) or private local networks already use the first few reserved address ranges.
- The maximum number of simultaneous tunnels allowed will appear automatically. This number corresponds to the minimum value between the maximum number of tunnels allowed on the SNS firewall SNS (see Operation and limitations) and the number of sub-networks available for VPN clients. For the number of sub-networks, depending on the SNS version, this represents:
3.x or 4.2 and higher a quarter of the number of IP addresses, minus 1. An SSL VPN tunnel consumes 4 IP addresses, but the server reserves 1 sub-network for its own use.
4.3 and higher a quarter of the number of IP addresses, minus 2. An SSL VPN tunnel takes up 4 IP addresses, but the server reserves 2 sub-networks for its own use.
DNS settings sent to client section
- In the Domain name field, enter the domain name assigned to the SSL VPN clients so that they can resolve their host names.
- In the Primary DNS server and Secondary DNS server fields, select the object representing the DNS server to be assigned.
- In the UTM IP address for the SSL VPN (UDP) field, select the object representing the IP address used for setting up SSL VPN tunnels (UDP) if it is not the main IP address of the external interface, or if it is associated with an external interface that is not linked to the default gateway of the SNS firewall.
In the Port (UDP) and Port (TCP) fields, indicate the listening ports of the SSL VPN service based on UDP and TCP. Some ports are reserved for the SNS firewall’s internal use only and cannot be selected. If you change any of the default ports, the SSL VPN could become inaccessible from networks (hotels, public WiFi, etc.) on which Internet access is filtered.
- In the Interval before key renegotiation (seconds) field, you can change the length of time after which the keys used by the encryption algorithms will be renegotiated. The default value is 4 hours (14400 seconds). This operation is transparent for the user - the active tunnel will not be disrupted during renegotiation.
- When Use DNS servers provided by the firewall is selected, the SSL VPN client will save the DNS servers retrieved via the SSL VPN in the workstation’s network configuration (Windows only). If DNS servers are already defined on the workstation, they may be queried.
- When Prohibit use of third-party DNS servers is selected, the SSL VPN client will exclude DNS servers already defined in the workstation's configuration (Windows only). Only DNS servers sent by the SNS firewall can be queried.
Scripts to run on the client
The SN SSL VPN Client can run .bat scripts on Windows workstations when it connects to and disconnects from the SNS firewall. In these scripts, you can use Windows environment variables (%USERDOMAIN%, %SystemRoot%, etc.), as well as two variables specific to the SSL VPN tunnel:
%NS_USERNAME% represents the user name used for authentication,
%NS_ADDRESS% represents the IP address assigned to the SSL VPN client.
Example of a script to connect the Z: network drive to the \\myserver\myshare shared network:
NET USE Z: \\myserver\myshare
Example of a script to disconnect the Z: network drive from the \\myserver\myshare shared network:
NET USE Z: /delete
Select the certificates that the SNS firewall’s SSL VPN service and the SSL VPN client must present to set up a tunnel. The default suggestions are the certification authority dedicated to the SSL VPN, and a server certificate and a client certificate created when the firewall was initialized.
If you use your own certification authority, you must create a client identity and a server identity. If this CA is not the root authority, both peer certificates have to be issued from the same sub-authority.
The Export the configuration file button exports the SSL VPN configuration in .ovpn format.