Configuring client workstation verification (ZTNA)
A policy can be set up to verify the compliance of client workstations (ZTNA) that set up SSL VPN tunnels with the SNS firewall. With this verification, workstations or users that do not comply with the criteria in the policy will not be able to set up SSL VPN tunnels with the SNS firewall.
This use case requires an SNS firewall in version 4.8 or higher, and the Stormshield SSL VPN client in version 4.0 or higher on each workstation in the corporate network.
Go to Configuration > VPN > SSL VPN. Continue according to the relevant SNS version.
On SNS firewalls in version 5
Settings for this version are configured in the Client workstation verification (ZTNA) and Windows client workstation verification (ZTNA) tabs.
Client workstation verification (ZTNA) tab
Stormshield SSL VPN client version
Select the checkbox to enable the settings section of the required versions.
| Field | Description |
|---|---|
| Allow a version range (at least v4.0.0) |
Select this option if you have a varied pool of Stormshield SSL VPN clients, and wish to allow several versions of the client to set up tunnels with the firewall. You must then enter the Lowest version of Stormshield SSL VPN clients that are allowed to set up tunnels. You can enter the Highest version or leave this field empty to allow all versions equal to or higher than the lowest specified version. |
| Allow only one version | Select this option to exclusively allow one Stormshield SSL VPN client version. You must then enter the exact version of Stormshield SSL VPN clients that are allowed to set up tunnels. |
Allow tunnels to be set up for the following additional clients
| Field | Description |
|---|---|
| Stormshield SSL VPN clients for (Linux or macOS) | Select the option if you have client workstations with a Linux or Mac Stormshield SSL VPN client (available soon). By doing so, specific Windows criteria will not be applied to these workstations, and you will not need to adapt your criteria to them. |
| SSL VPN clients incompatible with ZTNA |
Select the checkbox to enable permissive mode, which allows SSL VPN clients that are incompatible with the client workstation verification feature to set up tunnels with the SNS firewall. With this permissive mode, it is possible to:
|
Customized message for incompatible workstations
If an SSL VPN tunnel fails to set up because the workstation or user is non-compliant, the Stormshield SSL VPN Client displays the default message "For more information, please contact support" in English, French and German.
In the text entry section, you can change the message, or delete it if you do not wish to display an additional message. Do note that as automatic translation mechanisms have not been set up: you will need to have the message translated with your own means.
You can reset the additional message that you have written by clicking on Go back to messages suggested by default.
Windows client workstation verification (ZTNA) tab
Windows client workstations are verified based on different criteria. Do note that if you select several criteria from those described below, the SSL VPN client has to meet all the defined criteria to be allowed to set up tunnels with the SNS firewall.
| Field | Description |
|---|---|
| Client workstation antivirus enabled and up to date |
The workstation must be equipped with an active antivirus program with the latest antivirus database updates. This information is based on the status of the antivirus recognized by the Windows Security center. Third-party antiviruses are therefore supported as long as the Windows Security center recognizes their status. |
| Active firewall on the client workstation |
The Windows firewall must be running on the workstation, and the domain network, private network and public network profiles must be enabled. If a profile is disabled, the criterion will be considered non-compliant. |
| SES installed on the client workstation |
In infrastructures that have deployed SES Evolution, the SES agent must be installed on the workstation. Do note that the configuration and status of the SES agent are not taken into account. |
| Prohibit users holding administration privileges on the client workstation |
Users who hold administrator privileges on the workstation cannot set up tunnels with the SNS firewall. |
Check the Windows 10/Windows 11 version (build number)
Select the checkbox to enable the settings section of the required Windows 10 and Windows 11 versions. Two tabs are available, depending on the Windows version in question.
| Field | Description |
|---|---|
| Allow a version range (builds) |
When this option is selected, you have to enter the Lowest version that the workstation must run (by default 10000 for Windows 10 and 20000 for Windows 11). You can enter the Highest version that the workstation must run, or leave this field empty to allow all versions equal to or higher than the lowest specified version. |
| Allow only one version |
|
Membership in a company domain
| Field | Description |
|---|---|
| Ensure that the host is connected to a company domain |
When this option is selected, you have to add to the grid the domains of the workstations that are allowed to set up tunnels. Do note that this criterion is not related to the configuration of directories on the firewall. |
| Ensure that the user belongs to a company domain |
When this option is selected, you have to add to the grid the domains of users who are allowed to set up tunnels. With this criterion, the user's full name, including the domain, will be verified. As such, even if the workstation is connected to a domain, local users on the workstation will not be able to set up tunnels. Do note that this criterion is not related to the configuration of directories on the firewall. |
On SNS firewalls in version 4.8
Settings are configured in the Client workstation verification (ZTNA) tab.
| Field | Description |
|---|---|
|
Enable client workstation verification (ZTNA) |
Select the checkbox to enable verification of client workstation compliance. When it is enabled:
|
| Allow tunnels to be set up for Linux or Mac Stormshield SSL VPN clients | Select the option if you have client workstations with a Linux or Mac Stormshield SSL VPN client (available soon). By doing so, specific Windows criteria will not be applied to these workstations, and you will not need to adapt your criteria to them. |
| Allow tunnels to be set up for clients that are not compatible with ZTNA |
Select the checkbox to enable permissive mode, which allows SSL VPN clients that are incompatible with the client workstation verification feature to set up SSL VPN tunnels with the SNS firewall. With this permissive mode, it is possible to:
|
Client workstation verification (ZTNA) settings
Client workstations are verified based on different criteria. Do note that if you select several criteria from those described below, the SSL VPN client has to meet all the defined criteria to be allowed to set up tunnels with the SNS firewall.
| Field/Criterion | Description |
|---|---|
| Client workstation antivirus enabled and up to date |
The workstation must be equipped with an active antivirus program with the latest antivirus database updates. This information is based on the status of the antivirus recognized by the Windows Security center. Third-party antiviruses are therefore supported as long as the Windows Security center recognizes their status. |
| Active firewall on the client workstation |
The Windows firewall must be running on the workstation, and the domain network, private network and public network profiles must be enabled. If a profile is disabled, the criterion will be considered non-compliant. |
| SES installed on the client workstation |
In infrastructures that have deployed SES Evolution, the SES agent must be installed on the workstation. Do note that the configuration and status of the SES agent are not taken into account. |
| Prohibit users holding administration privileges on the client workstation |
Users who hold administrator privileges on the workstation cannot set up tunnels with the SNS firewall. |
| Check the Windows 10/Windows 11 versions (build number) |
Select the checkbox to enable the settings section of the required Windows 10 and Windows 11 versions. Two tabs are available, depending on the Windows version in question.
|
| Host connected to a domain tab |
When you select Connect the host to a company domain, in the List of Active Directory domains grid, add the domains of the workstations that are allowed to set up tunnels. Do note that this criterion is not related to the configuration of directories on the firewall. |
| User connected to a domain tab |
When you select Connect the user to a company domain, in the List of Active Directory domains grid, add the domains of the users that are allowed to set up tunnels. With this criterion, the user's full name, including the domain, will be verified. As such, even if the workstation is connected to a domain, local users on the workstation will not be able to set up SSL VPN tunnels with the firewall. Do note that this criterion is not related to the configuration of directories on the firewall. |
| Stormshield SSL VPN client version |
Select Check Stormshield SSL VPN client version to enable the settings section of the required versions.
|
Customized message
If an SSL VPN tunnel fails to set up because the workstation or user is non-compliant, the Stormshield SSL VPN Client displays the default message "For more information, please contact support" in English, French and German.
In the text entry section, you can change the message, or delete it if you do not wish to display an additional message. Do note that as automatic translation mechanisms have not been set up: you will need to have the message translated with your own means.
You can reset the additional message that you have written by clicking on Go back to messages suggested by default.
