Configuring client workstation verification (ZTNA)

A policy can be set up to verify the compliance of client workstations (ZTNA) that set up SSL VPN tunnels with the SNS firewall. With this verification, workstations or users that do not comply with the criteria in the policy will not be able to set up SSL VPN tunnels with the SNS firewall.

This use case requires an SNS firewall in version 4.8 or higher, and the Stormshield SSL VPN client in version 4.0 or higher on each workstation in the corporate network.

Go to Configuration > VPN > SSL VPN. Continue according to the relevant SNS version.

Screen showing the policy verifying the compliance of client workstations on an SNS firewall in version 4

On SNS firewalls in version 5

Settings for this version are configured in the Client workstation verification (ZTNA) and Windows client workstation verification (ZTNA) tabs.

Client workstation verification (ZTNA) tab

Stormshield SSL VPN client version

Select the checkbox to enable the section in which the required versions are set.

Field Description
Allow a version range (at least v4.0.0)

Select this option if you have a varied pool of Stormshield SSL VPN clients, and wish to allow several versions of the client to set up tunnels with the firewall.

You must then enter the Lowest version of Stormshield SSL VPN clients that are allowed to set up tunnels. You can enter the Highest version or leave this field empty to allow all versions equal to or higher than the lowest specified version.

Allow only one version

Select this option to exclusively allow one Stormshield SSL VPN client version. You must then enter the exact version of Stormshield SSL VPN clients that are allowed to set up tunnels.

Allow tunnels to be set up for the following additional clients

Field Description
Stormshield SSL VPN clients for (Linux or macOS)

Select the option if you have client workstations with a Linux or Mac Stormshield SSL VPN client (available soon). By doing so, specific Windows criteria will not be applied to these workstations, and you will not need to adapt your criteria to them.

SSL VPN clients incompatible with ZTNA

Select the checkbox to enable permissive mode, which allows SSL VPN clients that are incompatible with the client workstation verification feature to set up tunnels with the SNS firewall. With this permissive mode, it is possible to:

  • Progressively update a pool of Stormshield SSL VPN clients to a compatible version,
  • Continue using third-party SSL VPN clients.

Customized message for incompatible workstations

If an SSL VPN tunnel fails to set up because the workstation or user is non-compliant, the Stormshield SSL VPN Client displays the default message "For more information, please contact support" in English, French and German.

In the text entry section, you can change the message, or delete it if you do not wish to display an additional message. Do note that no automatic translation mechanism is provided: you will need to translate the message yourself.

You can reset the additional message that you have written by clicking on Go back to messages suggested by default.

Screen to customize the message indicating non-compliance with the client workstation verification policy on an SNS firewall in version 4

Windows client workstation verification (ZTNA) tab

Windows client workstations are verified based on different criteria. Do note that if you select several criteria from those described below, the SSL VPN client has to meet all the defined criteria to be allowed to set up tunnels with the SNS firewall.

Field Description
Client workstation antivirus enabled and up to date

The workstation must be equipped with an active antivirus program with the latest antivirus database updates. This information is based on the status of the antivirus recognized by the Windows Security Center. Third-party antiviruses are therefore supported as long as the Windows Security Center recognizes their status.

Active firewall on the client workstation

The Windows firewall must be running on the workstation, and the domain network, private network and public network profiles must be enabled. If a profile is disabled, the criterion will be considered non-compliant.

SES installed on the client workstation

In infrastructures that have deployed SES Evolution, the SES agent must be installed on the workstation. 

Do note that the configuration and status of the SES agent are not taken into account.

Prohibit users holding administration privileges on the client workstation

Users who hold administrator privileges on the workstation cannot set up tunnels with the SNS firewall.

Check the Windows 10/Windows 11 version (build number)

Select the checkbox to enable the section in which the required Windows 10 and Windows 11 versions are set. Two tabs are available, depending on the Windows version in question.

Field Description
Allow a version range (builds)

When this option is selected, you have to enter the Lowest version that the workstation must run (by default 10000 for Windows 10 and 20000 for Windows 11).

You can enter the Highest version that the workstation must run, or leave this field empty to allow all versions equal to or higher than the lowest specified version.

Allow only one version

When this option is selected, you have to enter the exact Windows version of workstations that are allowed to set up tunnels.

Membership in a company domain

Field Description
Ensure that the host is connected to a company domain

When this option is selected, you have to add to the grid the domains of the workstations that are allowed to set up tunnels.

Do note that this criterion is not related to the configuration of directories on the firewall.

Ensure that the user belongs to a company domain

When this option is selected, you have to add to the grid the domains of users who are allowed to set up tunnels. With this criterion, the user's full name, including the domain, will be verified. As such, even if the workstation is connected to a domain, local users on the workstation will not be able to set up tunnels.

Do note that this criterion is not related to the configuration of directories on the firewall.

On SNS firewalls in version 4.8

Settings are configured in the Client workstation verification (ZTNA) tab.

Field Description
Enable client workstation verification (ZTNA)

Select the checkbox to enable verification of client workstation compliance. When it is enabled:

  • Compatible SSL VPN clients can set up SSL VPN tunnels with the firewall only if all the criteria defined in the policy have been met,
  • Incompatible SSL VPN clients cannot set up SSL VPN tunnels with the firewall, unless permissive mode has been enabled (see below).

Allow tunnels to be set up for Linux or Mac Stormshield SSL VPN clients

Select the option if you have client workstations with a Linux or Mac Stormshield SSL VPN client (available soon). By doing so, specific Windows criteria will not be applied to these workstations, and you will not need to adapt your criteria to them.

Allow tunnels to be set up for clients that are not compatible with ZTNA

Select the checkbox to enable permissive mode, which allows SSL VPN clients that are incompatible with the client workstation verification feature to set up SSL VPN tunnels with the SNS firewall. With this permissive mode, it is possible to:

  • Progressively update a pool of Stormshield SSL VPN clients to a compatible version,
  • Continue using third-party SSL VPN clients.

Client workstation verification (ZTNA) settings

Client workstations are verified based on different criteria. Do note that if you select several criteria from those described below, the SSL VPN client has to meet all the defined criteria to be allowed to set up tunnels with the SNS firewall.

Field/Criterion Description
Client workstation antivirus enabled and up to date

The workstation must be equipped with an active antivirus program with the latest antivirus database updates. This information is based on the status of the antivirus recognized by the Windows Security Center. Third-party antiviruses are therefore supported as long as the Windows Security Center recognizes their status.

Active firewall on the client workstation

The Windows firewall must be running on the workstation, and the domain network, private network and public network profiles must be enabled. If a profile is disabled, the criterion will be considered non-compliant.

SES installed on the client workstation

In infrastructures that have deployed SES Evolution, the SES agent must be installed on the workstation.

Do note that the configuration and status of the SES agent are not taken into account.

Prohibit users holding administration privileges on the client workstation

Users who hold administrator privileges on the workstation cannot set up tunnels with the SNS firewall.

Check the Windows 10/Windows 11 versions (build number)

Select the checkbox to enable the section in which the required Windows 10 and Windows 11 versions are set. Two tabs are available, depending on the Windows version in question.

  • Allow a version range (builds): when this option is selected, you have to enter the Lowest version that the workstation must run (by default 10000 for Windows 10 and 20000 for Windows 11).

    You can enter the Highest version that the workstation must run, or leave this field empty to allow all versions equal to or higher than the lowest specified version.

  • Allow only one version: when this option is selected, you have to enter the exact Windows version of workstations that are allowed to set up tunnels.

Host connected to a domain tab

When you select Connect the host to a company domain, in the List of Active Directory domains grid, add the domains of the workstations that are allowed to set up tunnels.

Do note that this criterion is not related to the configuration of directories on the firewall.

User connected to a domain tab

When you select Connect the user to a company domain, in the List of Active Directory domains grid, add the domains of the users that are allowed to set up tunnels. With this criterion, the user's full name, including the domain, will be verified. As such, even if the workstation is connected to a domain, local users on the workstation will not be able to set up SSL VPN tunnels with the firewall.

Do note that this criterion is not related to the configuration of directories on the firewall.

Stormshield SSL VPN client version

Select Check Stormshield SSL VPN client version to enable the section in which the required versions are set.

  • Allow a version range (builds): select this option if you have a varied pool of Stormshield SSL VPN clients, and wish to allow several versions of the client to set up tunnels with the firewall.

    You must then enter the Lowest version of Stormshield SSL VPN clients that are allowed to set up tunnels. The lowest version allowed is 4.0.0. You can enter the Highest version or leave this field empty to allow all versions equal to or higher than the lowest specified version.

  • Allow only one version: select this option to exclusively allow one Stormshield SSL VPN client version. You must then enter the exact version of Stormshield SSL VPN clients that are allowed to set up tunnels.

Customized message

If an SSL VPN tunnel fails to set up because the workstation or user is non-compliant, the Stormshield SSL VPN Client displays the default message "For more information, please contact support" in English, French and German.

In the text entry section, you can change the message, or delete it if you do not wish to display an additional message. Do note that no automatic translation mechanism is provided: you will need to translate the message yourself.

You can reset the additional message that you have written by clicking on Go back to messages suggested by default.

Screen to customize the message indicating non-compliance with the client workstation verification policy on an SNS firewall in version 4
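The decision rules described for both the version 5 tabs and the version 4.8 settings above (every selected criterion must be met, an empty Highest version means no upper bound, Windows criteria are skipped for Linux/macOS clients, permissive mode admits clients that do not support the verification, and a local account fails the user-domain criterion even on a domain-joined workstation) can be worked through in code. The following Python model is an added example and is not Stormshield's implementation: the firewall's real data model, the field names of ZtnaPolicy and ClientPosture, the case-insensitive domain comparison and the sample policy and postures are all assumptions made here to illustrate the documented behaviour.

```python
from dataclasses import dataclass, field
from typing import Optional, Sequence


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version string such as "4.1.2" into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(value, lowest, highest) -> bool:
    """Documented range semantics: an empty 'Highest version' means no upper bound."""
    return value >= lowest and (highest is None or value <= highest)


@dataclass
class ZtnaPolicy:
    """Settings as shown in the Client workstation verification (ZTNA) screens (names assumed)."""
    check_client_version: bool = True
    client_version_exact: Optional[str] = None      # "Allow only one version"
    client_version_lowest: str = "4.0.0"            # "Allow a version range" (lowest allowed is 4.0.0)
    client_version_highest: Optional[str] = None    # empty = no upper bound
    allow_linux_mac_clients: bool = False
    permissive_mode: bool = False                   # SSL VPN clients incompatible with ZTNA
    # Windows criteria: every selected criterion must be met
    require_antivirus: bool = False
    require_firewall: bool = False
    require_ses_agent: bool = False
    prohibit_admin_users: bool = False
    check_windows_build: bool = False
    build_exact: Optional[int] = None
    build_lowest: dict = field(default_factory=lambda: {10: 10000, 11: 20000})  # page defaults
    build_highest: dict = field(default_factory=dict)
    host_domains: Sequence[str] = ()                # host connected to a company domain
    user_domains: Sequence[str] = ()                # user belongs to a company domain


@dataclass
class ClientPosture:
    """What the SSL VPN client reports about the workstation (field names are assumptions)."""
    ztna_compatible: bool
    client_version: str
    os_family: str                                  # "windows", "linux" or "macos"
    windows_major: int = 0                          # 10 or 11
    windows_build: int = 0
    antivirus_ok: bool = False                      # active and up to date per Windows Security Center
    firewall_profiles_enabled: dict = field(default_factory=dict)
    ses_installed: bool = False
    user_is_admin: bool = False
    host_domain: Optional[str] = None
    user_name: str = ""                             # full name including domain, e.g. "CORP\\alice"


FIREWALL_PROFILES = ("domain", "private", "public")


def evaluate(policy: ZtnaPolicy, posture: ClientPosture) -> tuple[bool, list[str]]:
    """Return (tunnel_allowed, list of failed criteria)."""
    failures: list[str] = []

    # Clients without the verification feature only get through in permissive mode.
    if not posture.ztna_compatible:
        return (True, []) if policy.permissive_mode else (False, ["client incompatible with ZTNA"])

    if policy.check_client_version:
        version = parse_version(posture.client_version)
        if policy.client_version_exact is not None:
            ok = version == parse_version(policy.client_version_exact)
        else:
            highest = policy.client_version_highest
            ok = in_range(version, parse_version(policy.client_version_lowest),
                          parse_version(highest) if highest else None)
        if not ok:
            failures.append(f"client version {posture.client_version} not allowed")

    # Windows-specific criteria are not applied to Linux/macOS clients.
    if posture.os_family != "windows":
        if not policy.allow_linux_mac_clients:
            failures.append("Linux/macOS clients not allowed")
        return (not failures, failures)

    if policy.require_antivirus and not posture.antivirus_ok:
        failures.append("antivirus not active or not up to date")
    if policy.require_firewall and not all(
            posture.firewall_profiles_enabled.get(p, False) for p in FIREWALL_PROFILES):
        failures.append("Windows firewall not enabled on all three profiles")
    if policy.require_ses_agent and not posture.ses_installed:
        failures.append("SES agent not installed")
    if policy.prohibit_admin_users and posture.user_is_admin:
        failures.append("user holds administrator privileges")

    if policy.check_windows_build:
        if policy.build_exact is not None:
            ok = posture.windows_build == policy.build_exact
        else:
            lowest = policy.build_lowest.get(posture.windows_major)
            ok = lowest is not None and in_range(
                posture.windows_build, lowest, policy.build_highest.get(posture.windows_major))
        if not ok:
            failures.append(f"Windows build {posture.windows_build} not allowed")

    # Domain criteria (assumption: compared case-insensitively; unrelated to firewall directories).
    if policy.host_domains:
        if (posture.host_domain or "").lower() not in {d.lower() for d in policy.host_domains}:
            failures.append("host not connected to an allowed domain")
    if policy.user_domains:
        user_domain, sep, _ = posture.user_name.partition("\\")
        # A local account ("PC01\\bob") carries the workstation name, not a domain, in front.
        if not sep or user_domain.lower() not in {d.lower() for d in policy.user_domains}:
            failures.append("user does not belong to an allowed domain")

    return (not failures, failures)


# Constructed sample policy and posture for a quick self-check (not values from the page).
SAMPLE_POLICY = ZtnaPolicy(
    require_antivirus=True, require_firewall=True, prohibit_admin_users=True,
    check_windows_build=True, host_domains=("corp.example",), user_domains=("CORP",),
    allow_linux_mac_clients=True,
)
COMPLIANT_HOST = ClientPosture(
    ztna_compatible=True, client_version="4.1.0", os_family="windows",
    windows_major=11, windows_build=22631, antivirus_ok=True,
    firewall_profiles_enabled={"domain": True, "private": True, "public": True},
    host_domain="corp.example", user_name="CORP\\alice",
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, COMPLIANT_HOST))
```

Feeding the same compliant posture with one change at a time (public firewall profile disabled, a local account instead of a domain account, a client older than 4.0.0, a build below the default lowest value) shows which single criterion blocks the tunnel, which is the kind of dry run worth doing before enabling the policy on a firewall that serves a mixed client pool.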