Configuring the Stormshield Network Firewall
The implementation of SSL VPN tunnels requires the configuration of various modules on the Firewall:
- Activation and configuration of the SSL VPN module,
- Configuration of access privileges to SSL VPN,
- Selection of the authentication method.
- Where applicable, the configuration of the LDAP directory (internal or external),
- Definition of filter rules to allow/block traffic between SSL VPN clients and internal resources,
- Where necessary, the implementation of address translation.
Parameters of the SSL VPN service
Click on the menu Configuration > VPN > SSL VPN and enable the SSL VPN.
- Indicate the IP address or the FQDN (example: sslvpnserver.mycompany.com) through which the Stormshield Network Firewall can be contacted in order to set up the SSL VPN tunnels. This address has to be a public IP address (accessible on the Internet).
If you enter an FQDN, it has to be declared in the DNS servers that the client workstation uses when it is outside the company’s network. If your company has a dynamic public IP address, you may use the services of a provider such as DynDNS or No-IP. In this case, configure this FQDN in the menu Configuration > Network > Dynamic DNS.
- In the field Available networks or hosts, select the object that represents the networks and/or hosts that will be accessible through the SSL tunnel. This object may be a network, host or group including networks and/or hosts.
- The object selected here determines the routes that will be set up on the client host so that it can reach those resources. Routes alone do not restrict access, however: filter rules are still needed to allow or block, with greater precision, traffic between internal resources and remote clients originating from an SSL tunnel.
- It may be necessary to define static routes for access to the network assigned to SSL VPN clients on other devices on the company’s network (routers, firewalls) located between the Firewall and provisioned internal resources.
- Select (or create) the object corresponding to the network reserved for SSL VPN clients.
- Select a network that is entirely dedicated to SSL VPN clients and which does not overlap existing internal networks or networks declared by a static route. Otherwise, since the interface used for SSL VPN is protected, the firewall would detect an IP address spoofing attempt on traffic coming from those clients and block it.
- In order to avoid routing conflicts on client workstations during the connection to the VPN, choose instead, for your VPN clients, sub-networks that are less often used (example: 10.60.77.0/24, 172.22.38.0/24, etc.). Indeed, many networks that filter internet access (public WiFi, hotels, etc) or private local networks use the first few address ranges reserved for such use (example: 10.0.0.0/24, 192.168.0.0/24).
- The maximum number of simultaneous tunnels is automatically calculated and displayed. For example, for a /24 network (256 addresses), only 63 tunnels will be available. This corresponds to the minimum of the two following values:
- The number of IP addresses in the chosen client network divided by four, minus one (each SSL tunnel consumes 4 IP addresses),
- The maximum number of tunnels allowed by the model of the Firewall used.
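The following script is an added example for the steps above; it is not part of the Stormshield guide and not Stormshield code. It checks a candidate client network against the internal networks and static routes of the firewall, flags the commonly used ranges the guide recommends avoiding, and applies the tunnel-count formula. The internal networks, the commonly used ranges and the per-model limit of 100 tunnels are constructed, hypothetical values; replace them with those of your own deployment and datasheet.

```python
import ipaddress

# Constructed example data (hypothetical, not from the Stormshield guide):
# networks already present behind the firewall, whether directly attached
# or reached through a static route.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),   # LAN
    ipaddress.ip_network("10.0.0.0/16"),      # server network, via static route
]

# Ranges frequently used by public Wi-Fi, hotels and home routers; a client
# network inside one of them causes routing conflicts on the workstation.
COMMONLY_USED = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def max_tunnels(client_net, model_limit):
    """Simultaneous tunnels supported by a client network.

    Each SSL VPN tunnel consumes 4 addresses, so the firewall allows
    (number of addresses / 4) - 1 tunnels, capped by the model's limit."""
    return min(client_net.num_addresses // 4 - 1, model_limit)


def check_client_network(client_net, internal_networks=INTERNAL_NETWORKS):
    """Return the reasons a candidate SSL VPN client network is a poor choice.

    An empty list means the network is dedicated (no overlap with internal
    networks or static routes) and avoids the commonly used ranges."""
    problems = []
    for net in internal_networks:
        if client_net.overlaps(net):
            problems.append(
                f"overlaps internal network {net}: the protected interface "
                "would treat client traffic as IP spoofing and block it")
    for net in COMMONLY_USED:
        if client_net.overlaps(net):
            problems.append(
                f"overlaps commonly used range {net}: likely routing conflict "
                "on clients connected from hotels or public Wi-Fi")
    return problems


def plan(candidate, model_limit, internal_networks=INTERNAL_NETWORKS):
    """Evaluate a candidate client network; returns (max_tunnels, problems)."""
    client_net = ipaddress.ip_network(candidate, strict=True)
    return (max_tunnels(client_net, model_limit),
            check_client_network(client_net, internal_networks))


if __name__ == "__main__":
    # Hypothetical per-model limit; read the real value from the datasheet.
    MODEL_LIMIT = 100
    for candidate in ("10.0.0.0/24", "192.168.1.0/24",
                      "10.60.77.0/24", "172.22.38.0/23"):
        tunnels, problems = plan(candidate, MODEL_LIMIT)
        status = "OK" if not problems else "AVOID"
        print(f"{candidate:<18} {status:<6} max tunnels: {tunnels}")
        for p in problems:
            print(f"    - {p}")
```

Run it with your own values in INTERNAL_NETWORKS: a candidate that reports AVOID for an internal overlap will not simply work badly, it will be silently dropped by the anti-spoofing check on the protected interface, so the overlap test is worth running before the subnet is committed to the SSL VPN configuration.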
DNS parameters sent to the client
Indicate the DNS suffix that clients will use for resolving host names.
Next, specify the main and secondary DNS servers to assign to the client.
You can customize the amount of time (in seconds) after which the keys used by the encryption algorithms will be renegotiated (steps 1 and 2 in the tunnel setup). The default value is 4 hours (14400 seconds).
This operation takes place seamlessly for the client: the active tunnel will not be interrupted during the renegotiation.
Scripts to be executed on the client
You may select scripts that the Stormshield Network SSL VPN Client will execute during connection to and/or disconnection from the Firewall. It is possible, for example, to automatically connect/disconnect a Windows network drive using this method. An example of the script is given in the Further Reading section.
These scripts can only be executed on client hosts running Windows; they must be Microsoft Batch scripts (".bat" extension).
All the variables of a Windows environment can be used in connection/disconnection scripts (example: %USERDOMAIN%, %SystemRoot%, etc.).
Two environment variables relating to the SSL VPN tunnel can also be used:
- %NS_USERNAME%: the user name used for authentication,
- %NS_ADDRESS%: the IP address assigned to the client.
Select the certificates that the SSL VPN service on the Firewall and the client have to present in order to set up a tunnel. By default, a certificate authority (CA) dedicated to the SSL VPN as well as a server certificate and a client certificate created during the initialization of the Firewall will be suggested.
If you choose to create your own CA, you will need to use two certificates and their respective keys signed by this CA. If the CA is not a root certificate authority, both certificates must come from the same sub-authority.
In the menu Configuration > Users >
To authorize specific users, select the Detailed access tab and click on Add to create a personalized access rule.
Enable the rule (Status column), select the users or group of authorized users (User – user group column) and select Allow in the SSL VPN column.
In the module Configuration > Users > Authentication, the authentication method offered by default is “LDAP” (Available methods tab).
If your Firewall is already connected to a Microsoft Active Directory, you can go directly to the implementation of filter and NAT rules.
To connect your Firewall to an external directory, Microsoft Active Directory (AD) in our example, click on the menu Configuration > Users >
- Select Connect to a Microsoft Active Directory,
- In the Server field, select or create the object corresponding to your AD server,
- In the Port field, select the port used for connecting to AD (default value: the ldap object, i.e. TCP port 389; note that the bind credentials entered below travel unencrypted on this port unless the connection itself is protected),
- For the Root domain field (Base DN), enter the name of the AD domain in LDAP form (Example: dc=mydomain,dc=com for the domain mydomain.com),
- In the ID field (user DN), enter the DN of a user account on the AD domain, relative to the root domain entered above (Example: cn=myuser,cn=users for the user myuser in the default Users container),
For security reasons, you are strongly advised against choosing the user “Administrator”. Select an account that you have created specifically for the Firewall.
- In the Password field, enter the password for this account.
The list of users and groups is now available in the Users module (Configuration > Users > Users and Groups).
Filter rules have to be defined allowing or denying SSL VPN clients access to internal resources that can be accessed through the tunnel.
SSL VPN tunnels are compatible with the advanced filtering features on the Stormshield Network Firewall. Filter rules can therefore include inspection profiles, application proxies, antivirus checks, etc.
Likewise, if clients have to use SSL VPN to access the internet, it will be necessary to set up an address translation rule (NAT) resembling: