Requirements
You will need the following to perform the operations described in this technical note.
A compatible SSL VPN client
Every workstation or mobile device must have a compatible VPN client in order to set up SSL VPN tunnels with the SNS firewall. Compatible VPN clients are:
- SN SSL VPN Client: this technical note explains how to install, configure and use the client, including the setup of an SSL VPN tunnel, some of its specific characteristics (compatibility, connection modes, etc.) and access to its logs,
- OpenVPN Connect: for more information, refer to the section Appendix: installing, configuring and using OpenVPN Connect,
- SN VPN Client Standard: for further information, refer to the document SN VPN Client Standard User Guide,
- SN VPN Client Exclusive: for further information, refer to the SN VPN Client Exclusive Administration guide.
For further information on the versions and operating systems that are compatible with Stormshield software programs, refer to the Network Security & Tools life cycle guide.
An adapted SNS firewall
The maximum number of SSL VPN tunnels allowed on SNS firewalls varies according to the model used. Select a model that fits your requirements. You can find this information on the Stormshield website, under Product range (SNS), by selecting your model.
Prior connection of the SNS firewall to a directory
The SNS firewall must be connected to a directory so that it can display the lists of users and user groups in its modules. This will make it possible to define the users and user groups allowed to set up SSL VPN tunnels.
Check this connection in the SNS firewall's administration interface in Configuration > Users > Authentication, Available methods tab. An LDAP line must appear in the grid. For more information on how to configure directories, refer to the section Directory configuration in the user guide of the SNS version used.
Permissions to access the SNS firewall’s captive portal
The SNS firewall’s captive portal must be enabled and users who will connect via SSL VPN must be able to access it. With this access:
- Stormshield SSL VPN clients will be able to get their SSL VPN configuration,
- The SNS firewall and Stormshield SSL VPN clients will be able to apply the policy verifying the compliance of client workstations when zero trust network access is used.
You can check the configuration of the captive portal in the SNS firewall's administration interface in Configuration > Users > Authentication, Captive portal and Captive portal profiles tabs. For more information on the configuration of the captive portal, refer to the section on Authentication in the user guide of the SNS version used.
Multifactor authentication
When multifactor authentication is used for SSL VPN connections:
Multifactor authentication using the Stormshield TOTP solution
- The SNS firewall must be in version 4.5 or higher,
- The TOTP solution must have been configured in advance. For more information, refer to the technical note Configuring and using the Stormshield TOTP solution.
Multifactor authentication using a third-party solution and a RADIUS server
- The selected multifactor authentication solution must have been configured in advance,
- The RADIUS server, through which the SNS firewall is associated with the selected multifactor authentication solution, must have been configured in advance.
Implementing zero trust network access (ZTNA)
When zero trust network access is used:
- The SNS firewall must be in version 4.8 or higher,
- Every workstation has to use the Stormshield SSL VPN client in version 4.0 or higher,
- The Stormshield SSL VPN client has to be configured in automatic mode.
Zero trust network access (ZTNA) consists of trusting users and devices only after they have been verified. Network access is considered "zero trust" when several elements come together:
- The communication channel is secured through TLS encryption of VPN tunnels,
- User identities are verified through multifactor authentication (e.g., with the Stormshield TOTP solution),
- A policy verifies the compliance of client workstations and users,
- Granular filtering restricts users' access to only what is necessary.
The following sections in this technical note cover the configuration of these elements. Every one of the elements must be configured in order for zero trust network access (ZTNA) to be effectively implemented.