Operation

Requirements

A Stormshield Network Firewall in version 3.x or 4.x.

For the client terminal:

  • Windows 10 64-bit workstation with the latest 2.9.x Stormshield Network SSL VPN Client software installed,
  • Workstation equipped with a third-party client compatible with OpenVPN,
  • Smartphone or tablet (Android or iOS) equipped with the OpenVPN Connect client (available on Google Play Store and Apple Store).

Advantages of the Stormshield Network SSL VPN Client

During each connection, the Stormshield Network SSL VPN Client retrieves the user’s configuration automatically and safely. These elements are integrated into the client seamlessly for the user.

For third-party clients that are compatible with OpenVPN, as well as OpenVPN Connect for Android or iOS, these configuration elements have to be retrieved and integrated manually during the initial connection to the authentication portal (https://firewall_IP_address/auth). The same applies whenever the configuration of the SSL VPN service changes (modification of certificates, IP address of the Firewall, etc.).

The Stormshield Network SSL VPN Client can also execute scripts on the user's terminal upon every connection to and/or disconnection from an SSL VPN tunnel.

The SN SSL VPN Client offers an address book that allows storing several connection profiles. This address book can be encrypted.

Establishing a tunnel with the Stormshield Network SSL VPN Client

The user configures the three fields of the Stormshield Network SSL VPN Client (IP address of the Firewall to contact, user name, password) and launches the connection.

The SSL VPN client then connects to the Firewall’s authentication server, which will verify the identification information and check in the rules of the authentication policy (UAC: User Access Control) whether the user has sufficient privileges to set up an SSL VPN tunnel.

Next, the Stormshield Network SSL VPN Client transparently retrieves the user's configuration (an archive in "zip" format containing: connection profile, certificate, private key, certificate authority, and any scripts to be executed during connection and/or disconnection) in order to negotiate the setup of the tunnel.

The negotiation takes place in this manner:

  1. The SSL VPN client and the SSL VPN service on the Stormshield Network firewall mutually authenticate each other through certificates (SSL handshake) and negotiate encryption algorithms,
  2. The SSL VPN service checks the user's access a second time (login, password and access privileges to SSL VPN tunnels),
  3. The SSL VPN service saves the user in its ASQ user table,
  4. The tunnel is set up: the client is assigned an IP address and receives the routes needed to reach the internal resources authorized via the tunnel.

From then on, all traffic between the client and authorized resources will go through the SSL VPN tunnel that has been set up.
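As an added example (not Stormshield's code), here is a Python check an administrator can run over a retrieved configuration archive before importing it manually into a third-party OpenVPN client, as described for third-party clients and for the tunnel setup above: it parses the connection profile, reports the firewall endpoint the tunnel will be negotiated with, lists the connect/disconnect scripts so they can be reviewed before they run on the terminal, and verifies that every CA, certificate, key and script the profile references is actually present in the archive. The member names and profile contents are constructed assumptions, not Stormshield's actual archive layout.

```python
import io
import zipfile

# Constructed sample standing in for the "zip" archive the client retrieves
# (member names and profile contents are assumptions, not Stormshield's format).
SAMPLE_PROFILE = """\
client
remote 203.0.113.10 443
ca ca.crt
cert user.crt
key user.key
up connect.sh
down disconnect.sh
"""
SAMPLE_MEMBERS = {
    "profile.ovpn": SAMPLE_PROFILE,
    "ca.crt": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "user.crt": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
    "user.key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
    "connect.sh": "#!/bin/sh\necho connected\n",
    "disconnect.sh": "#!/bin/sh\necho disconnected\n",
}

def build_sample_archive(omit=()) -> bytes:
    # Build the constructed archive in memory, optionally leaving members out.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in SAMPLE_MEMBERS.items():
            if name not in omit:
                zf.writestr(name, content)
    return buf.getvalue()

def inspect_archive(data: bytes) -> dict:
    # Parse the .ovpn profile and check that each file it references is present.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        profile_name = next(n for n in sorted(names) if n.endswith(".ovpn"))
        profile = zf.read(profile_name).decode()
    result = {"remote": None, "scripts": [], "missing": []}
    for line in profile.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", ";")):
            continue
        directive, args = parts[0], parts[1:]
        if directive == "remote":  # firewall host/port the tunnel is negotiated with
            result["remote"] = (args[0], int(args[1]) if len(args) > 1 else 1194)
        elif directive in ("ca", "cert", "key", "up", "down"):
            if args[0] not in names:
                result["missing"].append(args[0])
            if directive in ("up", "down"):  # scripts run at connect/disconnect: review them
                result["scripts"].append(args[0])
    return result
```

An empty `missing` list means the profile can be imported as a consistent unit; anything listed under `scripts` should be read before the first connection, since the client will execute it on the terminal.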