General configuration tab

Indicate the IP address that users must use to reach the SNS firewall in order to set up VPN tunnels. You can indicate either an IP address or FQDN.

• For IP addresses: they must be public, and therefore accessible over the Internet,

• For FQDNs: they must be declared on the DNS servers that the workstation uses when it is outside the corporate network. If you have a dynamic public IP address, you can use the services of a provider such as DynDNS or No-IP dynamic, and then configure this FQDN in the Dynamic DNS module.

Select the object representing the networks or hosts that will be reached through the VPN tunnel. This object makes it possible to automatically set on the workstation the routes needed to reach resources that can be accessed via the VPN.

Filter rules (in the Filter - NAT module) will be necessary to more granularly allow or prohibit traffic between remote workstations and internal resources. You may also need to set static routes for access to the network assigned to VPN clients on corporate network devices located between the SNS firewall and the internal resources provided.

Select the object corresponding to the network that has been assigned to VPN clients in UDP and TCP. The network mask must not be smaller than /28. If you assign two networks, VPN client will always choose the UDP network first to ensure better performance. Choosing the network or sub-networks:

• The assigned network must not belong to any existing internal networks, or networks declared by a static route on the SNS firewall. Since the interface used for the SSL VPN is protected, the firewall would then detect an IP spoofing attempt and block the corresponding traffic.
• To avoid routing conflicts, select less commonly used sub-networks (such as 10.60.77.0/24) as many filtered Internet access networks (public Wi-Fi, hotels, etc) or private local networks already use the first few reserved address ranges.

The number appears automatically. This number corresponds to the lowest value, either the number of tunnels allowed on the SNS firewall, or the number of sub-networks available for VPN clients. The number of sub-networks represents 1/4 of the number of IP addresses minus 2. An SSL VPN tunnel takes up 4 IP addresses and the server reserves 2 sub-networks for its own use.

In either of the following cases, you need to select the object representing the IP address used for setting up UDP SSL VPN tunnels:

• The IP address used for setting up the SSL VPN tunnels (UDP) is not the main IP address of the external interface.

• The IP address used for setting up the SSL VPN tunnels (UDP) belongs to an external interface that is not linked to the default gateway of the firewall.

The listening ports of the SSL VPN service can be changed. Note:

• Some ports are reserved for the SNS firewall’s internal use only and cannot be selected,
• Port 443 is the only port below 1024 that can be used,
• If you change any of the default ports, the SSL VPN could become inaccessible from networks (hotels or public WiFi) on which Internet access is filtered.

You can change the length of time (14400 seconds by default, or 4 hours) after which the keys used by the encryption algorithms will be renegotiated. During this operation:

• The SSL VPN tunnel will not respond for several seconds,
• If multifactor authentication is used, the user will need to enter a new OTP, or approve the new connection on the third-party application (in push mode), in order to stay connected. It would be helpful to set an interval that corresponds to the average length of a workday, such as 28800 seconds (8 hours).

You can instruct VPN clients to include the DNS servers retrieved via the SSL VPN in the workstation's (Windows only) network configuration. If DNS servers are already defined on the workstation, they may be queried.

Select the script to run when the VPN tunnel is opened. Example of a script that makes it possible to connect the Z: network drive to the shared network:

NET USE Z: \\myserver\myshare

Select the script to run when the VPN tunnel is closed. Example of a script that makes it possible to disconnect the Z: network drive from a shared network:

NET USE Z: /delete

Select the desired certificate. The icon indicates certificates with a TPM-protected private key. For more information on the TPM, see the section Trusted Platform Module.