Client workstation verification (ZTNA) tab

As of SNS version 4.8.1, a policy can be set up to verify the compliance of client workstations (ZTNA) that set up SSL VPN tunnels through Stormshield SSL VPN clients in version 4.0.0 or higher.

When this verification is enabled, workstations or users that do not comply with the criteria in the policy will not be able to set up SSL VPN tunnels with the SNS firewall.

Enable client workstation verification (ZTNA)

Select the checkbox to enable verification of client workstation and user compliance. When it is enabled:

  • Compatible SSL VPN clients can set up SSL VPN tunnels with the firewall only if all the criteria defined in the policy have been met,

  • Incompatible SSL VPN clients cannot set up SSL VPN tunnels with the firewall, unless permissive mode has been enabled (see below).

Allow tunnels to be set up for Linux or Mac Stormshield SSL VPN clients

Select this option if you have client workstations with a Linux or Mac Stormshield SSL VPN client. By doing so, specific Windows criteria will not be applied to these workstations, and you will not need to adapt your criteria to them.

Allow tunnels to be set up for clients that are not compatible with ZTNA

Select the checkbox to enable permissive mode, which allows SSL VPN clients that are incompatible with the client workstation verification feature to set up SSL VPN tunnels with the SNS firewall. With this permissive mode, it is possible to:

  • Progressively update a pool of Stormshield SSL VPN clients to a compatible version,
  • Continue using other SSL VPN clients on operating systems that are not compatible with the Stormshield SSL VPN client.

Client workstation verification (ZTNA) settings

Set the criteria of the policy that verifies the compliance of client workstations and users. You must select at least one criterion.

Client workstation antivirus enabled and up to date

The workstation must be equipped with an active antivirus program with the latest antivirus database updates. This information is based on the status of the antivirus recognized by the Windows Security center. Third-party antiviruses are therefore supported as long as the Windows Security center recognizes their status.

Active firewall on the client workstation

The Windows firewall must be running on the workstation, and the domain network, private network and public network profiles must be enabled. If a profile is disabled, the criterion will be considered non-compliant.

SES installed on the client workstation

In infrastructures that have deployed SES Evolution, the SES agent must be installed on the workstation. 

Do note that the configuration and status of the SES agent are not taken into account.

Prohibit users holding administration privileges on the client workstation

Users who hold administrator privileges on the workstation cannot set up SSL VPN tunnels with the firewall.

Check the Windows 10/Windows 11 versions (build number)

Workstations running Windows 10 or Windows 11 must have one of the specified Windows versions (build numbers) to set up an SSL VPN tunnel with the firewall. Selecting this option enables the section in which the required versions are set.


Windows 10 and Windows 11 tabs

  • Allow a version range: if this option is selected:
    • You have to specify the Minimum version that the workstation must run (by default 10000 for Windows 10 and 20000 for Windows 11),
    • You can specify the Maximum version that the workstation must run. Leave this field empty to allow all versions equal to or higher than the minimum specified version.
  • Allow only one version: if this option is selected, you have to specify the exact Windows version that the workstation must run.

Host connected to a domain tab

If you select Connect the host to a company domain, in the List of Active Directory domains grid, add the domains of the workstations that are allowed to set up SSL VPN tunnels with the firewall.

Do note that this criterion is not related to the configuration of directories on the firewall.

User connected to a domain tab

If you select Connect the user to a company domain, in the List of Active Directory domains grid, add the domains of the users that are allowed to set up SSL VPN tunnels with the firewall.

With this criterion, the user's full name, including the domain, will be verified. As such, even if the workstation is connected to a domain, local users on the workstation will not be able to set up SSL VPN tunnels with the firewall. Do note that this criterion is not related to the configuration of directories on the firewall.

Stormshield SSL VPN client version

Workstations must have one of the specified Stormshield SSL VPN client versions to set up an SSL VPN tunnel with the firewall. Selecting Check Stormshield SSL VPN client version enables the section in which the required versions are set.

  • Allow a version range: if this option is selected:
    • The Minimum version of the Stormshield SSL VPN client allowed (the minimum version allowed is 4.0.0) has to be specified,
    • The Maximum version of the Stormshield SSL VPN client allowed can be specified. Leave this field empty to allow all versions equal to or higher than the minimum specified version.
  • Allow only one version: if this option is selected, you have to specify the exact version of the Stormshield SSL VPN client allowed (the lowest version allowed is 4.0.0).
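The policy criteria above are evaluated by the Stormshield SSL VPN client and enforced by the firewall, but the page does not say how the client measures each one. The following script is an added example, not Stormshield's own code or documentation: a read-only pre-check, run on the Windows workstation itself, that approximates every Windows criterion described in this section (antivirus, firewall profiles, SES presence, administrator privileges, build range, host domain, user domain, client version) so an administrator can predict whether a tunnel would be allowed before enabling the policy. The policy values (domain names, build bounds) are constructed sample values, and the detection methods (the Security Center productState bitmask, `whoami /groups` for group membership, the registry Uninstall keys and the `Stormshield Endpoint Security*` / `Stormshield SSL VPN Client*` display-name patterns) are assumptions that may differ from what the real client does.

```powershell
<#
Added example, not part of Stormshield's documentation or code: evaluates, on
the workstation, the ZTNA criteria described on this page. Detection methods
marked ASSUMPTION are the example author's choices, not Stormshield's.
#>
param(
    [int]      $MinBuild      = 10000,                          # page default for Windows 10
    [int]      $MaxBuild      = 0,                              # 0 = no upper bound (empty Maximum field)
    [string[]] $HostDomains   = @('corp.example.com'),          # constructed sample policy value
    [string[]] $UserDomains   = @('CORP', 'corp.example.com'),  # constructed sample policy value
    [version]  $MinClient     = '4.0.0',                        # lowest client version the page allows
    [string]   $SesPattern    = 'Stormshield Endpoint Security*', # ASSUMPTION: SES agent display name
    [string]   $ClientPattern = 'Stormshield SSL VPN Client*'     # ASSUMPTION: client display name
)

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Criterion = $Name; Compliant = $Ok; Detail = $Detail })
}

# Installed-program lookup shared by the SES and SSL VPN client checks.
# ASSUMPTION: both products register under the standard Uninstall keys.
function Get-InstalledProduct([string]$Pattern) {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern } | Select-Object -First 1
}

# 1. Antivirus enabled and up to date, as registered with the Windows Security Center.
#    ASSUMPTION (common but undocumented decoding of productState):
#    bit 0x1000 set = real-time protection on, bit 0x10 set = signatures out of date.
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
$avOk = $false; $avDetail = 'no product registered with the Security Center'
foreach ($p in $av) {
    $enabled  = ($p.productState -band 0x1000) -ne 0
    $upToDate = ($p.productState -band 0x10)   -eq 0
    $avDetail = '{0}: enabled={1} upToDate={2}' -f $p.displayName, $enabled, $upToDate
    if ($enabled -and $upToDate) { $avOk = $true; break }
}
Add-Check 'Antivirus enabled and up to date' $avOk $avDetail

# 2. Windows firewall service running and the domain, private and public profiles all enabled;
#    a single disabled profile makes the criterion non-compliant.
$svc = Get-Service mpssvc -ErrorAction SilentlyContinue
$disabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object Name)
$fwOk = ($svc.Status -eq 'Running') -and ($disabled.Count -eq 0)
Add-Check 'Active firewall (all three profiles)' $fwOk ('service={0}; disabled profiles: {1}' -f $svc.Status, ($disabled -join ','))

# 3. SES agent installed. The page states that its configuration and status are not evaluated.
$ses = Get-InstalledProduct $SesPattern
Add-Check 'SES installed' ($null -ne $ses) $(if ($ses) { $ses.DisplayName } else { 'not found' })

# 4. User must not hold administrator privileges. The filtered (non-elevated) UAC token still
#    lists BUILTIN\Administrators (S-1-5-32-544) as "used for deny only", so whoami /groups
#    reflects membership rather than current elevation. ASSUMPTION: membership is what counts.
$isAdmin = (whoami /groups /fo csv | ConvertFrom-Csv).SID -contains 'S-1-5-32-544'
Add-Check 'No administrator privileges' (-not $isAdmin) ('member of Administrators: {0}' -f $isAdmin)

# 5. Windows build number inside the allowed range (an empty Maximum means "any build >= minimum").
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$buildOk = ($build -ge $MinBuild) -and ($MaxBuild -eq 0 -or $build -le $MaxBuild)
Add-Check 'Windows build in range' $buildOk ('build {0}, allowed {1}..{2}' -f $build, $MinBuild, $(if ($MaxBuild) { $MaxBuild } else { 'any' }))

# 6. Host joined to one of the listed Active Directory domains (-contains is case-insensitive).
$cs = Get-CimInstance Win32_ComputerSystem
$hostOk = $cs.PartOfDomain -and ($HostDomains -contains $cs.Domain)
Add-Check 'Host connected to a domain' $hostOk ('joined={0} domain={1}' -f $cs.PartOfDomain, $cs.Domain)

# 7. User account belongs to one of the listed domains. A local account carries the computer
#    name as its domain part, so it fails even on a domain-joined host, as the page says.
$userDomain = [Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[0]
$userOk = ($userDomain -ne $env:COMPUTERNAME) -and
          (($UserDomains -contains $userDomain) -or ($UserDomains -contains $env:USERDNSDOMAIN))
Add-Check 'User connected to a domain' $userOk ('user domain={0}' -f $userDomain)

# 8. Stormshield SSL VPN client version at or above the minimum.
$client = Get-InstalledProduct $ClientPattern
$clientOk = [bool]($client -and ([version]$client.DisplayVersion -ge $MinClient))
Add-Check 'SSL VPN client version' $clientOk $(if ($client) { $client.DisplayVersion } else { 'not found' })

$checks | Format-Table -AutoSize
if ($checks.Compliant -contains $false) { Write-Warning 'Tunnel would be denied by the ZTNA policy.'; exit 1 }
'Workstation satisfies every selected criterion.'
```

Run it as the user who will open the tunnel, since the administrator and user-domain checks depend on that account's token; run it non-elevated if you want to confirm that group membership, not elevation, is what the privilege check reports. Disable in the script any criterion your policy does not select, and treat a mismatch between this pre-check and the client's actual decision as a sign that one of the labelled assumptions does not hold for your deployment.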

Customized message

If the SSL VPN tunnel setup process fails due to the non-compliance of the workstation or user, the Stormshield SSL VPN client will display the message "The connection was denied as the user or workstation used does not comply with the policy defined on the firewall", followed by an additional message in English, French and German.

In the text entry section, you can:

  • Edit the additional message to customize it. As there is no automatic translation, you will need to translate the customized message into the other languages yourself,
  • Delete the content if you do not wish to display an additional message.

You can reset the additional message by clicking on Go back to messages suggested by default.