SSL VPN

SSL VPN allows remote users to securely access a company's resources - internal or otherwise - via the SNS firewall. An SSL VPN client must be installed on the user’s workstation or mobile device before a VPN tunnel can be set up with the SNS firewall.

Stormshield's SSL VPN client (SN SSL VPN Client) has a connection mode that allows it to automatically and securely retrieve its VPN configuration, unlike OpenVPN Connect, on which the VPN configuration must be manually integrated.

To set up SSL VPN tunnels, the following modules must be configured in addition to the SSL VPN module: Authentication, Access privileges and Filter - NAT. For more information, refer to the technical note Configuring and using the SSL VPN on SNS firewalls.

The SSL VPN module consists of several sections.


Enables or disables the SSL VPN on the SNS firewall.

Network settings section

UTM IP address (or FQDN) used

Indicate the IP address that users must use to reach the firewall to set up SSL VPN tunnels.

  • If you enter an IP address, it must be public, and therefore accessible over the Internet,

  • If you enter an FQDN (e.g., ssl.company.tld), it must be declared on the DNS servers that the client device uses when it is outside the corporate network. If you have a dynamic public IP address, you can use the services of a provider such as DynDNS or No-IP. In this case, configure this FQDN for the firewall in the Dynamic DNS module.

Available networks or hosts

Select the object representing the networks or hosts that will be reached through the VPN tunnel. This object makes it possible to automatically set on the client device the routes needed to reach resources that can be accessed via the VPN.

Filter rules (in the Filter - NAT module) will be necessary to more granularly allow or prohibit traffic between remote clients and internal resources.

Network assigned to clients (UDP)


Network assigned to clients (TCP)

Select the object corresponding to the network that will be assigned to VPN clients. The network mask must not be smaller than /28. You can assign one network to VPN clients in UDP and another network to VPN clients in TCP, but the two networks must be different. The VPN client will always try the UDP network first to ensure better performance.

Choosing the network or sub-networks:

  • Choose a network dedicated to SSL VPN clients that does not belong to any existing internal network and is not declared by a static route on the firewall. Since the interface used for the SSL VPN is protected, the firewall would otherwise detect an IP spoofing attempt and block the corresponding traffic,

  • Choose seldom-used sub-networks (e.g., 10.60.77.0/24) to prevent routing conflicts on client devices during the connection to the VPN. Many filtered Internet access networks (public Wi-Fi, hotels, etc.) and private local networks already use the first few reserved address ranges.

Maximum number of simultaneous tunnels allowed

The maximum number of simultaneous tunnels allowed appears automatically. This corresponds to the minimum value between the maximum number of tunnels allowed on the SNS firewall and the number of sub-networks available for VPN clients. The number of sub-networks is the number of IP addresses in the client network divided by four, minus 2: an SSL VPN tunnel consumes four IP addresses, and the server reserves two sub-networks for its own use.
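The capacity formula and the network-selection rules above, carried through in code. This is an added example, not Stormshield code: the firewall's own tunnel limit is passed in as a hypothetical parameter, and the list of "commonly used" LAN ranges is an illustrative assumption, not a list from the page.

```python
# Added example (not Stormshield code): capacity and sanity checks for the
# UDP / TCP client networks of the SSL VPN module, following the rules above.
import ipaddress

MIN_PREFIX = 28  # the network mask must not be smaller than /28
# Assumption for illustration: "first" private sub-networks that hotel and
# public Wi-Fi networks commonly hand out, which a client network should avoid.
COMMON_LAN_RANGES = [ipaddress.ip_network(n) for n in
                     ("192.168.0.0/24", "192.168.1.0/24",
                      "10.0.0.0/24", "172.16.0.0/24")]


def max_tunnels_for_network(network: str) -> int:
    """(addresses / 4) - 2: a tunnel consumes four IP addresses (one /30) and
    the server keeps two of those sub-networks for its own use."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen > MIN_PREFIX:
        raise ValueError(f"{net} is smaller than /{MIN_PREFIX}")
    return net.num_addresses // 4 - 2


def max_simultaneous_tunnels(network: str, firewall_max_tunnels: int) -> int:
    """Value the GUI displays: the minimum of the firewall's tunnel limit
    (hypothetical parameter here) and the sub-networks the client network offers."""
    return min(firewall_max_tunnels, max_tunnels_for_network(network))


def check_client_networks(udp_net: str, tcp_net: str, internal_nets) -> list:
    """Return human-readable problems with the chosen UDP / TCP client networks."""
    udp = ipaddress.ip_network(udp_net)
    tcp = ipaddress.ip_network(tcp_net)
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    problems = []
    if udp == tcp:
        problems.append("UDP and TCP client networks must be different")
    elif udp.overlaps(tcp):
        problems.append(f"UDP {udp} and TCP {tcp} client networks overlap")
    for label, net in (("UDP", udp), ("TCP", tcp)):
        for other in internal:
            # A client network that overlaps an internal or statically routed
            # network is treated as IP spoofing on the protected interface.
            if net.overlaps(other):
                problems.append(f"{label} network {net} overlaps internal {other}")
        if any(net.overlaps(c) for c in COMMON_LAN_RANGES):
            problems.append(f"{label} network {net} is a commonly used LAN range")
    return problems


if __name__ == "__main__":
    print(max_simultaneous_tunnels("10.60.77.0/24", firewall_max_tunnels=100))
    print(check_client_networks("10.60.77.0/24", "10.60.78.0/24", ["192.168.1.0/24"]))
```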

DNS settings sent to client section

Domain name

Enter the domain name assigned to the SSL VPN clients so that they can resolve their host names.

Primary DNS server

Select the object representing the DNS server to be assigned.

Secondary DNS server

Select the object representing the DNS server to be assigned.

Advanced properties section

UTM IP address for the SSL VPN (UDP)

The SSL VPN service listens on all of the SNS firewall's IP addresses by default. You can select the object representing the IP address used for setting up SSL VPN tunnels (UDP), especially when:

  • The IP address used for setting up the SSL VPN tunnels (UDP) is not the main IP address of the external interface.

  • The IP address used for setting up the SSL VPN tunnels (UDP) belongs to an external interface that is not linked to the default gateway of the firewall.

Port (UDP)


Port (TCP)

The UDP and TCP listening ports of the SSL VPN service can be changed. Some ports are reserved for the SNS firewall’s internal use only and cannot be selected. If you change any of the default ports, the SSL VPN could become inaccessible from networks (hotels or public Wi-Fi) on which Internet access is filtered.

Port 443 is the only port below 1024 that can be used.

Interval before key renegotiation (in seconds)

You can change the length of time after which the keys used by the encryption algorithms will be renegotiated. The default value is 4 hours (14400 seconds). This operation is transparent for the user - the active tunnel will not be disrupted during renegotiation.

Use DNS servers provided by the firewall

If this option is selected, the SSL VPN client will include the DNS servers retrieved via the SSL VPN in the workstation's (Windows only) network configuration. If DNS servers are already defined on the workstation, they may be queried.

Prohibit use of third-party DNS servers

If this option is selected, the SSL VPN client will exclude DNS servers already defined in the workstation's (Windows only) configuration. Only DNS servers sent by the SNS firewall can be queried.

Scripts to run on the client

Stormshield Network SSL VPN Client can run .bat scripts on Windows workstations when it connects to and disconnects from the SNS firewall. In such scripts you can use Windows environment variables (%USERDOMAIN%, %SystemRoot%, etc.), as well as two variables specific to the SSL VPN tunnel:

  • %NS_USERNAME% represents the user name used for authentication,

  • %NS_ADDRESS% represents the IP address assigned to the SSL VPN client.

Script to run when connecting

Select a script that the VPN client will run when the VPN tunnel is opened. Example of a script that makes it possible to connect the Z: network drive to the shared network:

NET USE Z: \\myserver\myshare

Script to run when disconnecting

Select a script that the VPN client will run when the VPN tunnel is closed. Example of a script that makes it possible to disconnect the Z: network drive from a shared network:

NET USE Z: /delete

Used certificates

Select the certificates that the SNS firewall’s SSL VPN service and the SSL VPN client must present to set up a tunnel. The default suggestions are the certification authority dedicated to the SSL VPN, and a server certificate and a client certificate created when the firewall was initialized.

If you use your own certification authority, you must create a client identity and a server identity. If this CA is not the root authority, both peer certificates have to be issued from the same sub-authority.

Server certificate

Select the desired certificate. The icon indicates certificates with a TPM-protected private key. For more information on the TPM, see the section Trusted Platform Module.

Client certificate

Select the desired certificate. Client certificates with a TPM-protected private key cannot be selected, as the private keys of such certificates must be available in plaintext (unencrypted) in the VPN configuration that is distributed to VPN clients.

Configuration

Export the configuration file

Click on this button to export the SSL VPN configuration in .ovpn format.