Client workstation verification (ZTNA) tab

A policy can be set up to verify the compliance of client workstations (ZTNA) that set up SSL VPN tunnels with the SNS firewall. With this verification, workstations or users that do not comply with the criteria in the policy will not be able to set up SSL VPN tunnels with the SNS firewall.

This use case requires the Stormshield SSL VPN client in version 4.0 or higher on each workstation in the corporate network.

Stormshield SSL VPN client version

Select the checkbox to enable the section in which the required versions are configured.

Allow a version range (at least v4.0.0)

Select this option if you have a varied pool of Stormshield SSL VPN clients, and wish to allow several versions of the client to set up tunnels with the firewall.

You must then enter the Lowest version of Stormshield SSL VPN clients that are allowed to set up tunnels. You can enter the Highest version or leave this field empty to allow all versions equal to or higher than the lowest specified version.

Allow only one version

Select this option to exclusively allow one Stormshield SSL VPN client version. You must then enter the exact version of Stormshield SSL VPN clients that are allowed to set up tunnels.

Allow tunnels to be set up for the following additional clients

Stormshield SSL VPN clients for (Linux or macOS)

Select the option if you have client workstations with a Linux or macOS Stormshield SSL VPN client (available soon). By doing so, Windows-specific criteria will not be applied to these workstations, and you will not need to adapt your criteria to them.

SSL VPN clients incompatible with ZTNA

Select the checkbox to enable permissive mode, which allows SSL VPN clients that are incompatible with the client workstation verification feature to set up tunnels with the SNS firewall. With this permissive mode, it is possible to:

  • Progressively update a pool of Stormshield SSL VPN clients to a compatible version,
  • Continue using third-party SSL VPN clients.
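
To preview which workstations a planned version criterion would lock out before it is enabled, the following added example (not Stormshield code and not part of the original documentation) models the version range, single version and permissive mode settings described above over a constructed inventory. Assumptions: the highest version is inclusive, and permissive mode does not exempt ZTNA-compatible clients (v4.0 or higher) from the version criteria; the inventory format and all names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

ZTNA_MIN = (4, 0, 0)  # page: verification needs Stormshield client v4.0 or higher

def parse(version: str) -> tuple:
    """'v4.10' -> (4, 10, 0). Compare numerically: as strings '4.10.0' < '4.9.9'."""
    parts = [int(p) for p in version.strip().lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

@dataclass
class Policy:  # hypothetical model of the tab's settings
    lowest: str = "4.0.0"           # mandatory in range mode
    highest: Optional[str] = None   # empty field: no upper bound
    exact: Optional[str] = None     # set for "Allow only one version"
    permissive: bool = False        # "SSL VPN clients incompatible with ZTNA"

def verdict(policy: Policy, client: str, version: Optional[str]) -> str:
    # Third-party clients and Stormshield clients below v4.0 cannot be verified.
    if client != "stormshield" or version is None or parse(version) < ZTNA_MIN:
        return "allow (permissive)" if policy.permissive else "deny (incompatible)"
    v = parse(version)
    if policy.exact is not None:
        ok = v == parse(policy.exact)
    else:
        # Lower bound inclusive per the page; inclusive upper bound is an assumption.
        ok = parse(policy.lowest) <= v and (
            policy.highest is None or v <= parse(policy.highest))
    return "allow" if ok else "deny (version)"

def audit(policy: Policy, inventory) -> dict:
    """Map each host to the verdict it would get under the policy."""
    return {host: verdict(policy, client, ver) for host, client, ver in inventory}

# Constructed inventory: (host, client, reported version)
INVENTORY = [
    ("ws-01", "stormshield", "4.0.2"),
    ("ws-02", "stormshield", "4.10.0"),
    ("ws-03", "stormshield", "3.2.1"),
    ("ws-04", "third-party", None),
    ("ws-05", "stormshield", "4.9.0"),
]

if __name__ == "__main__":
    for name, pol in [("strict", Policy("4.0.2", "4.9.9")),
                      ("permissive", Policy("4.0.2", "4.9.9", permissive=True))]:
        for host, result in audit(pol, INVENTORY).items():
            print(f"{name:10} {host}  {result}")
```

Running the audit with and without permissive mode shows which hosts depend on that mode to connect, which is the list to work through before switching it off.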

Customized message for incompatible workstations

If an SSL VPN tunnel fails to set up because the workstation or user is non-compliant, the Stormshield SSL VPN Client displays the default message "For more information, please contact support" in English, French and German.

In the text entry section, you can change the message, or delete it if you do not wish to display an additional message. Note that no automatic translation mechanism has been set up: you will need to have the message translated by your own means.

You can reset the additional message that you have written by clicking on Go back to messages suggested by default.