SSL VPN

SSL VPN enables remote users to securely access internal corporate resources over communications encrypted in SSL. To use SSL VPN, an SSL VPN client must be installed on the workstation or on any type of mobile terminal (Windows, iOS, Android, etc.).

SSL VPN tunnels may be based on UDP or TCP protocols. Whenever a UDP-based tunnel fails, the connection will switch to TCP.

If the provided VPN client is used, only the IP address of the firewall and its authentication information (login/password) will be needed for the connection. If an OpenVPN client is used, the client must retrieve configuration details from the authentication portal (“Personal data” menu) before inserting them into the client.

In addition to the settings in this module, the Authentication section must define the method and allow the user in its policy. Filter rules must also specify ‘Via SSL VPN tunnel’ as the source (advanced properties) to allow traffic.

For further information, refer to the Technical note SSL VPN tunnels available in your secure-access area.

This module consists of a single configuration screen split up into four sections:

  • Enable the service
  • Network settings: this area contains the elements that can be used in the configuration of the SSL VPN server, networks or contactable hosts, as well as the network assigned to clients.
  • DNS settings sent to client: this area contains the DNS configuration elements that will be sent to the client.
  • Advanced properties: in this area, you can customize the lifetime before SSL renegotiation, define scripts to execute when the client is connected/disconnected, and select client and server certificates to set up the SSL tunnel.

Enable the service

This button makes it possible to enable or disable the SSL VPN server on the firewall.

Network settings

UTM IP address (or FQDN) used Indicate the public IP address of the IPS-Firewall (or an FQDN associated with this address, e.g., sslserver.company.com) through which clients will be able to contact the SSL VPN server.
Available networks or hosts Indicate which network and hosts will be visible to clients. All packets from the client going towards these networks will go through the SSL tunnel.
This object can either be a network, machine or group object containing several networks and/or hosts, and can be created directly from this window by clicking on .
The value of this field is Network_internals by default, which makes it possible to connect with all networks protected by the firewall.

NOTE
This is only a network routing concept. Filter rules must be created to allow or block traffic between the remote client network and internal resources.

Network assigned to clients (UDP) Select a network object, except IP address range or Group objects, which are not accepted. Each client that sets up a UDP-based tunnel will be assigned an IP address belonging to this network.
This network must be different from the one assigned to the clients of TCP-based tunnels.
The object can be created directly from this window by clicking on .

Warning
To prevent routing conflicts on client workstations during the connection to the SSL VPN, select less commonly used sub-networks for your clients (e.g., 10.60.77.0/24, 192.168.38.0/24, etc.). Many filtered Internet access networks (public Wi-Fi, hotels, etc.) or private local networks use the first few address ranges reserved for these uses (e.g., 10.0.0.0/24, 192.168.0.0/24).

Network assigned to clients Select a network object, except IP address range or Group objects, which are not accepted. Each client that sets up a TCP-based tunnel will be assigned an IP address belonging to this network.
This network must be different from the one assigned to the clients of UDP-based tunnels.
The object can be created directly from this window by clicking on .

Warning
To prevent routing conflicts on client workstations during the connection to the SSL VPN, select less commonly used sub-networks for your clients (e.g., 10.60.77.0/24, 192.168.38.0/24, etc.). Many filtered Internet access networks (public Wi-Fi, hotels, etc.) or private local networks use the first few address ranges reserved for these uses (e.g., 10.0.0.0/24, 192.168.0.0/24).

Maximum number of simultaneous tunnels allowed Depending on the size of the network chosen for clients and the model of the firewall, the number of tunnels that can be set up simultaneously will be indicated.
This number corresponds to the lowest of the two following values:
  • A quarter of the number of IP addresses included in the selected client network (e.g., 63 for a Class C network). Each SSL tunnel takes up four IP addresses.
  • The maximum number of tunnels allowed on the IPS-Firewall used.

DNS settings sent to client

Domain name Domain name assigned to clients so that they can resolve host names through DNS.
Primary DNS server Primary DNS server assigned to the client.
Secondary DNS server Secondary DNS server assigned to the client.

Advanced properties

UTM IP address for the SSL VPN (UDP) You can specify the public IP address on the IPS-Firewall through which clients will be able to contact the SSL VPN server over UDP.
Fill in this field in the following cases:
  • When the address entered in the “Firewall address” field is an IP address that is not linked to the firewall's default gateway.
  • When the address entered in the “Firewall address” field is an IP address assigned to the firewall as an alias (additional IP address on an interface).
Port (UDP) Select or create the object corresponding to the UDP port that will be used to set up tunnels.
Port (TCP) Select or create the object corresponding to the TCP port that will be used to set up tunnels. This port will also be used as a backup mechanism if tunnels cannot be set up via UDP.
Interval before key renegotiation (in seconds) Period after which keys will be renegotiated. The default value is 14400 seconds, or 4 hours.
Use DNS servers provided by the firewall If this option is selected, the SSL VPN client will include the DNS servers retrieved via the SSL VPN in the workstation's network configuration. If DNS servers are already defined on the workstation, they may be queried.
Prohibit use of third-party DNS servers If this option is selected, the SSL VPN client will exclude DNS servers already defined in the workstation's configuration. Only DNS servers sent by the firewall can be queried.
These DNS servers must be contactable through an SSL VPN tunnel.
Script to run when connecting Select a script that the client will execute locally when connecting to the SSL tunnel (e.g., connecting a disk to a remote shared network).
Script to run when disconnecting Select a script that the client will execute locally when it disconnects from the SSL tunnel (e.g., disconnecting a disk from a remote shared network).
NOTE
  • Only client hosts running under Windows and with the Stormshield Network client can use the executable script service. The format of files must be “.bat”.
  • All Windows environment variables can be used in connection/disconnection scripts (e.g., %USERDOMAIN%, %SystemRoot%, etc.).

Two environment variables relating to the SSL VPN tunnel can also be used:

  • %NS_USERNAME%: the user name used for authentication,
  • %NS_ADDRESS%: the IP address assigned to the client.
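The following pair of connection/disconnection scripts is an added example and not part of the Stormshield documentation. It shows how the two tunnel variables above, together with a standard Windows variable, can be used in “.bat” scripts: the connection script checks that the variables were actually set by the client, writes a local audit line, and maps a drive to a share that is only reachable through the tunnel; the disconnection script releases the mapping and logs the event. The file names, the log path under %SystemRoot%\Temp, and the server name fileserver.company.local and share name are assumptions chosen for the example.

```batch
:: ---- ns_connect.bat (constructed example; select it as "Script to run when connecting") ----
@echo off
setlocal

:: Refuse to run if the Stormshield client did not provide the tunnel variables.
if "%NS_USERNAME%"=="" (
    echo NS_USERNAME is not set: not launched by the SSL VPN client 1>&2
    exit /b 1
)
if "%NS_ADDRESS%"=="" (
    echo NS_ADDRESS is not set: not launched by the SSL VPN client 1>&2
    exit /b 1
)

:: Local audit trail of tunnel events (log path is an assumption).
set "LOGFILE=%SystemRoot%\Temp\sslvpn_events.log"
echo %DATE% %TIME% CONNECT user=%NS_USERNAME% tunnel_ip=%NS_ADDRESS% domain=%USERDOMAIN% >> "%LOGFILE%"

:: Map a drive to a share that is reachable only through the SSL tunnel
:: (server and share names are assumptions). /persistent:no ensures the
:: mapping is not restored at the next logon when no tunnel exists.
net use Z: \\fileserver.company.local\projects /persistent:no
if errorlevel 1 (
    echo %DATE% %TIME% CONNECT drive mapping failed for user=%NS_USERNAME% >> "%LOGFILE%"
    exit /b 1
)

endlocal
exit /b 0

:: ---- ns_disconnect.bat (constructed example; select it as "Script to run when disconnecting") ----
@echo off
setlocal

set "LOGFILE=%SystemRoot%\Temp\sslvpn_events.log"

:: Release the mapping before the route through the tunnel disappears;
:: /y answers the confirmation prompt if files are still open.
net use Z: /delete /y

echo %DATE% %TIME% DISCONNECT user=%NS_USERNAME% tunnel_ip=%NS_ADDRESS% >> "%LOGFILE%"

endlocal
exit /b 0
```

Both scripts run on the client workstation with the privileges of the logged-in Windows user, so the share must grant access to that user (or to the domain account the user authenticated with), and the log file location must be writable by that user. Keeping the audit line in a local file gives a workstation-side record that can be correlated with the firewall's own SSL VPN logs by user name and assigned tunnel address.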

Used certificates

Server certificate Select the certificate submitted by the server to set up the SSL tunnel.
By default, the server certificate suggested is the one created during the initialization of the firewall. It is issued by the CA dedicated to the default SSL VPN.
Client certificate Select the certificate submitted by the client to set up the SSL tunnel.
By default, the client certificate suggested is the one created during the initialization of the firewall. It is issued by the CA dedicated to the default SSL VPN.
This certificate is the same for all clients: it authenticates the client software during SSL tunnel set-up, not the individual user. Users are then authenticated (login/password) once the SSL connection has been established.

Warning
If you choose to create your own CA, you must use two certificates signed by it. If this CA is not a root authority, both certificates must be issued by the same sub-authority.

Configuration

Download the configuration file Click on this button to obtain an archive containing the SSL VPN server's configuration file.