Ssl Vpn; General Configuration - Stormshield SN series Configuration Manual

SSL VPN

SSL VPN enables remote users to safely access internal corporate resources using communications encrypted in SSL. The use of SSL VPN requires an SSL VPN client to be installed on the workstation or on any type of mobile terminal (Windows, iOS, Android, etc.).

If the VPN client that has been provided is used, only the IP address of the firewall and the authentication information (login/password) will be needed for the connection. If an OpenVPN client is used, the configuration details must first be retrieved from the authentication portal ("Personal data" menu) and then inserted into the client.

In addition to the settings in this module, the Authentication section must define the authentication method, and its policy must allow the user. A filter rule must also specify 'Via SSL VPN tunnel' as the source (advanced configuration) in order to authorize traffic.

For further information, please refer to the Technical note SSL VPN tunnels available in your secure-access area.
This module consists of a single configuration screen split up into 4 zones:

- Enable SSL VPN
- Network settings: this zone contains elements for configuring the SSL VPN server, networks or contactable hosts, as well as the network assigned to clients.
- DNS settings sent to client: this zone contains the DNS configuration elements that will be sent to the client.
- Advanced configuration: an area for customizing the lifetime before SSL renegotiation, defining scripts to be executed where necessary when logging on to/off from the client and selecting client and server certificates for setting up the SSL tunnel.
Enable SSL VPN

When this option is selected, the integrated SSL VPN server will be enabled.

General configuration

UTM IP address (or FQDN) used: Indicate the public IP address of the IPS-Firewall (or an FQDN associated with this address. Example: sslserver.company.com) through which clients will be able to contact the SSL VPN server.

Network assigned to clients: Select a "network" object ("IP address range" or "Group" objects are not accepted). Each client that logs on via SSL VPN will be assigned an IP address belonging to this network. The object can be created directly in this window by clicking on the icon

IMPORTANT
In order to prevent routing conflicts on client workstations during the connection to the SSL VPN, select for your clients sub-networks that are less commonly used instead (example: 10.60.77.0/24, 172.168.38.0/24, etc.). Many filtered internet access networks (public Wi-Fi, hotels, etc.) or private local networks precisely use the first few address ranges reserved for these uses (example: 10.0.0.0/24, 192.168.0.0/24).

REMARK
Address ranges are not supported.
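The subnet advice above can be checked before the network object is created; the following is an added example, not part of the Stormshield manual. The function name `check_client_network`, the `extra_in_use` parameter and the last two entries of `COMMON_LANS` are assumptions made for this sketch.

```python
import ipaddress

# RFC 1918 private IPv4 blocks.
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Networks often met on the client side (public Wi-Fi, hotels, home LANs).
# The first two are the manual's own examples; the last two are assumptions.
COMMON_LANS = [ipaddress.IPv4Network(n) for n in
               ("10.0.0.0/24", "192.168.0.0/24",
                "192.168.1.0/24", "172.16.0.0/24")]


def check_client_network(candidate, extra_in_use=()):
    """Return a list of problems with a candidate SSL VPN client network.

    An empty list means no problem was found. `extra_in_use` lists networks
    already routed internally, which the client network must not overlap.
    """
    try:
        # strict parsing rejects host bits set in the prefix; a range such as
        # "10.60.77.1-10.60.77.50" is not a network and fails here as well.
        net = ipaddress.IPv4Network(candidate)
    except ValueError as exc:
        return [f"not a network object: {exc}"]

    problems = []
    if not any(net.subnet_of(block) for block in RFC1918):
        # Publicly routable space would shadow real internet destinations
        # on the client while the tunnel is up.
        problems.append("outside RFC 1918 private space")

    in_use = COMMON_LANS + [ipaddress.IPv4Network(n) for n in extra_in_use]
    for lan in in_use:
        if net.overlaps(lan):
            problems.append(f"overlaps {lan}")
    return problems


if __name__ == "__main__":
    for cand in ("10.60.77.0/24", "172.168.38.0/24", "192.168.0.0/24",
                 "10.60.77.1-10.60.77.50"):
        print(cand, "->", check_client_network(cand) or "ok")
```

Run against the manual's own suggestions, 10.60.77.0/24 passes, while 172.168.38.0/24 is reported as outside RFC 1918 private space, because 172.16.0.0/12 ends at 172.31.255.255.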
SNS - USER CONFIGURATION MANUAL V.3
sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016