SN 160
ADMINISTRATOR’S GUIDE
Version 7
Table of contents

1. Getting started
2. Installation
   2.1 Introduction
      2.1.1 Installation conditions
      2.1.2 Digital signature and version
   2.2 Installation procedure
   2.3 Canceling installation
   2.4 Trial period
   2.5 Configuring Windows
3. Activation
   3.1 Step 1
   3.2 Step 2
   3.3 Activation errors
   3.4 Manual activation
   3.5 License and activated software
4. Updates
   4.1 How to get an update
   4.2 Update procedure
   4.3 Updating the VPN configuration
   4.4 Automation
5. Uninstalling the software
6. Getting started with the software
   6.1 Introduction
   6.2 Starting the software
   6.3 Configuring a VPN tunnel
   6.4 Automating the opening of a VPN tunnel
   6.5 Opening a VPN tunnel from the TrustedConnect Panel
7. Configuration Wizard
   7.1 Step 1
   7.2 Step 2
      7.2.1 Configuring an IPsec/IKEv2 tunnel
      7.2.2 For an SSL tunnel (OpenVPN)
   7.3 Step 3
8. Connection Panel
9. Configuration Panel
   9.1 Menus
   9.2 Status bar
   9.3 Shortcuts
   9.4 VPN tunnel tree
      9.4.1 Usage
      9.4.2 Contextual menus
      9.4.3 Shortcuts
10. TrustedConnect Panel
   10.1 Introduction
   10.2 Interface
   10.3 Taskbar icon and color codes
   10.4 Contextual menu
   10.5 Usage
      10.5.1 Workstation connected to corporate network
      10.5.2 Workstation not connected to corporate network
   10.6 Error cases
   10.7 Generating logs
   10.8 Selecting the language
   10.9 Current limitations
11. "About…" window
12. Importing and exporting the VPN configuration
   12.1 Importing a VPN configuration
   12.2 Exporting a VPN configuration
   12.3 Merging VPN configurations
   12.4 Splitting a VPN configuration
13. Configuring a VPN tunnel
   13.1 SSL or IPsec IKEv2 VPN
   13.2 Editing and saving a VPN configuration
   13.3 Configuring an IPsec IKEv2 tunnel
      13.3.1 IKE Auth: IKE SA
      13.3.2 IKE Auth: Protocol
      13.3.3 IKE Auth: Gateway
      13.3.4 IKE Auth: Certificate
      13.3.5 Child SA: Overview
      13.3.6 Child SA: Child SA
      13.3.7 Child SA: Advanced
      13.3.8 Child SA: Automation
      13.3.9 Child SA: Remote sharing
   13.4 Configuring an SSL/OpenVPN tunnel
      13.4.1 Introduction
      13.4.2 Main
      13.4.3 Security
      13.4.4 Gateway
      13.4.5 Establishment
      13.4.6 Automation
      13.4.7 Certificate
      13.4.8 Remote sharing
1. Getting started
Welcome to the SN VPN Client Exclusive 7.00.115 administrator's guide.
This guide is intended for SN VPN Client Exclusive administrators. It contains all the information
required to implement and configure the software so that secure VPN tunnels can be opened.
In this document, Stormshield Network VPN Client Exclusive is referred to in its short form
SN VPN Client Exclusive. Some of the images used in this document are from the partner
vendor's (TheGreenBow) software program. In your program SN VPN Client Exclusive, the
graphics may vary but user experience is exactly the same.
2. Installation
2.1 Introduction
SN VPN Client Exclusive is installed by executing the program that can be downloaded from
MyStormshield.
The default installation procedure, run by double-clicking the icon of the downloaded program,
opens a window that allows you to customize the installation.
The installation of the software can be customized using a set of command-line options and
VPN configuration files.
Refer to section Installation procedure.
Users can check the version number of SN VPN Client Exclusive in the About… window of the
software.
IMPORTANT
You can only update the software if your subscription is still valid (see section How to get an
update).
NOTE
If you want to perform a silent installation, pass specific parameters during installation or
perform a large-scale deployment, refer to the "Deployment Guide".
1. Double-click the installation program you downloaded. The following window is displayed:
3. Read the End User License Agreement (EULA) carefully. If you accept all the terms of the
agreement, select the I accept the terms of the license agreement checkbox, and then click
Next. Otherwise, you will not be able to continue installing SN VPN Client Exclusive. The
following window is displayed:
4. Carefully read the information about what’s new and the note about how the existing VPN
configuration will be converted during an update.
IMPORTANT
Once the installation is complete, you will not be able to revert to an earlier version of
the software without manual intervention. If in doubt, back up your VPN configuration
to a separate folder or to a removable storage medium.
If you accept all the terms of the agreement, select the I accept the new changes checkbox,
and then click Next. The following window is displayed:
5. If you want to install SN VPN Client Exclusive in a specific directory, click Change… and
select the desired directory. Otherwise, you can keep the default directory. Then, click on
Next. The following window is displayed:
6. The program is ready to install. If you want to go back to check or change your installation
settings, click Back. Otherwise, click Install. If you are installing from an account that does
not have administrator rights, the following window is displayed:
7. To proceed with the installation, you must enter an administrator name and password to
allow the installation program to make changes to your computer. Otherwise, the software
will not be installed.
If you are installing from an administrator account, you do not need to enter a password.
Simply confirm that you allow the app to make changes to your device.
9. Wait for the installation of SN VPN Client Exclusive, including all its components, to
complete. If installation has succeeded, the following window is displayed:
10. If you do not want to launch SN VPN Client Exclusive immediately, uncheck the
corresponding box. To exit the setup wizard, click Finish.
If you have performed an update, the software is launched directly in the taskbar. You can
test your installation by opening the test tunnel (see section Getting started with the
software).
Otherwise, the activation screen is displayed:
- For a comprehensive explanation of all VPN tunnel configuration options, refer to chapter
  Configuring a VPN tunnel.
- To uninstall SN VPN Client Exclusive, refer to chapter Uninstalling the software.
Your system has not been modified and you can resume installation at a later time.
Select I want to evaluate the software, then click on Next > to run the software.
During the trial period, the About… window will display the number of days remaining until the
trial ends.
During the trial period, the activation window can be accessed at any time using the ? >
Activation Wizard menu item in the main interface (Configuration Panel).
3. Activation
If the software has not been activated during its silent installation (refer to the “Deployment
Guide”), the VPN Client must be activated to continue to work beyond the trial period.
The activation procedure can be accessed every time the software is launched or using the ? >
Activation Wizard menu item in the main interface.
3.1 Step 1
In the License number field, enter the license number you received by email.
The license number can be copy-pasted directly from the purchase confirmation email into this
field.
The license number consists of the characters [0..9] and [A..F], possibly grouped 6 by 6 and
separated by hyphens.
In the Activation email field, enter the email address used to identify your activation. This
information is used for recovering the activation information if it is lost.
NOTE
The Activation email field is filled by default with the username of the workstation on which the
software is installed (as follows: username@company.com). This allows administrators of a
“master” software license to individually identify all activated workstations. It allows them to
manage software activations and deactivations in a deterministic way.
3.2 Step 2
Click on Next >. The online activation process will run automatically.
Once the activation has been carried out successfully, click on Run to run the software.
NOTE
The software activation is linked to the workstation on which the software has been installed.
Consequently, a license number allowing a single activation cannot be reused on another
workstation once it is activated.
Conversely, a license number activation can be canceled by simply uninstalling the software.
1. prodact.dat file: Retrieve the prodact.dat file from the Documents directory in Windows on
   the workstation that you want to activate.
   The prodact.dat file is a text file that contains the workstation information used for the
   activation. If this file cannot be found in the Documents directory, carry out the software
   activation steps on the workstation. This will generate the file even if activation fails.
2. Activation: On a workstation connected to the activation server (the activation server is the
   TheGreenBow server, which can be accessed on the Internet), open the manual activation page
   (refer to the detailed procedure below), upload the prodact.dat file and retrieve the tgbcode
   file that the server automatically creates.
3. tgbcode file: Copy the tgbcode file to the Documents Windows directory on the workstation
   that you want to activate. Start the software; it will be activated.
2. Click Add a file and open the prodact.dat file created on the workstation that you want to
activate.
3. Click on Send. The activation server will check the validity of the information contained in
the prodact.dat file.
4. Click Proceed. The activation server will provide a link to download a file containing the
activation code for the workstation to be activated.
The file name has the following format: tgbcode_[date]_[code].dat (e.g. tgbcode__20210615_
1029.dat).
4. Updates
4.1 How to get an update
Software updates are provided according to the following rules:
IMPORTANT
Performing an update from a Standard edition to an Exclusive edition and vice versa is not
allowed.
In this case, you will need to uninstall the previous version of the software before you
install the new one.
You can either delete the password protecting access to the Configuration Panel, then
proceed with the update, or perform the update in the command line using the
TGBCONF_ADMINPASSWORD property (refer to the “Deployment Guide”).
NOTE
If access to the Configuration Panel is password-protected, you must enter the password during
the update to authorize configuration restoral.
4.4 Automation
The way an update is carried out can be customized by a series of command-line options or an
initialization file.
These options are described in the document entitled “Deployment Guide”.
OR
1. Open the Windows Start menu.
2. Right-click on the SN VPN Client Exclusive program, then select Uninstall.
3. The Windows Control Panel is displayed. Select SN VPN Client Exclusive from the list of
programs.
4. Click Uninstall and follow the instructions to uninstall the program.
NOTE
Administrator privileges are required to install or uninstall the program on the workstation.
  - A status bar
- The TrustedConnect Panel to use the Always-On and TND features (specific executable file)
- An icon on the taskbar and the associated menu, which is different for the TrustedConnect
  Panel and for the Connection/Configuration Panel
6.2.2 Starting the VPN Client using the shortcut on the desktop
During the installation of the software, a shortcut to run the application is created on the
Windows desktop.
SN VPN Client Exclusive can be started directly by double-clicking on this icon.
The VPN Client will start minimized and the SN VPN Client Exclusive icon will appear in the
taskbar (see paragraph entitled Taskbar icon below).
6.2.3 Starting the VPN Client using the Windows Start menu
Once the installation is complete, you can start SN VPN Client Exclusive by clicking on the
SN VPN Client Exclusive program name in the Windows Start menu.
The VPN Client will start minimized and the SN VPN Client Exclusive icon will appear in the
taskbar (see paragraph entitled Taskbar icon below).
The tooltip for the icon always shows the software status:
- VPN Tunnel opened if one or several tunnels are open
- SN VPN Client Exclusive when the VPN Client is running, but no tunnels are open
Left-clicking the icon opens the Connection Panel.
Right-clicking the VPN Client icon in the taskbar opens the contextual menu associated with the
icon:
The administrator can limit the options displayed in the menu (see section Showing options in
systray menu). The contextual menu contains the following items:
1. Connection Panel: opens the Connection Panel
2. Configuration Panel: opens the Configuration Panel (if the VPN Client has been run with
administrator privileges)
3. Console: opens the VPN traces window
4. Quit: closes all open VPN tunnels and quits the software
NOTE
If the software has not been run as administrator and the Restrict access to Configuration Panel
to administrator option has not been disabled, when the user selects the Configuration Panel
option, a message is displayed indicating that the software must be run as administrator to
access the Configuration Panel (see paragraph Running the VPN Client as administrator above).
NOTE
When the Restrict access to Configuration Panel to administrator option is disabled (see section
Restricting access to the Configuration Panel), you do not need to run the VPN Client as
administrator to be able to access the Configuration Panel.
Then, open the Configuration Wizard by selecting the Configuration > Configuration Wizard
menu item.
Use the wizard as described in chapter Configuration Wizard below.
NOTE
The TrustedConnect Panel (run using the VpnDialer.exe executable file) cannot be run at the
same time as the Configuration Panel or the Connection Panel (both run using the VpnConf.exe
executable file, the desktop shortcut, or the Start menu).
When VpnConf.exe is running and you are running VpnDialer.exe, all tunnels opened in
VpnConf.exe will be closed and VpnDialer.exe (TrustedConnect) will attempt to automatically
launch the configured tunnel.
However, when VpnDialer.exe (TrustedConnect) is running, you cannot run VpnConf.exe
immediately. You must first quit VpnDialer.exe before you can run VpnConf.exe.
7. Configuration Wizard
The Configuration Wizard is used to configure a VPN tunnel in three easy steps.
The way the Configuration Wizard works is illustrated in the example below:
- The tunnel is open between a workstation and a VPN gateway that has been assigned the
  DNS address “myrouter.dyndns.org”
- The company’s local network is 192.168.1.0 (it may, for example, include machines that
  have been assigned the IP addresses 192.168.1.3, 192.168.1.4, etc.)
- Once the tunnel is open, the remote workstation will have the following IP address on the
  company’s network: 10.10.10.10.
In the main interface, open the VPN Configuration Wizard: Configuration > Wizard….
TIP
Security recommendation: We recommend configuring IKEv2 tunnels with a certificate.
Refer to chapter Security recommendations.
7.1 Step 1
Choose the VPN protocol to be used for the tunnel: IKEv2 or SSL.
7.2 Step 2
7.3 Step 3
Review the Summary window to check whether the configuration is correct and then click
Finish.
The tunnel that has just been configured now appears in the tunnel tree of the main interface.
Double-click on the tunnel to open it or use the tabs of the main interface for further
configuration.
8. Connection Panel
The Connection Panel allows you to easily open and close the configured VPN connections:
The Connection Panel can be customized. You can select the VPN connections to be shown. You
can also rename or sort the VPN connections.
Refer to chapter Configuring the Connection Panel.
To open a VPN connection, simply click the relevant OPEN button.
The icon to the left of the connection name indicates the status of the connection:
Connection closed.
Click this icon to open the VPN configuration for this connection in the Configuration Panel.
Caution: access to the Configuration Panel may be restricted (see section Restricting access
to the Configuration Panel)
Connection being opened or closed.
Connection open. When there is traffic on this connection, the color intensity of the disk at the
center of the icon changes.
The connection experienced an incident while opening or closing. Clicking the warning icon
will open a pop-up window giving detailed or additional information about the incident.
The following keyboard shortcuts are available for the Connection Panel:
9. Configuration Panel
The Configuration Panel is the administrator’s interface for SN VPN Client Exclusive.
It is only accessible if the VPN Client has been started as Windows administrator (see
paragraph Starting the VPN Client as administrator in section Starting the software above), or for
any user if the option Restrict access to the Configuration Panel to administrator has been
unchecked (not recommended).
It includes the following items:
- A set of menus for VPN configuration and software management
- The VPN tunnel tree
- VPN tunnel configuration tabs
- A status bar
9.1 Menus
The following menus are available in the Configuration Panel:
- Configuration
  - Save
  - Import: Import a VPN configuration
  - Configuration Wizard
  - Quit: Close all open VPN tunnels and quit the software
- Tools
  - Connection Panel
  - Connections Configuration
- ?
  - Online support: Access to online support
  - Activation Wizard…
  - About…
- The “LED” on the left edge is green when all the software’s services are operational (IKE
  service)
- The text on the left shows the software status (VPN Client ready, Saving configuration,
  Applying configuration, etc.).
- When the trace mode is enabled, the text “Trace Mode is ON” is shown in the middle of the
  status bar.
- The icon, which appears to the left of this text, is a clickable icon that opens the folder
  containing the log files generated by the trace mode.
- The progress bar on the right side of the status bar shows the progress when saving a
  configuration.
9.3 Shortcuts
- Ctrl+S: Save the VPN configuration
- Ctrl+Enter: Switch to the Connection Panel
- Ctrl+D: Open the VPN Console window
- Ctrl+Alt+R: Restart the IKE service
9.4.1 Usage
The left side of the Configuration Panel is the tree structure of the VPN configuration. The tree
can contain an infinite number of tunnels.
Under the root called “VPN Configuration”, there are two levels that allow you to create the
following respectively:
- IPsec IKEv2 tunnels, specified by an IKE Auth and a Child SA, knowing that each IKE Auth
  can contain more than one Child SA
- SSL/TLS tunnels
Clicking on an IKE Auth, Child SA, or TLS will open the corresponding VPN configuration tabs on
the right-hand side of the Configuration Panel. See the following sections for further details:
1. IPsec IKEv2 tunnel
   - IKEv2 (IKE Auth): Authentication
   - IKEv2 (Child SA): IPsec
2. SSL tunnel (OpenVPN)
   - SSL: TLS
An icon is associated with each tunnel (Child SA, or TLS). This icon shows the status of the VPN
tunnel:
Tunnel is closed
Tunnel is open
You can edit and change the name of any item in the tree by clicking twice in a row on it,
without double-clicking.
If there are any unsaved changes in the VPN configuration, the modified item is shown in bold.
As soon as the tree is saved, all text formatting is removed.
NOTE
Two items in the tree cannot have the same name. The software displays a message to the user
if the name entered is already in use.
VPN Configuration
Right clicking the VPN configuration (root of the tree) displays the following contextual menu:
IKEv2, SSL
Right-clicking the IKEv2 or SSL items will display the following contextual menu, which allows
you to export, save, create, or paste an IKE Auth/SSL:
IKE Auth
Right-clicking an IKE Auth displays the following contextual menu:
Child SA or TLS
Right-clicking a Child SA or TLS displays the following contextual menu:
- Open tunnel: Displayed if the VPN tunnel is closed. Opens the selected tunnel (Child SA or
  TLS).
- Close tunnel: Displayed if the VPN tunnel is open. Closes the selected tunnel (Child SA or
  TLS).
- Export: Exports the selected Child SA/TLS.
  This function allows users to export the entire tunnel, i.e. both the Child SA and its
  associated IKE Auth, or TLS, and thus to create a fully operational, single-tunnel VPN
  configuration (which becomes immediately functional when imported).
- Copy: Copies the selected Child SA/TLS.
- Rename: Renames the selected Child SA/TLS.
  This menu item is disabled while the tunnel is open.
- Delete: Deletes the selected Child SA/TLS after confirmation by the user.
  This menu item is disabled while the tunnel is open.
9.4.3 Shortcuts
The following shortcuts are available for tree management:
10.2 Interface
When it is used for the first time, the TrustedConnect Panel is displayed in the center of the
screen.
For subsequent uses, the TrustedConnect Panel memorizes the place to which the user has
moved it.
The interface of the TrustedConnect Panel includes the following items:
- A title that identifies the name of the connection being managed
- An information message about the connection status
- A Connect button
- A message that indicates the current status of the software and displays possible error
  codes
- A help button that gives access to a document with help for the user
- An information button that displays essential information about the software
- A set of icons whose color reflects the connection status
You can minimize the TrustedConnect Panel at any time either to the taskbar, by clicking the
Minimize button in the title bar, or to the notification area, by clicking on the Close button in the
title bar.
Conversely, you can display the TrustedConnect Panel at any time by clicking the
TrustedConnect icon in the taskbar or in the notification area.
You can quit the software by right clicking the TrustedConnect icon in the notification area and
then selecting Quit.
This state means that the TrustedConnect Panel is not managing any connection on the
workstation. Generally, this state is encountered when the user explicitly requests the VPN
connection to be closed.
This state means that the workstation is directly connected to the corporate network, which is
considered as a trusted network.
This state means that the workstation is connected to the corporate network through a VPN
connection. The workstation thus is physically located on a network that is not considered as
trusted.
This state means that the VPN connection could not be established.
10.5 Usage
There are two types of use depending on whether the workstation is already connected to the
corporate network or not.
The window of the TrustedConnect Panel then automatically minimizes either to the taskbar or
to the notification area, depending on the behavior that the administrator has configured.
Refer to the “Deployment Guide”.
To display the window again, select the application in the taskbar. When connected to the
corporate network, users cannot perform any action on the connection status.
Once the connection is established, the window of the TrustedConnect Panel automatically
minimizes either to the taskbar or to the notification area, depending on the behavior that the
administrator has configured.
The connection may not be established for various reasons. The information message below
the button provides a first level of information. The various possible cases of connection failure
are detailed in the next section.
When the tunnel is mounted and the workstation is shown as being on the corporate network,
you can click inside the connection status indicator ring to stop the tunnel.
The application then switches to the state Not connected and you can click the button to
manually open the tunnel again:
Contact the network administrator to resolve the issue. The error code shown may provide some
indication or explanation as to the issue encountered. If the administrator requests the logs,
refer to the procedure described in the next section.
The list of error codes is provided in the appendix of this document (see section
TrustedConnect Panel diagnostics).
To view the logs, access the system menu and select the item Access logs. A window with the
log folder is shown with a certain number of files. You can send these files to the administrator
when you encounter any issues.
NOTE
SN VPN Client Exclusive can monitor VPN configuration file integrity (see the MSI SIGNFILE
properties in the deployment guide). In this case, a signature is generated during export and the
integrity of the file is checked during import.
When importing a VPN configuration, users are prompted to specify whether they want to add
the new VPN configuration to the current one or replace (overwrite) the current configuration
with the new one:
If the imported VPN configuration has been exported with a password protection (see section
Exporting a VPN configuration below), users will have to provide the password.
If the VPN configuration is exported with an integrity check (see section Exporting a VPN
configuration below) and it has been corrupted, a warning will be displayed to the user and the
software will not import the configuration.
If one or several tunnels are open when importing, the following information window will be
displayed to let you know that the import will close all open tunnels:
Once this message has been confirmed and the import has been completed, you will need to
reopen the tunnels.
NOTE
If some of the VPN tunnels added have the same name as certain tunnels in the current
configuration, they are automatically renamed during import (an increment will be added
between brackets).
password protection. If a password has been set, users will be required to enter it when
importing.
NOTES
- By default, the extension of exported VPN configuration files is .tgb.
- Whether it is exported with or without encryption, the exported VPN configuration can
  benefit from integrity protection (default behavior).
  Protecting the integrity of a VPN configuration when it is exported is a feature that
  cannot be enabled using an MSI installer property. This function is covered in the
  “Deployment Guide”.
We recommend that you always export VPN configurations with a password protection
(encrypted).
NOTE
As of version 7.0, the password must contain at least 16 characters.
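The password-protected, integrity-checked export described above can be illustrated with a small container format. The example below is added here and is not the product's code nor its .tgb format: the layout (magic, salt, HMAC-SHA256 tag, body), the PBKDF2 work factor and the sample configuration are all assumptions. It shows the two behaviors the guide describes: a password shorter than 16 characters is refused at export, and a file whose integrity tag does not verify (corrupted, edited, or opened with the wrong password) is refused at import instead of being loaded.

```python
import hashlib
import hmac
import secrets

# Illustrative container layout (an assumption for this example, not the
# product's .tgb format): magic(4) | salt(16) | HMAC-SHA256 tag(32) | config body
MAGIC = b"VCFG"
SALT_LEN = 16
TAG_LEN = 32
HEADER_LEN = len(MAGIC) + SALT_LEN + TAG_LEN
MIN_PASSWORD_LEN = 16        # the guide's minimum as of version 7.0
PBKDF2_ITERATIONS = 200_000  # assumed work factor


def _integrity_key(password: str, salt: bytes) -> bytes:
    """Derive the integrity key from the export password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def export_config(config: bytes, password: str) -> bytes:
    """Wrap a configuration in a container carrying a password-keyed integrity tag."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError(f"password must contain at least {MIN_PASSWORD_LEN} characters")
    salt = secrets.token_bytes(SALT_LEN)
    tag = hmac.new(_integrity_key(password, salt), MAGIC + salt + config, hashlib.sha256).digest()
    return MAGIC + salt + tag + config


def import_config(blob: bytes, password: str) -> bytes:
    """Verify the tag before returning the configuration; reject anything that does not verify."""
    if len(blob) < HEADER_LEN or blob[: len(MAGIC)] != MAGIC:
        raise ValueError("not a signed configuration export")
    salt = blob[len(MAGIC): len(MAGIC) + SALT_LEN]
    tag = blob[len(MAGIC) + SALT_LEN: HEADER_LEN]
    body = blob[HEADER_LEN:]
    expected = hmac.new(_integrity_key(password, salt), MAGIC + salt + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed: file corrupted or wrong password")
    return body


def import_outcome(blob: bytes, password: str) -> str:
    """Mirror what an import dialog would report: 'imported' or the reason for refusal."""
    try:
        import_config(blob, password)
        return "imported"
    except ValueError as exc:
        return str(exc)


# Constructed sample: a minimal tunnel description standing in for a real export.
SAMPLE_CONFIG = b"[tunnel]\nname=Corp IKEv2\ngateway=myrouter.dyndns.org\n"
SAMPLE_PASSWORD = "correct horse battery staple"   # 28 characters, meets the minimum


def corrupt(blob: bytes) -> bytes:
    """Flip one bit in the configuration body, as a damaged or hand-edited file would."""
    body = bytearray(blob)
    body[-1] ^= 0x01
    return bytes(body)


if __name__ == "__main__":
    exported = export_config(SAMPLE_CONFIG, SAMPLE_PASSWORD)
    print("intact file:   ", import_outcome(exported, SAMPLE_PASSWORD))
    print("corrupted file:", import_outcome(corrupt(exported), SAMPLE_PASSWORD))
    print("wrong password:", import_outcome(exported, "not-the-export-password-1"))
```

Because the tag is keyed by the password, a corrupted file and a wrong password produce the same refusal; a deployment that wants to tell the two apart (as the guide's separate "corrupted" warning implies) needs an integrity key that does not depend on the user's password, which is the role the deployment-side signing described in the "Deployment Guide" plays.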
TIP
Security recommendation: We recommend configuring IKEv2 tunnels with a certificate.
Refer to chapter Security recommendations.
Addresses
- Interface: Name of the network interface on which the VPN connection is open.
  The software can decide automatically which interface to use by selecting Any.
Authentication
NOTE
The preshared key is an easy way to configure a VPN tunnel. However, it is less
flexible in terms of security management than the use of certificates.
Refer to chapter Security recommendations.
NOTE
Using the Certificate option strengthens the security in terms of VPN connection
management (mutual authentication, verification of validity periods, revocation,
etc.).
Refer to chapter Security recommendations.
Cryptography
NOTE
Refer to chapter Security recommendations on the choice of algorithm.
Auto means that the VPN Client automatically adapts to the gateway parameters.
Identity
- Local ID: “Local ID” is the identifier that the VPN Client sends to the remote VPN gateway
  during the authentication phase.
  According to the type selected, this identifier can be any of the following:
  - IP address: an IPv4 address (type = IPV4 ADDR), e.g. 195.100.205.101
  - DNS: a domain name (type = FQDN), e.g. gw.mydomain.net
  - KEY ID: a character string (type = KEY ID), e.g. 123456
  - Email: an email address (type = USER FQDN)
  - DER ASN1 DN: the X.509 subject of a certificate (type = DER ASN1 DN)
  - X509 subject: this field is automatically filled in with the subject of an X.509 certificate
    when the tunnel is associated with a user certificate (see chapter Managing certificates)
  If this parameter is not set, the VPN Client's IP address is used by default.
- Remote ID: “Remote ID” is the identifier of the authentication phase that the VPN Client
  expects to receive from the VPN gateway.
  According to the type selected, this identifier can be any of the following:
  - IP address: an IP address (type = IPV4 ADDR), e.g. 80.2.3.4
  - DNS: a domain name (type = FQDN), e.g. router.mydomain.com
  - KEY ID: a character string (type = KEY ID), e.g. 123456
  - Email: an email address (type = USER FQDN), e.g. admin@mydomain.com
  - DER ASN1 DN: the X.509 subject of a certificate (type = DER ASN1 DN)
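The identity types above matter because the Remote ID is what the VPN Client checks the gateway's presented identity against: the type and the value both have to match, otherwise authentication fails. The example below is added here and is not the product's code; it uses the guide's own sample values, and the classification heuristics (an FQDN must contain a dot, a DN starts with an attribute name and "=", anything else is treated as KEY ID) and the per-type normalization rules are assumptions for illustration.

```python
import ipaddress
import re
from typing import Tuple, Union

# The IKEv2 identity types listed in the guide.
IPV4_ADDR = "IPV4 ADDR"
FQDN = "FQDN"
USER_FQDN = "USER FQDN"
DER_ASN1_DN = "DER ASN1 DN"
KEY_ID = "KEY ID"

# Hostname syntax: labels of letters, digits and hyphens, at least one dot (assumption).
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$",
    re.IGNORECASE,
)
# A textual DN starts with an attribute type followed by "=" (e.g. "CN=...").
_DN_ATTR_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9.]*\s*=")


def classify_id(value: str) -> str:
    """Guess which identity type a user-entered identifier string corresponds to."""
    v = value.strip()
    try:
        ipaddress.IPv4Address(v)
        return IPV4_ADDR
    except ValueError:
        pass
    if _DN_ATTR_RE.match(v):
        return DER_ASN1_DN
    if "@" in v:
        local_part, _, domain = v.rpartition("@")
        if local_part and _FQDN_RE.match(domain):
            return USER_FQDN
    if _FQDN_RE.match(v):
        return FQDN
    return KEY_ID   # opaque string: compared byte for byte, no normalization


def _normalize(id_type: str, value: str) -> Union[str, Tuple[Tuple[str, str], ...]]:
    """Bring an identifier into a comparable form according to its type."""
    v = value.strip()
    if id_type == IPV4_ADDR:
        return str(ipaddress.IPv4Address(v))
    if id_type in (FQDN, USER_FQDN):
        return v.lower().rstrip(".")            # DNS names are case-insensitive
    if id_type == DER_ASN1_DN:
        # Naive RDN split on commas (assumption; real DNs need an ASN.1 compare).
        return tuple(
            (attr.strip().upper(), val.strip())
            for attr, _, val in (part.partition("=") for part in v.split(","))
        )
    return v


def remote_id_matches(expected_type: str, expected_value: str,
                      presented_type: str, presented_value: str) -> bool:
    """Configured Remote ID versus the identity the gateway presents: type and value."""
    if expected_type != presented_type:
        return False
    return _normalize(expected_type, expected_value) == _normalize(presented_type, presented_value)


if __name__ == "__main__":
    for sample in ("195.100.205.101", "gw.mydomain.net", "123456",
                   "admin@mydomain.com", "CN=gw.mydomain.com, O=Example Corp"):
        print(f"{sample!r:40} -> {classify_id(sample)}")
    print(remote_id_matches(FQDN, "router.mydomain.com", FQDN, "ROUTER.mydomain.com."))
    print(remote_id_matches(FQDN, "router.mydomain.com", IPV4_ADDR, "80.2.3.4"))
```

The `IPV4_ADDR` versus `FQDN` case in the last two lines is the mismatch practitioners hit most often: a gateway configured to present its IP address will not authenticate against a client whose Remote ID expects its DNS name, even when that name resolves to the same address.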
Advanced functions
NOTE
The remote VPN gateway must also be able to perform the IKE Auth exchanges on a
port other than 500.
- NAT port: IKE Child SA (IPsec) exchanges use the UDP protocol and port 4500 by default.
  NAT port configuration can bypass the networking hardware (firewall, routers) that filter
  port 4500.
  NOTE
  The remote VPN gateway must also be able to perform the IKE Child SA exchanges on a
  port other than 4500.
- Enable NATT offset: When the IKE port is different from 500, it may be necessary to check
  this option for the gateway to accept the connection.
- Childless: When this mode is enabled, the VPN Client will attempt to initiate IKE exchanges
  without creating any Child SA in accordance with RFC 6023. We recommend using this mode.
- Check interval: The Dead Peer Detection (DPD) function enables the VPN Client to detect
  whether the VPN gateway has become unreachable or inactive.
  The check interval is the time period between two consecutive DPD check messages sent,
  expressed in seconds.
  The DPD function is enabled upon opening the tunnel (after the authentication phase). When
  linked to a redundant gateway, DPD allows the VPN Client to automatically switch between
  gateways when one of them is unavailable.
- Max. number of retries: Number of consecutive unsuccessful attempts before concluding that
  the VPN gateway is unreachable.
- Delay between retries: Time between two DPD messages when the VPN gateway is not
  responding, expressed in seconds.
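The three DPD parameters together determine how long a dead gateway goes unnoticed, which is what an administrator tuning a redundant-gateway setup actually cares about. The simulation below is added here and is not the product's code: the timing model (first message one check interval after the tunnel opens, retries spaced by the delay between retries, the gateway declared unreachable once the last of the permitted consecutive attempts has timed out) is an assumption, and the settings and the moment the gateway goes silent are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DpdSettings:
    check_interval: int          # seconds between two DPD messages while the gateway answers
    max_retries: int             # consecutive unanswered attempts before "unreachable"
    delay_between_retries: int   # seconds between DPD messages once the gateway stops answering


@dataclass(frozen=True)
class DpdOutcome:
    declared_dead_at: Optional[int]   # seconds after tunnel opening; None if the gateway kept answering
    probes_sent: Tuple[int, ...]      # send time of every DPD message


def worst_case_detection_time(s: DpdSettings) -> int:
    """Longest gap between the gateway's last answer and the 'unreachable' verdict under
    the model below: one full check interval, then max_retries attempts spaced
    delay_between_retries apart, the last of which must itself time out."""
    return s.check_interval + s.max_retries * s.delay_between_retries


def simulate_dpd(s: DpdSettings, gateway_silent_from: Optional[int], horizon: int) -> DpdOutcome:
    """Assumed timing model (an illustration, not the product's internal scheduler):
    - the first DPD message goes out check_interval seconds after the tunnel opens;
    - a message sent before gateway_silent_from is answered, any later one is not;
    - after an unanswered message the next one follows delay_between_retries later;
    - when max_retries consecutive messages are unanswered, the gateway is declared
      dead once the last of them has timed out (delay_between_retries after sending).
    """
    t = 0
    unanswered = 0
    probes: List[int] = []
    while True:
        step = s.check_interval if unanswered == 0 else s.delay_between_retries
        if t + step > horizon:
            return DpdOutcome(None, tuple(probes))
        t += step
        probes.append(t)
        if gateway_silent_from is None or t < gateway_silent_from:
            unanswered = 0          # answered: back to the regular check interval
            continue
        unanswered += 1
        if unanswered >= s.max_retries:
            return DpdOutcome(t + s.delay_between_retries, tuple(probes))


if __name__ == "__main__":
    # Constructed sample: 30 s checks, 3 retries 15 s apart, gateway goes silent at t=45 s.
    settings = DpdSettings(check_interval=30, max_retries=3, delay_between_retries=15)
    outcome = simulate_dpd(settings, gateway_silent_from=45, horizon=600)
    print("probes sent at:", outcome.probes_sent)
    print("declared unreachable at:", outcome.declared_dead_at, "s")
    print("worst-case detection time:", worst_case_detection_time(settings), "s")
```

With the sample settings the gateway's last answer is at 30 s and the verdict comes at 105 s, the 75 s worst case. Shortening the check interval lowers the detection time but raises the amount of DPD traffic every tunnel generates; the retry count and delay are what keep a short transient outage from triggering an unwanted switch to the redundant gateway.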
Lifetime
Gateway-related parameters
- Redundant gateway: Used to define the address of a spare VPN gateway that the VPN Client
  will switch to when the initial gateway is unavailable or unreachable.
  The address of the redundant VPN gateway can be either an IP or a DNS address.
  Refer to chapter Redundant gateway.
- Retransmissions: Number of IKE protocol message resends before failure.
- Gateway timeout: Delay between two retransmissions.
Traffic selectors
- VPN Client address: “Virtual” IP address of the workstation, the way it will be “seen” on the
  remote network. From a technical standpoint, it is the source IP address of the IP packets
  going through the IPsec tunnel.
- Address type: The endpoint of the tunnel can be a network or a remote workstation.
  Refer to section Configuring the Address type below.
- Request configuration from the gateway: This option (also called “Configuration Payload” or
  “Mode CP”) lets the VPN Client get all the information required for the VPN connection from
  the gateway: VPN Client addresses, remote network address, subnet mask, and DNS addresses.
  When this option is checked, all corresponding fields are disabled (uneditable).
  They are filled in dynamically as the tunnel is opened with the values sent by the VPN
  gateway during the Mode CP exchange.
Cryptography
NOTES
- Refer to chapter Security recommendations on the choice of algorithm.
  Auto means that the VPN Client automatically adapts to the gateway parameters.
- If the IP address of the VPN Client workstation is included in the address range for a
  remote network (e.g. @workstation IP=192.168.10.2 and @remote
  network=192.168.10.x), then opening a tunnel will prevent the workstation from
  communicating on the local network. All communications will go through the VPN
  tunnel.
Lifetime
IPv4/IPv6
NOTES
- The function Automatically open this tunnel on traffic detection is used to
  automatically open a tunnel when traffic with one of the addresses specified in the
  address range is detected (provided that this address range is authorized in the VPN
  gateway configuration).
- “All traffic through the VPN tunnel” configuration
  The VPN Client can be configured so that all the workstation’s outbound traffic goes
  through the VPN tunnel. To implement this function, select Subnet address as the
  address type and specify 0.0.0.0 as the Remote LAN address and Subnet mask.
Alternate servers
NOTE
When Mode CP is enabled (see the Request configuration from the gateway parameter
in the Child SA tab), these fields will be grayed out (uneditable). They are automatically
filled in as the tunnel is opened with the values sent by the VPN gateway during the
Mode CP exchange.
Traffic check after opening: The VPN Client can be configured so that connectivity to the remote network is checked on a regular basis. If connectivity has been lost, the VPN Client will automatically close the tunnel and attempt to open it again.
The IPV4/IPV6 field is the address of a machine within the remote network, which should reply to pings sent by the VPN Client. If a ping goes unanswered, the connection is considered lost.
NOTE
If the tunnel is configured in IPv4 (see the button at the top right of the tab), then the
IPv4 field is displayed. If the tunnel is configured in IPv6, then the IPv6 field is displayed.
Check interval: The Check interval indicates the time interval in seconds between two pings sent by the VPN Client to the machine with the IP address specified above.
Others
Disable Split Tunneling: When this option is selected, only the traffic going through the tunnel is authorized.
The Disable Split Tunneling configuration option increases the “leakproofness” of the workstation, provided that the VPN tunnel is open. More specifically, this function eliminates the risk of incoming data flows that do not go through the VPN tunnel.
Configuring the Address type), this option guarantees that the workstation is completely airtight, provided that the VPN tunnel is open. We recommend using this mode.
13.4.1 Introduction
Versions 6 and later of SN VPN Client Exclusive can be used to open SSL VPN tunnels.
SSL VPN tunnels set up by SN VPN Client Exclusive are compatible with OpenVPN and can
establish secure connections with all gateways implementing this protocol.
13.4.2 Main
Remote Gateway
Interface: Name of the network interface on which the VPN connection is open. The software can decide automatically which interface to use by selecting Any.
Authentication
Extra Authentication
Extra Authentication: This option increases the security level by asking the user to enter a login name and password whenever a tunnel is opened.
When the box Popup when tunnel opens is checked, users will be prompted for their login name and password whenever they open the tunnel. When it is unchecked, the login name and password must be entered here permanently. Users therefore will not need to enter them every time they open the tunnel.
13.4.3 Security
Security Suite: This parameter is used to configure the security level of the authentication phase during the SSL exchange.
Auto: All cryptography suites (except null) are sent to the gateway, which will use the best fit.
TLS v1.2 — Medium: Only “medium” cryptography suites are sent to the gateway. In the current version, these are suites that use 128-bit encryption algorithms.
TLS v1.2 — High: Only strong cryptography suites are sent to the gateway. In the current version, these are suites that use 128-bit or higher encryption algorithms.
TLS v1.3: TLS 1.3 suite negotiated with the gateway, including:
• TLS_AES_128_GCM_SHA256
• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256
• TLS_AES_128_CCM_SHA256
• TLS_AES_128_CCM_8_SHA256
For further information: https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
NOTE
If the Extra HMAC option is enabled (see below), the authentication
algorithm cannot be set to Auto. It will have to be configured explicitly
and must be identical to the one chosen at the gateway end.
NOTE
Auto means that the VPN Client automatically adapts to the gateway parameters.
Extra HMAC: This option adds an authentication layer to the packets exchanged between the VPN Client and the VPN gateway. For this option to be fully operational, it must also be configured on the gateway (on gateways, this option is often referred to as “TLS-Auth”).
If this option is enabled, a key must be entered in the field below the checked box. The same key must also be entered on the gateway. It consists of a string of hexadecimal characters, in the following format:
-----BEGIN Static key-----
362722d4fbff4075853fbe6991689c36
b371f99aa7df0852ec70352122aee7be
…
515354236503e382937d1b59618e5a4a
cb488b5dd8ce9733055a3bdc17fb3d2d
-----END Static key-----
The Key Direction must also be defined:
• BiDir: The specified key is used in both directions (default mode)
• Client: The key direction must be defined as Server in the gateway.
• Server: The key direction must be defined as Client in the gateway.
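Worked example (added here; it is not part of the manual or of the SN VPN Client software): a Python check of the Extra HMAC settings on both ends, validating the Static key block in the format shown above and the Key Direction pairing (Client on the VPN Client requires Server on the gateway, and vice versa), together with the rule that the authentication algorithm cannot be Auto when Extra HMAC is enabled. The 512-hex-character key length is the OpenVPN static key size and is not stated in the manual; the function names, the dictionary layout and the repeating sample key are this example’s own assumptions.

```python
import hmac
import re

KEY_BEGIN = "-----BEGIN Static key-----"
KEY_END = "-----END Static key-----"
# Assumption, not stated in the manual: OpenVPN static keys are 2048 bits,
# i.e. 16 lines of 32 hexadecimal characters = 512 hex characters.
EXPECTED_HEX_CHARS = 512

# Key Direction chosen on the VPN Client -> Key Direction the gateway must use.
PEER_DIRECTION = {"BiDir": "BiDir", "Client": "Server", "Server": "Client"}


def parse_static_key(text):
    """Return the key bytes found between the BEGIN/END Static key markers.

    Raises ValueError when a marker is missing, the body holds anything but
    hexadecimal digits (line breaks and spaces are ignored) or the length is
    not EXPECTED_HEX_CHARS.
    """
    start = text.find(KEY_BEGIN)
    end = text.find(KEY_END)
    if start < 0 or end < 0 or end < start:
        raise ValueError("BEGIN/END Static key markers missing or out of order")
    body = re.sub(r"\s+", "", text[start + len(KEY_BEGIN):end])
    if not re.fullmatch(r"[0-9a-fA-F]*", body):
        raise ValueError("key body is not hexadecimal")
    if len(body) != EXPECTED_HEX_CHARS:
        raise ValueError(f"expected {EXPECTED_HEX_CHARS} hex characters, got {len(body)}")
    return bytes.fromhex(body)


def is_valid_static_key(text):
    """Convenience wrapper: True when parse_static_key() accepts the block."""
    try:
        parse_static_key(text)
        return True
    except ValueError:
        return False


def validate_extra_hmac(client, gateway):
    """Compare the Extra HMAC (TLS-Auth) settings of the two tunnel ends.

    `client` and `gateway` are dicts with the keys 'key' (static key block),
    'direction' (BiDir, Client or Server) and 'auth' (authentication
    algorithm name). Returns the list of problems found; an empty list means
    the two ends agree.
    """
    problems = []
    try:
        client_key = parse_static_key(client["key"])
        gateway_key = parse_static_key(gateway["key"])
        # constant-time comparison so a mismatch is not revealed byte by byte
        if not hmac.compare_digest(client_key, gateway_key):
            problems.append("static keys differ")
    except ValueError as exc:
        problems.append(f"malformed static key: {exc}")
    expected = PEER_DIRECTION.get(client["direction"])
    if expected is None or gateway["direction"] != expected:
        problems.append(f"client direction {client['direction']!r} requires "
                        f"{expected!r} on the gateway, found {gateway['direction']!r}")
    # With Extra HMAC on, the manual requires an explicit algorithm that is
    # identical to the one chosen at the gateway end.
    if client["auth"] == "Auto":
        problems.append("authentication algorithm must not be Auto with Extra HMAC")
    elif client["auth"] != gateway["auth"]:
        problems.append("authentication algorithm differs from the gateway")
    return problems


# Constructed sample key (a repeating pattern, not a real key) for the checks below.
SAMPLE_KEY = "\n".join([KEY_BEGIN] + ["0123456789abcdef" * 2] * 16 + [KEY_END]) + "\n"
```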
13.4.4 Gateway
Ping Gateway: Period, expressed in seconds, between two pings sent by the VPN Client to the gateway. Sending this ping enables the gateway to determine whether the VPN Client is still active.
Detect Gateway: Time, expressed in seconds, after which the gateway is considered down if no ping has been received.
On Dead Peer Detection: When the gateway is detected as unavailable (i.e. once the Detect Gateway time has expired), the tunnel can be closed, or the VPN Client may try to open it again.
Gateway-related parameters
Explicit exit: This parameter configures the VPN Client to send a specific VPN tunnel closing frame to the gateway when closing the tunnel.
If this option is not selected, the gateway will use DPD to close the tunnel at its end, which is less effective.
Gateway certificate check: Specifies the control level applied to the gateway certificate. In the current version, two levels are available:
• Yes (the certificate’s validity is checked)
• No (the certificate’s validity is not verified)
The Lite option is reserved for future use. In this version, it is equivalent to the Yes option.
If the Check gateway certificate signature option is enabled in the PKI Options (cf. section PKI options), the present option on the Gateway tab is grayed out and the option is set to Yes.
Check Gateway Options: Used to determine the coherence level between the VPN tunnel and gateway parameters (encryption algorithms, compression, etc.).
• Yes: Coherence is verified for all VPN parameters. The VPN tunnel will not open if any parameter is different.
• No: Coherence is not verified before opening the tunnel. The VPN tunnel will try to open, even though no traffic may pass through because certain parameters are not consistent.
• Lite: Consistency between the VPN Client and the gateway is only verified for essential parameters.
• Apply: Gateway parameters will be applied.
Validate the subject of the gateway certificate: If this field is filled in, the VPN Client will check that the subject of the certificate received from the gateway is, indeed, the one specified.
Redundant gateway: Defines the address of a spare VPN gateway that the VPN Client will switch to when the initial gateway is unavailable or unreachable.
The address of the redundant VPN gateway can be either an IP or a DNS address.
Refer to chapter Redundant gateway.
Others
Disable Split Tunneling: When this option is selected, only the traffic going through the tunnel is authorized. The Disable Split Tunneling configuration option increases the “leakproofness” of the workstation, provided that the VPN tunnel is open. More specifically, this function eliminates the risk of incoming data flows that do not go through the VPN tunnel.
13.4.5 Establishment
Key Renegotiation
Bytes, Packets, Lifetime: Keys can be renegotiated when any of the three criteria (which can be combined) expire:
• Traffic volume, expressed in KB
• Quantity of packets, expressed in number of packets
• Lifetime, expressed in seconds
If more than one criterion is set, keys will be renegotiated when the first of these expires.
Tunnel Options
Tunnel IPv4: Defines the VPN Client’s behavior when it receives an IPv4 configuration from the gateway:
• Auto: Accepts the information sent by the gateway
• Yes: Checks whether the information sent by the gateway matches the configured behavior. If this is not the case, a warning message is displayed on the console and the tunnel is not established.
• No: Ignores the information sent by the gateway
NOTE
Please check that IPv4 tunnel and IPv6 tunnel aren’t both set to No.
Tunnel IPv6: Defines the VPN Client’s behavior when it receives an IPv6 configuration from the gateway:
• Auto: Accepts the information sent by the gateway
• Yes: Checks whether the information sent by the gateway matches the configured behavior. If this is not the case, a warning message is displayed on the console and the tunnel is not established.
• No: Ignores the information sent by the gateway
NOTE
Please check that IPv4 tunnel and IPv6 tunnel aren’t both set to No.
Port/TCP: Port number used to establish the tunnel. The default port value is set to 1194. The tunnel will use UDP by default. The TCP option is used to transport the tunnel over TCP.
Authentication Timeout: Time allowed to establish the authentication phase. When this timeout expires, it is assumed that the tunnel will not open, and the tunnel is closed.
Retransmissions: Number of retries for sending a protocol message. If there is no response by the time the defined number of retries is reached, the tunnel is closed.
Traffic setup timeout: Tunnel establishment phase: time after which the tunnel is closed if not all the steps have been completed.
Traffic
Traffic detection to open the tunnel: With OpenVPN, the remote network’s details are not configured (they are automatically obtained during the tunnel opening exchange with the gateway). To implement traffic detection with OpenVPN, the remote network’s details must therefore be stated explicitly. That is the purpose of the IPv4 and IPv6 fields.
It is not mandatory to fill in both fields.
The IP field is a sub-network address, configured as an IP address and a prefix length.
Example: IP = 192.168.1.0 / 24: the first 24 bits of the IP address are taken into account, i.e. the network 192.168.1.x.
NOTE
These parameters are linked to the traffic detection function. The Automatically open this tunnel on traffic detection box must be checked on the Automation tab for the IPv4 and IPv6 fields to be enabled.
Tunnel traffic check: If these fields are filled in, the VPN Client will try to ping these addresses after opening the VPN tunnel. The connection status (reply to pings or no reply to pings) is shown in the console.
It is not mandatory to fill in both fields.
NOTE
No particular steps are taken if the ping goes unanswered.
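Worked example (added here; it is not part of the manual or of the SN VPN Client software) covering both the “IP = 192.168.1.0 / 24” form of the Traffic tab above and the Traffic selectors notes of the IKEv2 Child SA tab earlier in this chapter: a Python audit that reports the “all traffic through the VPN tunnel” selector (0.0.0.0 / 0.0.0.0) and the case where the workstation’s own LAN address falls inside the remote range (the manual’s 192.168.10.2 versus 192.168.10.x warning). Function names, the sample addresses and the tolerance for spaces around the slash are this example’s assumptions.

```python
import ipaddress


def parse_prefix(text):
    """Parse the 'IP = 192.168.1.0 / 24' form of the OpenVPN Traffic tab.

    Spaces around the slash and an optional 'IP =' prefix are tolerated, and
    the result is normalised to the network address, so '192.168.1.7 / 24'
    also yields 192.168.1.0/24.
    """
    cleaned = text.split("=", 1)[-1].replace(" ", "")
    return ipaddress.ip_network(cleaned, strict=False)


def remote_network_from_mask(remote_lan, subnet_mask):
    """Build the remote network from the Remote LAN address and Subnet mask
    fields of the Child SA tab (IKEv2). The pair 0.0.0.0 / 0.0.0.0 is the
    'all traffic through the VPN tunnel' selector described in the manual."""
    return ipaddress.ip_network(f"{remote_lan}/{subnet_mask}", strict=False)


def check_traffic_selector(workstation_ip, remote_network):
    """Findings for one (workstation LAN address, remote network) pair.

    'all-traffic'   : prefix length 0, every outbound packet enters the tunnel
                      (a deliberate configuration, reported for visibility)
    'local-overlap' : the workstation's own LAN address lies inside the remote
                      range, so opening the tunnel cuts it off from its local
                      network, as the manual's 192.168.10.x note warns
    """
    if remote_network.prefixlen == 0:
        return ["all-traffic"]          # overlap is the intended effect here
    findings = []
    if ipaddress.ip_address(workstation_ip) in remote_network:
        findings.append("local-overlap")
    return findings


def audit_selectors(workstation_ip, selectors):
    """Audit several traffic selectors at once; returns {network: findings}.

    Each entry of `selectors` is either a (Remote LAN address, Subnet mask)
    tuple as typed on the Child SA tab, or an 'IP / prefix' string as typed
    on the OpenVPN Traffic tab.
    """
    report = {}
    for selector in selectors:
        if isinstance(selector, tuple):
            network = remote_network_from_mask(*selector)
        else:
            network = parse_prefix(selector)
        report[str(network)] = check_traffic_selector(workstation_ip, network)
    return report


if __name__ == "__main__":
    # Constructed sample: a workstation on 192.168.10.0/24 with three selectors.
    print(audit_selectors("192.168.10.2", [
        ("192.168.10.0", "255.255.255.0"),   # overlaps the local LAN
        ("0.0.0.0", "0.0.0.0"),              # all traffic through the tunnel
        "IP = 192.168.1.0 / 24",             # Traffic tab form, no overlap
    ]))
```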
13.4.6 Automation
Refer to chapter Automation.
13.4.7 Certificate
Refer to chapter Managing certificates.
NOTES
• The VPN Client will not try to contact the redundant gateway if the initial gateway can be reached, but issues are experienced when opening the tunnel.
• The VPN Client will not try to contact the redundant gateway if the initial gateway cannot be reached due to a DNS resolution issue.
15. Automation
SN VPN Client Exclusive can perform automated actions for each VPN tunnel, such as switching
to a fallback tunnel, opening the tunnel automatically if certain criteria are met, running batches
or scripts at various stages while opening or closing a tunnel, etc.
These automated actions can be performed on any type of tunnel: IKEv2 and SSL.
These automated actions are configured for each tunnel type on the Automation tab of the
corresponding tunnel: Child SA (IKEv2) or TLS (SSL).
15.4 Scripts
Before tunnel opens: The specified command line is executed before the tunnel opens.
When tunnel is opened: The specified command line is executed as soon as the tunnel is open.
Before tunnel closes: The specified command line is executed before the tunnel closes.
After tunnel is closed: The specified command line is executed as soon as the tunnel is closed.
NOTE
Scripts cannot be configured for a tunnel configured in GINA mode. Data entry fields are disabled.
Tunnel to switch to: This field displays the list of tunnels to which the software can automatically switch if the current tunnel is unavailable.
Message to display: As this function can automatically switch from one tunnel to another, with the second being, for example, less secure than the first, this option is used to display a warning message to the user. This message will be displayed every time the connection switches to the fallback tunnel.
Max. number of retries: The number of fallback attempts is set to avoid infinite switching loops (tunnel 1 falling back to tunnel 2 falling back in turn to tunnel 1).
Allow the user to refuse the fallback: Used to configure the fallback function so that the user gets to decide whether to fall back from one tunnel to another.
The IP protocol configured using the IPv4/IPv6 button is exactly the same as the protocol used
on the remote network.
NOTE
Choosing between IPv4 and IPv6 has an impact on the settings of the tunnel’s other configuration tabs. The IPv4/IPv6 selection button is therefore still shown in the top-right corner of these other tabs, but it is disabled.
NOTE
For smart card readers, the reader is displayed with a warning icon in front if the smart card is not inserted.
NOTE
Only available certificates that have not expired are displayed.
Once a certificate has been selected, the View Certificate button will show detailed information
about the certificate.
NOTE
Once a certificate has been selected, the tunnel’s Local ID type will automatically switch to X509
subject or “DER ASN1 DN” and the certificate’s subject will be used as the default value of this
Local ID.
IMPORTANT
Whenever you import a certificate into a VPN configuration, we strongly recommend that you
protect the configuration file with a password when you export it (see section Exporting a VPN
configuration) so that the certificate does not become visible in clear text.
The certificate is shown and is selected in the certificate list displayed on the Certificate tab.
The certificate will be saved in the VPN configuration. Save the VPN configuration.
NOTE
The file containing the private key may not be encrypted.
The certificate is shown and is selected in the certificate list displayed on the Certificate tab.
The certificate will be saved in the VPN configuration. Save the VPN configuration.
NOTE
All CAs in the file that are in PKCS#12 format will also be imported to the VPN configuration.
• The certificate must be located by default in the “Personal” certificate store, which represents the personal identity of the user who wants to set up a VPN tunnel to the corporate network. To use the Windows machine certificate store, the MACHINESTORE property must be set to 1 when the software is installed.
Refer to the “Deployment Guide” for the corresponding instructions.
NOTE
Microsoft provides a standard management tool (certmgr.msc) to manage the certificates in the
Windows Certificate Store. To run this tool, go to the Windows Start menu and then enter
certmgr.msc in the Search for programs or files field.
18.7 PKI options: specifying the certificate and its storage device
SN VPN Client Exclusive provides several ways in which to specify the certificate to use, as well
as to select the smart card reader or token that contains the certificate.
This feature is available under the More PKI options link at the bottom of the Certificate tab and
on the PKI options tab of the Options configuration window.
despite this, by adding the dynamic parameter allow_server_extra_keyusage set to the value
true.
In this configuration, the certificate will also be validated if the Key Usage extension contains
one of the following combinations of values:
• digitalSignature + keyEncipherment + keyAgreement
• digitalSignature + keyAgreement
• nonRepudiation
• nonRepudiation + keyEncipherment
• nonRepudiation + keyEncipherment + keyAgreement
• nonRepudiation + keyAgreement
• keyEncipherment + keyAgreement
Moreover, in this configuration the Key Usage extension can be marked as non-critical.
NOTE
For security reasons, the Windows Certificate Store may not be used to access CAs.
In the event that the gateway does not support method 14 with an RSASSA-PSS signature, you
can configure the VPN Client to use method 14 with an RSASSA-PKCS1-v1_5 signature, by adding
the dynamic parameter Method14_RSASSA_PKCS1 with a value set to true or yes (see section
General, paragraph Displaying more parameters).
In the event that the gateway does not support method 14 with an RSASSA-PKCS1-v1_5
signature, you can configure the VPN Client to use method 1 with an RSA and SHA-2 digital
signature, by adding the dynamic parameter Method1_PKCS1v15_Scheme with a value set to 04
NOTES
• SHA-1 algorithm cannot be used in digital signatures.
• SN VPN Client Exclusive will reject RSA certificates with a key size of less than 2048 bits.
• SN VPN Client Exclusive will reject ECDSA certificates with a key size of less than 256 bits.
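Worked example (added here; it is not part of the manual or of the SN VPN Client software): a Python model of the gateway certificate checks described above, combining the extra Key Usage combinations accepted when allow_server_extra_keyusage is true (with the extension allowed to be non-critical) with the minimum key sizes and the SHA-1 rejection from the notes. The default Key Usage check that applies without the dynamic parameter is not reproduced on this page, so the caller supplies its verdict; the GatewayCert structure and function names are this example’s assumptions.

```python
from dataclasses import dataclass

# Key Usage combinations accepted in addition to the default check once the
# dynamic parameter allow_server_extra_keyusage is set to true (list from the manual).
EXTRA_KEYUSAGE_COMBINATIONS = frozenset({
    frozenset({"digitalSignature", "keyEncipherment", "keyAgreement"}),
    frozenset({"digitalSignature", "keyAgreement"}),
    frozenset({"nonRepudiation"}),
    frozenset({"nonRepudiation", "keyEncipherment"}),
    frozenset({"nonRepudiation", "keyEncipherment", "keyAgreement"}),
    frozenset({"nonRepudiation", "keyAgreement"}),
    frozenset({"keyEncipherment", "keyAgreement"}),
})

# Minimum key sizes from the manual's notes; smaller keys are rejected.
MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 256}


@dataclass(frozen=True)
class GatewayCert:
    """The fields of a gateway certificate that the checks below consult
    (assumed structure, filled in from a parsed certificate by the caller)."""
    key_type: str            # "RSA" or "ECDSA"
    key_bits: int
    key_usage: frozenset     # values carried by the Key Usage extension
    key_usage_critical: bool
    signature_hash: str      # hash used in the certificate signature, e.g. "sha256"


def extra_keyusage_accepts(cert):
    """True when the Key Usage values match one of the extra combinations.

    In this mode the extension may be marked non-critical, so the critical
    flag is deliberately not consulted.
    """
    return cert.key_usage in EXTRA_KEYUSAGE_COMBINATIONS


def reject_reasons(cert, baseline_key_usage_ok, allow_server_extra_keyusage=False):
    """Return the reasons the VPN Client would reject `cert` (empty: accepted).

    `baseline_key_usage_ok` is the verdict of the default Key Usage check,
    which this page does not reproduce; the caller supplies it. The extra
    combinations only count when the dynamic parameter is enabled.
    """
    reasons = []
    minimum = MIN_KEY_BITS.get(cert.key_type)
    if minimum is not None and cert.key_bits < minimum:
        reasons.append(f"{cert.key_type} key of {cert.key_bits} bits is below "
                       f"the {minimum}-bit minimum")
    if cert.signature_hash.lower().replace("-", "") == "sha1":
        reasons.append("SHA-1 cannot be used in digital signatures")
    usage_ok = baseline_key_usage_ok or (
        allow_server_extra_keyusage and extra_keyusage_accepts(cert))
    if not usage_ok:
        reasons.append("Key Usage combination not accepted")
    return reasons
```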
The Remote Desktop Sharing (RDP) session will be added to the list of sessions. To open this
RDP connection with a single click, we recommend displaying it specifically in the Connection
Panel using the function described in detail in the section entitled Configuring the Connection
Panel in the next chapter.
VPN connections can be VPN tunnels or Remote desktop connections, i.e. a VPN tunnel for
which the Remote desktop function has been specified.
A window that can be accessed from the Tools > Connections Configuration menu allows you to
manage VPN connections in the Connection Panel, i.e. creating, naming, and sorting them.
The configuration window in the Connection Panel is used for the following actions:
• Choosing the VPN connections that are shown in the Connection Panel
• Creating and sorting VPN connections
• Renaming VPN connections
• Configuring Always-On in the TrustedConnect Panel
• Configuring TND (Trusted Network Detection) in the TrustedConnect Panel
The left side of the window shows the list of connections as they appear in the Connection
Panel.
The right side contains the following three tabs:
• General
• Always-On
• TND
The General tab shows the parameters of each connection: its name, the associated VPN tunnel
and possibly the Remote Desktop Sharing (RDP) connection, if it has been configured.
To create a new VPN connection, click Add a new connection, choose a name and select the
corresponding VPN tunnel. If a Remote Desktop Sharing connection is configured, an option
used to select it automatically appears below the selected tunnel. Once they have been
confirmed, changes made in the Connection Panel configuration window instantly appear in the
Connection Panel.
The Always-On and TND tabs are described in chapter Configuring the Connection Panel below.
NOTE
The Connection Panel’s configuration is stored in the VPN configuration file. Therefore, it can be
exported into .tgb files, which are useful for deploying an identical Connection Panel across all
workstations.
21.1 Always-On
NOTE
On some workstations, a few seconds are required before the interface is ready to transmit when
a network interface appears. To mitigate this time delay, there is a Delay before action option on
the Always-On tab (see previous section).
Trusted network DNS suffixes: This parameter defines the list of trusted DNS suffixes. This list can be empty or contain several DNS suffixes.
The suffixes must be separated by a comma in the list, without any blank spaces.
Trusted network beacons: This parameter defines the list of trusted server URLs to use.
The list of URLs can be empty: the VPN Client will then fall back to the list of DNS suffixes to determine whether the workstation is connected to the trusted network or not.
This list can contain several trusted server URLs. The VPN Client will then successively test all the URLs and all the certificates associated with each server until it finds one that is accessible and valid.
The URLs must be separated by a comma in the list, without any blank spaces.
There is no need to add the https:// prefix to a URL.
Beacons port: This parameter defines the port to be used to reach trusted servers.
Only one port can be configured; it is used for all URLs.
If this parameter is not configured, the VPN Client will use port 443 by default.
Visually identify direct connection to the trusted network: This option adds a visual cue to the TrustedConnect Panel to indicate that the VPN Client is connected to the trusted network.
If the box is checked, the taskbar icon and the color of the circle in the panel are blue when the machine is connected to the trusted network and green when a tunnel is open.
If the box is unchecked, the taskbar icon and the color of the circle in the panel remain green in both cases. No distinction is made between the trusted network and an open tunnel.
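Worked example (added here; it is not part of the manual or of the TrustedConnect Panel code): a Python model of the TND decision described above. It parses the comma-separated suffix and beacon lists (flagging the blank spaces the manual forbids), tries the beacons in order until one answers with a valid certificate, and falls back to the DNS suffix list only when the beacon list is empty. The HTTPS probe is injected so the logic runs offline; the exact URL shape on the single port, the comparison of the interface’s DNS suffix against the list and all names are this example’s assumptions.

```python
DEFAULT_BEACON_PORT = 443


def parse_comma_list(value):
    """Split a comma-separated field as the manual specifies it (no blank
    spaces). Returns (items, problems); entries containing spaces are reported
    but still kept, stripped, so the rest of the list can be checked."""
    items, problems = [], []
    for raw in value.split(","):
        if raw == "":
            continue
        if raw != raw.strip() or " " in raw:
            problems.append(f"blank space in entry {raw!r}")
        items.append(raw.strip())
    return items, problems


def beacon_url(entry, port):
    """The manual says the https:// prefix is optional; normalise each entry to
    a full URL on the single configured port (assumed URL shape)."""
    host = entry[len("https://"):] if entry.startswith("https://") else entry
    return f"https://{host}:{port}"


def on_trusted_network(dns_suffixes, beacons, port, probe, interface_suffix):
    """Decide whether the workstation is on the trusted network.

    `probe(url)` must return True only when the beacon is reachable AND its
    certificate is valid; it is injected so this runs without a network.
    With a non-empty beacon list the URLs are tried successively until one
    succeeds, and a list with no working beacon means 'not trusted' (the
    manual only describes the DNS fallback for an empty list). With an empty
    list the decision falls back to the DNS suffix of the active interface,
    compared against the trusted suffix list (assumption of this example).
    Returns (trusted, urls_tried).
    """
    tried = []
    if beacons:
        for entry in beacons:
            url = beacon_url(entry, port or DEFAULT_BEACON_PORT)
            tried.append(url)
            if probe(url):
                return True, tried
        return False, tried
    return interface_suffix in dns_suffixes, tried


def sample_probe(url):
    """Constructed stand-in for the HTTPS check: only one beacon is 'up'."""
    return url == "https://beacon2.corp.example:443"
```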
21.3 Scripts
The TrustedConnect Panel can run scripts when a tunnel is opened or closed. To configure this feature, refer to chapter Automation.
NOTE
The time delay and minimization type only apply to automatic minimization of the
TrustedConnect Panel when a connection to the trusted network is detected.
These configurations must be made in the properties of the VPN Client installer.
Refer to the “Deployment Guide” for the corresponding instructions.
Hereinafter, the USB drive containing the VPN configuration will be referred to as “VPN USB
drive”.
Otherwise, simply insert the selected USB drive at this stage. It will be detected automatically
as soon as it is inserted.
NOTE
The USB mode only allows you to protect a single VPN configuration on a USB drive. If there
already is a VPN configuration on the inserted USB drive, the following warning will be displayed:
If an empty USB drive is inserted and it is the only drive inserted into the workstation, the wizard
will automatically proceed to step 2.
Once the prompt has been confirmed, the USB VPN configuration is loaded automatically and,
where appropriate, the corresponding tunnel(s) is (are) opened automatically. A “USB mode”
icon is shown in the top-right corner of the tree on the Configuration Panel when the USB mode
is enabled:
The VPN connections running in USB mode automatically close when the VPN USB drive is
removed. The VPN configuration contained in the USB drive is removed from the workstation. (If
a VPN configuration had already been set on the workstation before the USB drive was inserted,
it will be restored in the software.)
NOTES
• SN VPN Client Exclusive can only take into account a single VPN USB drive at a time. As long as a VPN USB drive is inserted, any additional VPN USB drives that are inserted will not be taken into account.
• The import function is disabled in USB mode.
The VPN configuration can be edited in USB mode. Any changes made to the VPN configuration
are saved to the VPN USB drive.
NOTE
The VPN Client does not provide any function to directly change the password or the pairing with
a workstation. In order to change these parameters, follow the steps below:
1. Insert the VPN USB drive.
2. Export the VPN configuration.
3. Remove the VPN USB drive.
4. Import the VPN configuration exported in step 2.
5. Reload the USB mode wizard with this configuration and the desired new parameters.
A tunnel configured in GINA mode can be opened before Windows logon, i.e. by any user of the
workstation. We therefore strongly recommend that you set up a strong authentication method
that is certificate-based and, if possible, stored on a removable device.
NOTE
For the Automatically open this tunnel on traffic detection option to be operational after Windows
logon, the Enable before Windows logon option must not be checked.
IMPORTANT
• Limitation: Scripts and USB mode are not available for VPN tunnels configured in GINA mode.
• A VPN tunnel configured with a certificate stored in the Windows Certificate Store will not work in GINA mode. The reason for this is that the GINA mode is run before a Windows user is identified (prior to opening any session). Therefore, the software cannot identify the user store to use in the Windows Certificate Store.
24. Options
24.1 Display
Using the options listed on the View tab in the Options window, you can hide nearly all of the
software’s interfaces:
• Options in the taskbar menu
• Fade-out pop-up in the taskbar
• Access to the Configuration Panel
• Tunnel is open
• Tunnel is closed
• Failed to open the tunnel: the window will briefly explain what happened and provide a hyperlink for more information about the incident.
24.2 General
VPN tunnel, even on unreliable physical networks, typically wireless networks such as Wi-Fi,
4G, 5G or satellite.
NOTE
When deploying the software, all these options can be preconfigured when the SN VPN Client
Exclusive is installed.
Check gateway certificate signature: When this option is selected, the VPN gateway certificate is checked (including its validity date), as well as all certificates in the certificate chain down to the root certificate.
TIP
Security advisory: When this option is selected, the subject of the gateway certificate must be entered in the Remote ID of the tunnel concerned to prevent vulnerability 2018_7293 from being exploited.
Check certificate chain with CRL: When this option is selected, the Certificate Revocation List (CRL) of the VPN gateway certificate is checked, as well as the CRL of all certificates in the certificate chain down to the root certificate.
The root and intermediate certificates must be imported into the configuration or available in the Windows Certificate Store. Likewise, the CRLs must also be accessible, either in the Windows Certificate Store or available for download.
Certs of Gateway and Client are issued by different CA: If the VPN Client and the VPN gateway use certificates from a different certification authority, this box must be checked.
Only use authentication certificate: When this option is checked, the VPN Client will only take into account Authentication certificates (i.e. certificates whose key usage extension contains the digitalSignature attribute).
This function allows you to automatically select a certificate when several are stored on the same smart card or token.
The checkbox is grayed out when the KEYUSAGE property is set to 2 or 3 during installation (refer to the “Deployment Guide”).
Force PKCS#11 interface usage: The VPN Client knows how to handle the PKCS#11 and CNG APIs in order to access the certificate for smart cards or tokens.
When this option is checked, the VPN Client will only consider the PKCS#11 API to access the certificate for smart cards and tokens.
Use the first certificate found: When this option is checked, the VPN Client will use the first certificate found on the specified smart card reader or token.
Use the token/SC reader configured in the VPN Config.: The VPN Client uses the reader or token specified in the VPN configuration file to search for a certificate.
Use the first token or SC reader found on this computer: The VPN Client uses the first smart card or token found on the workstation to search for a certificate.
Use the token or SC reader configured in vpnconf.ini file: The VPN Client uses the vpnconf.ini configuration file to identify the smart card readers or tokens to use to search for a certificate.
Refer to the “Deployment Guide”.
NOTE
Since the use of the vpnconf.ini file only applies to the PKCS#11 interface, this option requires that the Force PKCS#11 interface usage option be selected.
The list of languages available in the standard version of the software is provided in an
appendix in section Technical characteristics of SN VPN Client Exclusive.
The translation window is split into 4 columns, which display the number of the character
string, its identifier, its string in the original language and its translation in the selected
language respectively.
Using the translation window, you can perform the following actions:
• Translate each character string by clicking on the corresponding row.
• Search for a specific character string in any column of the table (use the Find field then the F3 key to browse through every occurrence of the character string you have entered).
• Save the changes (Save button).
IMPORTANT
The characters or character strings below must not be modified during translation:
%s: the software will replace it with a character string
%d: the software will replace it with a digit
\n: indicates a carriage return
&: indicates that the following character should be underlined
%m-%d-%Y: indicates a date format (in this case US format: month-day-year). Only edit this field if you are certain of the format used in the target language.
The IDS_SC_P11_3 string must be left as is.
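Worked example (added here; it is not part of the manual or of the software’s translation window): a Python check that a translated string keeps the placeholders listed above. %s and %d must keep both their number and their order, since the software substitutes them positionally; \n and & may move but not change in number; an edited date format is reported for verification rather than rejected; and the IDS_SC_P11_3 row must be unchanged. The row layout, the sample strings and the function names are this example’s assumptions.

```python
import re

# Tokens the manual says must survive translation. The date pattern is listed
# first so that its %d / %Y are not picked up as separate tokens.
PLACEHOLDER_RE = re.compile(r"%[mdY]-%[mdY]-%[mdY]|%[sd]|\\n|&")
FIXED_STRINGS = {"IDS_SC_P11_3"}      # identifiers whose text must be left as is


def placeholders(text):
    """Placeholders of `text` in order of appearance."""
    return PLACEHOLDER_RE.findall(text)


def _is_date(token):
    return token.count("-") == 2


def check_translation(identifier, original, translated):
    """Problems found in one row (identifier, original string, translation)
    of the translation window; an empty list means the row is safe to save."""
    problems = []
    if identifier in FIXED_STRINGS:
        if translated != original:
            problems.append(f"{identifier} must be left as is")
        return problems
    orig, trans = placeholders(original), placeholders(translated)
    # %s and %d are substituted positionally, so both count and order matter.
    orig_fmt = [p for p in orig if p in ("%s", "%d")]
    trans_fmt = [p for p in trans if p in ("%s", "%d")]
    if orig_fmt != trans_fmt:
        problems.append(f"format placeholders changed: {orig_fmt} -> {trans_fmt}")
    # \n (carriage return) and & (underlined character) may move, but their
    # number must not change.
    for token in ("\\n", "&"):
        if orig.count(token) != trans.count(token):
            problems.append(f"{token} count changed")
    orig_dates = [p for p in orig if _is_date(p)]
    trans_dates = [p for p in trans if _is_date(p)]
    if len(orig_dates) != len(trans_dates):
        problems.append("date format placeholder removed or added")
    elif orig_dates != trans_dates:
        # allowed by the manual, but only when the target format is known
        problems.append("date format edited; verify the target-language format")
    return problems


def check_table(rows):
    """Run check_translation() over (identifier, original, translation) rows
    and return {identifier: problems} for the rows that have any."""
    report = {}
    for identifier, original, translated in rows:
        found = check_translation(identifier, original, translated)
        if found:
            report[identifier] = found
    return report
```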
NOTES
• The path for SN VPN Client Exclusive logs in the Windows Event Viewer is the following:
25.2 Console
Access the Console using either of the following methods:
• Tools > Console menu in the Configuration Panel (main interface)
• CTRL+D shortcut when the Configuration Panel is open
• From the software’s taskbar menu, choose Console
• Save: Saves all the traces displayed in the window into a file
• Start / Stop: Starts/stops a console log
• Clear: Clears the contents of the window
• Reset IKE: Restarts the IKE service
NOTES
• Logs can only be enabled on the Configuration Panel and access to the Configuration Panel can be restricted to administrators.
• Even though logs do not contain any sensitive information, we recommend that, if enabled by the administrator, said administrator ensures that they are disabled and, if possible, deleted when quitting the software.
• Trace logs are kept for 10 days. The software automatically deletes any older files.
• When stored in a local file, administrator logs are not deleted.
• Password
26.4.4 Protocol
We recommend that you only configure IPsec/IKEv2 tunnels (and no SSL/OpenVPN tunnels).
27. Appendices
27.1 Shortcuts
27.4.1 General
Remote Desktop Sharing: Open a remote computer with a single click via RDP and VPN tunnel
TrustedConnect Panel: Automatically open tunnel with Always-On and trusted network detection (TND)
27.4.3 Connection/Tunnel
27.4.4 Cryptography
27.4.5 Miscellaneous
NAT/NAT-Traversal: NAT-Traversal Draft 1 (enhanced), Draft 2, Draft 3 and RFC 3947, IP address emulation, includes support for: NAT_OA, NAT keepalive, NAT-T aggressive mode, NAT-T in forced, automatic or disabled mode
DPD: RFC 3706. Detection of inactive IKE endpoints.
Redundant gateway: Redundant gateway management, automatically selected when DPD is triggered (inactive gateway)
27.4.6 Administration
All images in this document are for representational purposes only, actual products may differ.
Copyright © Stormshield 2022. All rights reserved. All other company and product names
contained in this document are trademarks or registered trademarks of their respective
companies.