SSL VPN virtual gateway on the USG

5. Configure SSL parameters.
Configure the SSL version supported by the USG, the cipher suite, the session timeout, and the life cycle. The default values can be kept, but note what they are: the default version set includes SSL 3.0 as well as TLS 1.0, and the full cipher suite list (allciphersuit) includes the RC4 and DES suites. Restricting the version to tlsv10 and disabling the rc4 and des suites under custom is the configuration a security review will expect.

Procedure:
system-view
v-gateway v-gateway-name //Access the virtual gateway view.
basic //Access the basic virtual gateway view.
ssl version { sslv30+tlsv10 | tlsv10 }
//Configure the SSL version supported by the USG. By default, the USG supports SSL 3.0 and TLS 1.0.
ssl ciphersuit { allciphersuit | custom { aes256-sha | non-aes256-sha } { des-cbc3-sha | non-des-cbc3-sha } { rc4-sha | non-rc4-sha } { rc4-md5 | non-rc4-md5 } { aes128-sha | non-aes128-sha } { des-cbc-sha | non-des-cbc-sha } }
//Configure the SSL encryption suite.
ssl timeout time //Configure the SSL session timeout duration.
ssl lifecycle { time | no-time-limit } //Configure the SSL life cycle.
ssl session-reuse enable //Enable the SSL session reuse function.
Follow-up processing
display ssl //View SSL configuration.
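A worked check for the settings above, added here as an example and not taken from the page or from any Huawei software: a Python script that reads the ssl version, ssl ciphersuit and ssl lifecycle lines of each virtual gateway from a saved configuration and flags the combinations a security review would reject (SSL 3.0, the RC4 and DES suites, an unlimited life cycle). The configuration text is constructed; its layout (a creation line, then a v-gateway block with a basic sub-view) and the assumption that a gateway with no ssl ciphersuit line behaves as allciphersuit are assumptions, not something the page states. The default version set, SSL 3.0 plus TLS 1.0, is the one the page gives.

```python
"""Audit the SSL settings of USG virtual gateways from a saved configuration.

Added example, not from the page or from Huawei. The configuration text below
is constructed; its layout (creation line, then a v-gateway block with a
basic sub-view) is assumed from the command sequence in the procedure.
"""
import re
from typing import Dict, List

# Suites the page's "custom" keyword toggles, in the order the page lists them.
ALL_SUITES = ["aes256-sha", "des-cbc3-sha", "rc4-sha", "rc4-md5", "aes128-sha", "des-cbc-sha"]

# Why a suite is flagged. RC4 is prohibited by RFC 7465; single DES has a 56-bit
# key; 3DES is weak against Sweet32 on long-lived sessions.
WEAK_SUITES = {
    "rc4-sha": "RC4 is prohibited for TLS (RFC 7465)",
    "rc4-md5": "RC4 with MD5 MAC, both broken",
    "des-cbc-sha": "single DES, 56-bit key",
    "des-cbc3-sha": "3DES, 64-bit block (Sweet32)",
}

GATEWAY_RE = re.compile(r"^v-gateway (\S+)")
SSL_RE = re.compile(r"^ssl (version|ciphersuit|timeout|lifecycle|session-reuse)\s+(.+)$")

# Constructed sample configuration (assumed layout, see the docstring).
SAMPLE_CONFIG = """\
#
v-gateway vg1 interface GigabitEthernet0/0/1 private
v-gateway vg2 interface GigabitEthernet0/0/1 public vpn.example.com
#
v-gateway vg1
 basic
  ssl version sslv30+tlsv10
  ssl ciphersuit allciphersuit
  ssl timeout 30
  ssl lifecycle no-time-limit
#
v-gateway vg2
 basic
  ssl version tlsv10
  ssl ciphersuit custom aes256-sha non-des-cbc3-sha non-rc4-sha non-rc4-md5 aes128-sha non-des-cbc-sha
  ssl timeout 5
  ssl lifecycle 1440
  ssl session-reuse enable
#
"""


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {gateway name: {ssl keyword: argument string}} from config text."""
    gateways: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = GATEWAY_RE.match(line)
        if m:
            current = m.group(1)
            gateways.setdefault(current, {})
            continue
        m = SSL_RE.match(line)
        if m and current is not None:
            gateways[current][m.group(1)] = m.group(2)
    return gateways


def enabled_suites(args: str) -> List[str]:
    """Expand an 'ssl ciphersuit' argument into the suites it actually enables."""
    tokens = args.split()
    if tokens[0] == "allciphersuit":
        return list(ALL_SUITES)
    if tokens[0] != "custom":
        raise ValueError(f"unexpected ciphersuit argument: {args}")
    # Under 'custom' every slot is either the suite name or 'non-' + suite name.
    return [t for t in tokens[1:] if not t.startswith("non-")]


def audit(gateways: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return the findings for each gateway; an empty list means it passes."""
    report: Dict[str, List[str]] = {}
    for name, cfg in gateways.items():
        findings: List[str] = []
        # Page: the default version set is SSL 3.0 plus TLS 1.0.
        version = cfg.get("version", "sslv30+tlsv10")
        if "sslv30" in version:
            findings.append("SSLv3 enabled (POODLE); set 'ssl version tlsv10'")
        # Assumption: a gateway with no 'ssl ciphersuit' line behaves as allciphersuit.
        suites = enabled_suites(cfg.get("ciphersuit", "allciphersuit"))
        if not suites:
            findings.append("no cipher suite enabled; no client can connect")
        for suite in suites:
            if suite in WEAK_SUITES:
                findings.append(f"weak suite {suite}: {WEAK_SUITES[suite]}")
        if cfg.get("lifecycle") == "no-time-limit":
            findings.append("SSL life cycle unlimited; set 'ssl lifecycle <time>'")
        report[name] = findings
    return report


if __name__ == "__main__":
    for gw, findings in audit(parse_config(SAMPLE_CONFIG)).items():
        print(gw, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it against the text of display current-configuration (or the output of display ssl, once its format is known) for each USG in a fleet; vg1 above collects six findings, vg2 none.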

Other related questions:
Configuring an SSL VPN virtual gateway on the firewall
Configuring virtual gateways on the USG
1. system-view
2. v-gateway v-gateway-name { ip-address | interface interface-type interface-number } [ port port-number ] { private [ domain-name ] | public domain-name } //Create a virtual gateway. A private gateway is in exclusive mode, and a public gateway is in shared mode.
3. quit
4. v-gateway v-gateway-name ip address ip-address [ port port-number ] //Assign an IP address and a port number to the virtual gateway.
   Exclusive (private) virtual gateway:
   v-gateway v-gateway-name ip address ip-address [ port port-number ]: if the IP address entered is already an address of the virtual gateway, this command changes the virtual gateway port number; otherwise it adds the address to the virtual gateway.
   undo v-gateway v-gateway-name ip address ip-address: deletes the IP address of the virtual gateway.
   v-gateway v-gateway-name ip address old-ip-address new-ip-address [ port port-number ]: changes the IP address of the virtual gateway.
   Shared (public) virtual gateway:
   v-gateway v-gateway-name ip address ip-address [ port port-number ]: if the IP address entered is already the address of the virtual gateway, this command changes the virtual gateway port number; otherwise it replaces the virtual gateway IP address.
   The undo v-gateway ip address command cannot be used to delete the IP address of a shared virtual gateway.
   v-gateway v-gateway-name ip address old-ip-address new-ip-address [ port port-number ]: changes the IP address of the virtual gateway.
   A port on the virtual gateway IP address that is already used for another purpose (such as web management or SSH login) cannot be configured as the virtual gateway port.
5. v-gateway v-gateway-name interface interface-type interface-number [ port port-number ] //Modify the virtual gateway interface.
6. v-gateway v-gateway-name domain domain-name //Modify the virtual gateway domain name.
7. v-gateway v-gateway-name http-redirect enable //Enable HTTP redirection on the virtual gateway.
8. v-gateway v-gateway-name max-user max-user //Modify the maximum number of virtual gateway users. The default value is 1.
9. v-gateway v-gateway-name cur-max-user cur-max-user //Modify the maximum number of concurrent users of the virtual gateway.
10. v-gateway v-gateway-name max-resource max-resource //Modify the maximum number of resources on the virtual gateway. The default value is 1.

Maximum number of concurrent SSL VPN connections on the firewall
Configuring the maximum number of concurrent SSL VPN users on the USG
v-gateway cur-max-user
The v-gateway cur-max-user command modifies the maximum number of concurrent users supported by a virtual gateway. By default, the maximum number of concurrent users is the number of concurrent users allowed by the system license. The undo v-gateway cur-max-user command restores the default value.
Syntax
v-gateway v-gateway-name cur-max-user cur-max-user
undo v-gateway v-gateway-name cur-max-user
Parameter Description
v-gateway-name: virtual gateway name.
cur-max-user cur-max-user: maximum number of concurrent users supported by the virtual gateway.
Usage Guide
The maximum number of concurrent users supported by the USG is controlled by the license, and the license also caps the total number of concurrent users across all virtual gateways of the USG. The maximum number of concurrent users of a virtual gateway (cur-max-user) must be smaller than the maximum number of users configured for that virtual gateway (max-user). By default, the maximum number of concurrent users of a new virtual gateway is determined as follows:
If a concurrent user limit has already been set on other virtual gateways, the new virtual gateway gets the number of concurrent users remaining under the system license.
If no concurrent user limit has been set on any virtual gateway, the new virtual gateway gets the full number of concurrent users allowed by the system license.
Example
system-view
[sysname] v-gateway abc cur-max-user 20 //Set the maximum number of concurrent users on virtual gateway abc to 20.

How to delete the configuration of SSL VPN on an AR
1. Log in to the web system and choose VPN > SSL VPN. The Virtual Gateway Management page is displayed. Click Delete, then click Yes in the dialog box. The virtual gateway is removed from the virtual gateway list.
2. Alternatively, delete the virtual gateway from the CLI:
system-view
[Huawei] undo sslvpn gateway huawei //huawei is the name of the virtual gateway.

Support for SSL VPN on the USG
Support of USG series firewalls for the SSL VPN function
1. The USG2100, USG2200, and USG5100 BSR do not support SSL VPN.
2. On the USG2000 and USG5000 running V300R001, SSL VPN can be configured only from the CLI (not from the web UI) in V300R001C00SPCa00 and V300R001C00SPCb00; the other V300R001 versions support configuration from both the web UI and the CLI.
3. The USG6000 series firewalls support SSL VPN.

Working principle of SSL VPN on the USG
Working principle of Secure Sockets Layer (SSL) VPN on the USG
1. Concept
SSL is a security protocol that provides secure connections for TCP-based application layer protocols. It is widely used in e-commerce and e-banking to protect data in transit. SSL provides connection confidentiality (encryption), peer authentication (certificates), and message integrity (message authentication codes).
2. SSL protocol layers
The SSL protocol consists of two layers.
a. Lower layer: the SSL record protocol
The record protocol fragments upper-layer data into records, optionally compresses each record, computes a message authentication code (MAC) over it, encrypts the result, and transmits it to the peer. Only the record header (content type, version, length) stays in the clear.
b. Upper-layer protocols
(1) SSL handshake protocol: the client and server negotiate a session. A session is a set of parameters: the session ID, the peer's certificate, the cipher suite (key exchange algorithm, data encryption algorithm, and MAC algorithm), the compression algorithm, and the master secret. One session can be shared by multiple connections (session reuse), which reduces the negotiation overhead; this is the function that ssl session-reuse enable switches on.
(2) SSL change cipher spec protocol: each side uses it to notify the peer that subsequent records are protected with the newly negotiated cipher suite and keys.
(3) SSL alert protocol: used by either party to report an alert to the other. The message carries the alert level (warning or fatal) and a description.
3. SSL VPN services
SSL VPN on the USG provides four types of service:
a. Web proxy: lets users access web servers on the internal network through the USG; it provides HTTP-based web services to users.
b. Network extension: after the user installs the USG network extension client on the local PC, a virtual NIC is created and the user communicates with the intranet over SSL through that virtual NIC.
c. Port forwarding: a non-web application mode that secures access to TCP-based applications; access is controlled at the application level.
d. File sharing: presents shared resources on Windows systems (Server Message Block, SMB) or Linux systems (Network File System, NFS) to users as web pages.
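To make the record-layer description concrete, the following is an added example (not from the page or from any Huawei product) that walks a byte stream of SSL/TLS records, reads the 5-byte header that every record carries, and classifies each record by the upper-layer protocol it carries: handshake, change cipher spec, alert or application data. It also shows the change cipher spec boundary: once it has passed, the fragments are MAC'd and encrypted and only the header can still be read. The byte strings are constructed by hand; the handshake-type and alert-description tables are small subsets of the real ones, and the single encrypted flag models one direction of traffic only.

```python
"""Classify SSL/TLS records by the sub-protocol they carry.

Added example, not from the page or from Huawei. Only the record-layer header
format is used; it is the same in SSLv3 and TLS 1.0. All byte strings are
constructed by hand.
"""
import struct
from typing import List

RECORD_HEADER = struct.Struct("!BBBH")   # content type, major, minor, fragment length
MAX_FRAGMENT = 2 ** 14 + 2048            # largest ciphertext fragment (RFC 2246, 6.2.3)

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS1.0"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}  # subset
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}  # subset


def describe_fragment(ctype: int, fragment: bytes, encrypted: bool) -> str:
    """Interpret a fragment the way the upper-layer protocol would."""
    if encrypted:
        # After change_cipher_spec the fragment is MAC'd and encrypted; only the
        # 5-byte header is still readable, so nothing more can be said here.
        return "encrypted"
    if ctype == 20:
        return "cipher spec changed" if fragment == b"\x01" else "malformed"
    if ctype == 21:
        if len(fragment) != 2:
            return "malformed"
        level = ALERT_LEVELS.get(fragment[0], f"level {fragment[0]}")
        desc = ALERT_DESCRIPTIONS.get(fragment[1], f"description {fragment[1]}")
        return f"{level} {desc}"
    if ctype == 22:
        # Handshake message: 1-byte type, 3-byte length, body. One message per record here.
        if len(fragment) < 4 or int.from_bytes(fragment[1:4], "big") != len(fragment) - 4:
            return "malformed"
        return HANDSHAKE_TYPES.get(fragment[0], f"handshake type {fragment[0]}")
    return "opaque application data"


def parse_records(stream: bytes) -> List[dict]:
    """Split a byte stream into records and describe each one."""
    records: List[dict] = []
    offset = 0
    encrypted = False   # models one direction: flips when that side sends change_cipher_spec
    while offset < len(stream):
        if len(stream) - offset < RECORD_HEADER.size:
            raise ValueError("truncated record header")
        ctype, major, minor, length = RECORD_HEADER.unpack_from(stream, offset)
        offset += RECORD_HEADER.size
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if length > MAX_FRAGMENT:
            raise ValueError("fragment length exceeds protocol maximum")
        fragment = stream[offset:offset + length]
        if len(fragment) != length:
            raise ValueError("truncated record fragment")
        offset += length
        records.append({
            "type": CONTENT_TYPES[ctype],
            "version": VERSIONS.get((major, minor), f"{major}.{minor}"),
            "length": length,
            "detail": describe_fragment(ctype, fragment, encrypted),
        })
        if ctype == 20:
            encrypted = True   # everything after this record is under the new keys
    return records


def _record(ctype: int, payload: bytes, version=(3, 1)) -> bytes:
    """Build one record: header plus fragment (constructed test data only)."""
    return RECORD_HEADER.pack(ctype, version[0], version[1], len(payload)) + payload


# Constructed streams. The ClientHello body is just client_version + 32-byte random.
CLIENT_HELLO_BODY = b"\x03\x01" + bytes(32)
HANDSHAKE_STREAM = (
    _record(22, b"\x01" + len(CLIENT_HELLO_BODY).to_bytes(3, "big") + CLIENT_HELLO_BODY)
    + _record(20, b"\x01")                        # change_cipher_spec
    + _record(22, bytes.fromhex("9f3a") * 8)      # Finished, already encrypted: opaque bytes
    + _record(23, bytes.fromhex("deadbeef"))      # application data, encrypted
)
ALERT_STREAM = _record(21, b"\x02\x28")           # fatal (2), handshake_failure (40)

if __name__ == "__main__":
    for rec in parse_records(HANDSHAKE_STREAM) + parse_records(ALERT_STREAM):
        print(rec)
```

The three upper-layer protocols the text lists map onto content types 22, 20 and 21; the fourth type, 23, carries the proxied application traffic once the handshake is complete.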
