USG Firewall SSL VPN can access the internal network resources after logging in normally


USG firewall SSL VPN can access to the internal network resources

Other related questions:
Whether intranet resources can be accessed after proper login to SSL VPN on the firewall

USG firewall configure SSL VPN network extension
USG Firewall Configure SSL VPN to configure network extensions Network expansion refers to the user on the local PC to install the USG network extension client, generate a virtual network card, the user through the virtual network card and enterprise intranet for SSL data communication. Before the configuration to ensure that the license file has been loaded, the USG can access the internal network resources. Configuration ideas: 1. In the USG to create a virtual gateway, external network users through this virtual gateway to access the enterprise network resources. The IP address of the virtual gateway is the public address of the egress. 2. Configure the DNS server address and domain name of the internal network so that users can access the virtual gateway's service through the domain name. 3. Configure the network extension function, assign IP addresses to the external network users and add the intranet resources that the external network users can access. 4. Configure the authentication mode as a certificate challenge (secondary authentication mode: VPNDB) and configure the authentication mode as VPNDB. 5. Add a VPNDB user. VPNDB user name that is the name of the client certificate, VPNDB password is the external network user login virtual gateway need to enter the password. 6. Configure the virtual gateway source IP policy. 7. Install the client certificate for the CA certificate on the PC side where you want to access the virtual gateway.

Whether the USG supports resource access control for SSL VPN users
The USG controls the resources accessible to SSL VPN users. On the USG2000 or USG5000, access control policies can be configured. There are three types of access control policies: 1. Source IP address: The USG determines whether a user can access internal resources based on the source IP address. 2. Destination IP address: The USG determines whether a user can access internal resources based on the destination IP address and port. 3. Uniform resource locator (URL): The USG determines whether a user can access internal resources based on the resource URL. Access control policies can apply to users or user groups. On the USG6000, access control can be implemented based on roles. The details are as follows: 1. Service enablement: Specify services available for specified roles, including web proxy, network extension, file sharing, and port forwarding. 2. Resource authorization: Specify accessible resources if a specified service is enabled. If no resource is specified, users of the specified role cannot access any resources. After the network extension service is enabled, users can access all IP resources.

Working principle of SSL VPN on the USG
Working principle of Secure Sockets Layer (SSL) VPN on the USG 1. Concept SSL is a security protocol that provides security connections for application layer protocols that are based on TCP. The SSL protocol is widely applied in fields such as e-commerce and e-banking to ensure security for data transmitted over the network. SSL can implement connection privacy, identity authentication, and connection reliability. 2. SSL The SSL protocol is composed of two layers. a. Lower-layer protocol SSL record protocol The SSL record protocol divides upper-layer data into records, compresses and calculates the records, appends message authentication codes (MACs) to the records, encrypts the records, and then transmits the records to the peer party. b. Upper-layer protocols (1) SSL handshake protocol: The client and server establish a session through the handshake protocol. The session contains a group of parameters, including the session ID, certificate of the peer party, encryption algorithm list (including the key exchange algorithm, data encryption algorithm, and MAC algorithm), compression algorithm, and primary key. The SSL session can be shared by multiple connections to reduce the session negotiation overhead. (2) SSL change cipher spec protocol: The client and server notify the recipient through the SSL change cipher spec protocol that subsequent packets are protected and transmitted based on the newly negotiated encryption algorithm list and key. (3) SSL alert protocol: used by a party to report alarm information to the other party. The message carries the alarm severity and description. 3. SSL VPN provides four types of services: a. Web proxy The web proxy allows users to access web servers on the internal network through the USG and provides HTTP-based web services for users. b. Network extension After a user installs the network extension client of the USG on the local PC, a virtual NIC is generated. The user can then conduct SSL data communication with the intranet through this virtual NIC. c. Port forwarding As a non-web application mode, port forwarding provides security access for TCP-based applications. In port forwarding, user access is controlled at the application level. d. File sharing File sharing involves providing shared resources in Windows systems that support different server protocols such as the System Management Board (SMB) protocol, or Linux systems that support the Network File System (NFS) protocol as web pages to users.

USG firewall SSL VPN Intranet server access number is limited by the firewall specification
Not subject to firewall specifications

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top