The USG firewall defaults to the existence of an SSL VPN CA certificate

7

CA certificate needs to apply to CA certification body

Other related questions:
Whether the firewall has an SSL VPN CA certificate by default
You need to apply for the CA certificate towards the CA.

Working principle of SSL VPN on the USG
Working principle of Secure Sockets Layer (SSL) VPN on the USG 1. Concept SSL is a security protocol that provides security connections for application layer protocols that are based on TCP. The SSL protocol is widely applied in fields such as e-commerce and e-banking to ensure security for data transmitted over the network. SSL can implement connection privacy, identity authentication, and connection reliability. 2. SSL The SSL protocol is composed of two layers. a. Lower-layer protocol SSL record protocol The SSL record protocol divides upper-layer data into records, compresses and calculates the records, appends message authentication codes (MACs) to the records, encrypts the records, and then transmits the records to the peer party. b. Upper-layer protocols (1) SSL handshake protocol: The client and server establish a session through the handshake protocol. The session contains a group of parameters, including the session ID, certificate of the peer party, encryption algorithm list (including the key exchange algorithm, data encryption algorithm, and MAC algorithm), compression algorithm, and primary key. The SSL session can be shared by multiple connections to reduce the session negotiation overhead. (2) SSL change cipher spec protocol: The client and server notify the recipient through the SSL change cipher spec protocol that subsequent packets are protected and transmitted based on the newly negotiated encryption algorithm list and key. (3) SSL alert protocol: used by a party to report alarm information to the other party. The message carries the alarm severity and description. 3. SSL VPN provides four types of services: a. Web proxy The web proxy allows users to access web servers on the internal network through the USG and provides HTTP-based web services for users. b. Network extension After a user installs the network extension client of the USG on the local PC, a virtual NIC is generated. The user can then conduct SSL data communication with the intranet through this virtual NIC. c. Port forwarding As a non-web application mode, port forwarding provides security access for TCP-based applications. In port forwarding, user access is controlled at the application level. d. File sharing File sharing involves providing shared resources in Windows systems that support different server protocols such as the System Management Board (SMB) protocol, or Linux systems that support the Network File System (NFS) protocol as web pages to users.

Configuring the SSL VPN session lifetime on the firewall
The default SSL session timeout time is 5 minutes. You can run the ssl timeout command to set the timeout time. system-view [sysname] v-gateway abc [sysname-abc] basic [sysname-abc-basic] ssl timeout 10

Necessity for configuring SSL VPN certificate authentication on the firewall
Is SSL VPN certificate authentication necessary on the USG? During authentication and authorization, if users are required to provide certificates for authentication, certificate configurations are required. However, they are not mandatory.

The USG firewall configures the SSL VPN session timeout
By default, the SSL session timeout period is 5 minutes. The timeout time configuration command is ssl timeout. system-view [sysname] v-gateway abc [sysname-abc] basic [sysname-abc-basic] ssl timeout 10

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top