SSL VPN Technology Overview and Configuration Guide
This article provides a comprehensive overview of SSL VPN technology, detailing its advantages over IPSec, core functions such as virtual gateways, web proxy, file sharing, port forwarding, network extension, endpoint security, logging, authentication methods, typical application scenarios, and step‑by‑step configuration procedures.
SSL VPN Technology
SSL VPN encrypts application-layer data exchanged between the communicating parties. IPSec, by contrast, encrypts all traffic at the network layer and often cannot traverse NAT devices or firewalls, which makes it unsuitable for many remote access scenarios.
SSL VPN Functional Technologies
Virtual Gateway – Each virtual gateway is independently manageable, allowing configuration of resources, users, authentication methods, access control rules, and administrators. Multiple virtual gateways can isolate access for different departments or user groups.
Web Proxy – The proxy forwards HTTPS requests from remote browsers to web servers and returns responses, enabling URL‑level access control. It can be implemented via Web‑Link (ActiveX) or Web‑Rewrite (script‑based link rewriting).
File Sharing – The client sends HTTPS requests to the internal file server via the USG firewall, which converts them to SMB, forwards them, and then converts SMB responses back to HTTPS for the client.
Port Forwarding – Supports a wide range of static and dynamic TCP applications (e.g., Telnet, SSH, RDP, VNC, Lotus Notes, Outlook, FTP, Oracle) with port‑level access control and encrypted authentication.
Network Extension – Offers three modes: Split mode (access to the internal network and the local LAN, but not the Internet), Full‑routing mode (access only to the internal network), and Manual mode (selected internal networks are reachable through the tunnel while Internet and LAN access is preserved).
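The Web‑Rewrite variant of the web proxy described above, as an added Python example that is not from the page or from any vendor implementation: it rewrites the links of a proxied page so the browser only ever opens HTTPS to the virtual gateway, and enforces URL‑level access control against the gateway's resource list. The gateway host name, the resource list and the /webproxy/ path layout are assumptions.

```python
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

GATEWAY_HOST = "vgw.example.com"  # assumed virtual gateway address (not from the page)

# Resource list of the virtual gateway: internal host -> allowed path prefixes
# (constructed sample); anything not listed is outside the user's authorization.
ALLOWED_RESOURCES = {
    "intranet.corp.example": ["/"],
    "hr.corp.example": ["/portal/"],
}

# href/src/action attributes in the returned HTML (quoted values only).
LINK_ATTR = re.compile(r'(?i)\b(href|src|action)=(["\'])([^"\']*)\2')


def rewrite_url(url, page_url):
    """Map one link to its gateway form.

    Returns (gateway_url, True) for an authorized resource, (url, True) for
    non-web schemes such as mailto:, and (None, False) for a blocked target.
    """
    parts = urlsplit(urljoin(page_url, url))
    if parts.scheme not in ("http", "https"):
        return url, True
    path = parts.path or "/"
    prefixes = ALLOWED_RESOURCES.get(parts.hostname, [])
    if not any(path.startswith(p) for p in prefixes):
        return None, False
    # The real host moves into the gateway path: the browser only ever opens
    # HTTPS to the gateway, which fetches the internal page on the user's behalf.
    return urlunsplit(("https", GATEWAY_HOST,
                       f"/webproxy/{parts.hostname}{path}",
                       parts.query, parts.fragment)), True


def rewrite_html(html, page_url):
    """Rewrite every link in a proxied page; return (new_html, blocked_urls)."""
    blocked = []

    def repl(match):
        attr, quote, url = match.groups()
        new_url, allowed = rewrite_url(url, page_url)
        if not allowed:
            blocked.append(url)  # record for the virtual gateway's user log
            new_url = "#"        # neutralise the link instead of leaking it
        return f"{attr}={quote}{new_url}{quote}"

    return LINK_ATTR.sub(repl, html), blocked
```

The blocked list is what a gateway would write to its user log, so unauthorized resource references inside proxied pages are visible to the administrator rather than silently dropped.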
Endpoint Security
Includes host inspection (antivirus, firewall, registry, file, port, process, OS checks) and cache cleaning (temporary files, passwords, cookies, history, recycle bin, specified files).
Logging Features – Provides log query, export, virtual gateway admin logs, user logs, and system logs.
Authentication and Authorization
Supports certificate‑based anonymous authentication, certificate‑challenge authentication (certificate + local username/password or certificate + server authentication), and role‑based access control derived from certificate fields.
SSL VPN Application Scenarios
Describes single‑arm and dual‑arm network topologies, NAT considerations, and routing requirements for remote users accessing internal resources.
SSL VPN Configuration Steps
Configure interfaces.
Configure security policies (allow SSL VPN traffic from Untrust to Local, and business traffic from Local to Trust).
Configure VPNDB.
Configure virtual gateway.
Select business services.