Understanding SSL VPN: Architecture, Features, and Deployment Scenarios
This article explains SSL VPN technology, its advantages over IPSec, core components such as virtual gateways, web proxies, file sharing, port forwarding, network expansion, terminal security, logging, and authentication methods, and provides practical configuration steps and deployment scenarios for secure remote access.
SSL VPN Overview
SSL VPN terminates a TLS session between the remote user's browser (or a lightweight client) and the gateway and protects the application traffic that crosses that session. Only the resources the gateway publishes (web pages, file shares, forwarded TCP ports) are reachable, and unless network extension is enabled no IP-level tunnel is built, so basic remote access needs nothing more than a browser and avoids the overhead of full-tunnel encryption.
Why IPSec Falls Short
IPSec works at the network layer. Its ESP packets carry no port numbers, so NAT devices on the path cannot translate them without NAT traversal (UDP encapsulation), and every remote user needs a dedicated IPSec client that administrators have to distribute, configure and keep patched. That overhead is acceptable for site-to-site links but poorly suited to point-to-site access by mobile users.
SSL VPN Functional Architecture
The SSL VPN function is organised around virtual gateways. Each virtual gateway is an independently managed SSL VPN instance with its own published resources, users, authentication methods and access-control rules, so different departments or user groups can be given isolated access domains on one device.
Virtual Gateway
A separate virtual gateway can be assigned to each department. Users who log in to one gateway see only the resources published on it, so the departments' access domains are completely isolated even though they share the same physical device.
Web Proxy
The web proxy accepts HTTPS requests from the remote browser, forwards them to internal web servers and enforces permissions at URL level, so a user can be limited to specific pages rather than whole hosts. Two implementations exist: Web-link, which forwards requests through a browser-side ActiveX control and therefore works only in browsers that support ActiveX (Internet Explorer), and Web-rewrite, in which the gateway rewrites the URLs in every returned page so that links point back through the gateway. Web-rewrite needs no browser plug-in but can miss URLs that are built dynamically by scripts.
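The core of the Web-rewrite approach, as an added example that is not the USG's own code: outbound, every link in a page fetched from an intranet server is rewritten to point back through the gateway; inbound, a gateway URL is mapped back to the internal target and anything outside the published hosts is refused, which is where URL-level control and protection against open-proxy abuse come from. The gateway name, the host list and the /webproxy/ path layout are assumptions, and the attribute regex is a simplified core (a real rewriter also has to handle CSS url(), inline scripts and redirects).

```python
"""Added example: minimal web-rewrite mapping (illustrative, not USG code)."""
import re
from urllib.parse import urljoin, urlsplit

GATEWAY = "https://vpn.example.com"                                 # assumed gateway name
ALLOWED_HOSTS = {"intranet.example.local", "wiki.example.local"}   # assumed published hosts

# Attributes that carry URLs; simplified core of a real rewriter.
ATTR_RE = re.compile(r'\b(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)


def rewrite_url(url, base):
    """Resolve `url` against the page it came from and return the gateway URL,
    or None when the target is not a published host (URL-level control).
    Non-http schemes such as javascript: are refused as well."""
    parts = urlsplit(urljoin(base, url))
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return None
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"{GATEWAY}/webproxy/{parts.scheme}/{parts.hostname}{target}"


def rewrite_html(html, base):
    """Rewrite all link attributes in `html`.  Links to non-published hosts are
    neutralised instead of passed through, so the gateway cannot be used as an
    open proxy to arbitrary internal or external hosts."""
    def repl(m):
        attr, quote, url = m.groups()
        new = rewrite_url(url, base)
        return f"{attr}={quote}{new if new else '#blocked'}{quote}"
    return ATTR_RE.sub(repl, html)


def resolve_gateway_path(path):
    """Inverse mapping for an incoming request path, e.g.
    /webproxy/http/intranet.example.local/docs/a.html?x=1
    -> http://intranet.example.local/docs/a.html?x=1
    Returns None for malformed paths or hosts that are not published."""
    prefix = "/webproxy/"
    if not path.startswith(prefix):
        return None
    pieces = path[len(prefix):].split("/", 2)
    if len(pieces) < 2:
        return None
    scheme, host = pieces[0], pieces[1]
    tail = "/" + (pieces[2] if len(pieces) == 3 else "")
    if scheme not in ("http", "https") or host not in ALLOWED_HOSTS:
        return None
    return f"{scheme}://{host}{tail}"


if __name__ == "__main__":
    # Constructed sample page as returned by the internal server.
    page = ('<a href="/docs/a.html">docs</a> '
            '<img src="//wiki.example.local/logo.png"> '
            '<a href="http://evil.example.com/">outside</a>')
    print(rewrite_html(page, "http://intranet.example.local/index.html"))
```

Note that the inbound check is the one that matters for security: the outbound rewrite only shapes what the browser sees, and a user can type any /webproxy/ path by hand, so the gateway must re-validate the host on every request.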
File Sharing
The client sends HTTPS requests to the USG firewall, which acts as an SMB client on the user's behalf: it converts the request to SMB, forwards it to the internal file server, and converts the SMB response back into HTTPS for the browser. The file server is never exposed to the remote network and SMB never leaves the intranet.
Port Forwarding
Port forwarding publishes TCP applications that use a fixed port (Telnet, SSH, RDP, VNC) as well as dynamic-port applications that negotiate additional connections (FTP, Oracle), all under the same access-control rules. The user connects through a standard browser rather than a dedicated VPN client.
Network Expansion
Network extension builds an IP tunnel between the client and the gateway so that any IP application can reach the intranet. Three modes decide where the client's traffic goes. Split mode: remote intranet destinations go through the tunnel, the local LAN remains reachable directly, and the Internet is not reachable. Full-routing mode: all traffic is sent into the tunnel, so only the remote intranet is reachable. Manual mode: only the intranet routes the administrator pushes go through the tunnel, and the local LAN and Internet stay reachable directly. Split and manual mode leave the endpoint connected to two networks at once, so a compromised endpoint can bridge them; full-routing mode is the safer default for users on untrusted networks.
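The three modes as a route decision, added here as an example and not taken from the USG: for a destination address, which way does the client's packet go? The intranet prefixes, the manually pushed routes and the client's local LAN are constructed sample values.

```python
"""Added example: client-side route selection for the three network-extension
modes.  Prefixes are constructed sample values, not from any real deployment."""
import ipaddress

REMOTE_INTRANET = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("172.16.0.0/12")]        # assumed intranet
MANUAL_ROUTES = [ipaddress.ip_network("10.1.0.0/16")]           # assumed routes pushed in manual mode
LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")              # assumed remote user's own LAN


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def tunnel_routes(mode, intranet=REMOTE_INTRANET, manual=MANUAL_ROUTES):
    """Prefixes the client installs towards the tunnel interface in each mode."""
    if mode == "full":
        return ["0.0.0.0/0"]                     # default route captures everything
    if mode == "split":
        return [str(n) for n in intranet]
    if mode == "manual":
        return [str(n) for n in manual]
    raise ValueError(f"unknown mode {mode!r}")


def next_hop(dest, mode, intranet=REMOTE_INTRANET, manual=MANUAL_ROUTES,
             local_lan=LOCAL_LAN):
    """Return 'tunnel', 'direct' or 'unreachable' for a destination address.

    full:   every packet enters the tunnel; the gateway forwards only intranet
            destinations, so local LAN and Internet effectively dead-end.
    split:  intranet via tunnel, local LAN directly, Internet blocked.
    manual: only the pushed routes via tunnel, everything else directly
            (local LAN and Internet stay reachable)."""
    ip = ipaddress.ip_address(dest)
    if mode == "full":
        return "tunnel" if _in_any(ip, intranet) else "unreachable"
    if mode == "split":
        if _in_any(ip, intranet):
            return "tunnel"
        return "direct" if ip in local_lan else "unreachable"
    if mode == "manual":
        return "tunnel" if _in_any(ip, manual) else "direct"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for mode in ("full", "split", "manual"):
        print(mode, tunnel_routes(mode),
              [next_hop(d, mode) for d in ("10.1.2.3", "10.200.0.1", "192.168.1.10", "8.8.8.8")])
```

The `manual` row is the one to look at when reviewing a deployment: a host that reaches 8.8.8.8 directly while 10.1.0.0/16 is tunnelled is simultaneously on the Internet and on the corporate network.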
Packet Encapsulation
Network extension carries tunnelled IP packets in one of two transmission modes, each with its own encapsulation. Reliable transmission mode encapsulates the packets inside the TLS session over TCP, so they inherit TCP's ordering and retransmission but suffer when a TCP application inside the tunnel also retransmits (the TCP-over-TCP problem). Fast transmission mode encapsulates the packets in UDP datagrams, which avoids that problem but means the tunnel itself offers no ordering or delivery guarantee.
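What the two encapsulations demand of the receiver, as an added illustrative example (this is not the USG's wire format): over a TLS byte stream each tunnelled packet needs an explicit length prefix and the receiver must cope with partial reads; over UDP each datagram is one packet, so framing is free, but packets can be lost, reordered or replayed, so the receiver needs a sequence number and an anti-replay window. The 2-byte length header, the 4-byte sequence header and the window size are assumptions.

```python
"""Added example: stream framing (reliable mode) versus datagram framing with an
anti-replay window (fast mode).  Header layouts are assumed, not USG's."""
import struct

STREAM_HDR = struct.Struct("!H")   # assumed: 2-byte big-endian packet length
DGRAM_HDR = struct.Struct("!I")    # assumed: 4-byte big-endian sequence number


def frame_stream(packets):
    """Encode raw IP packets as one byte string for the TLS/TCP stream."""
    return b"".join(STREAM_HDR.pack(len(p)) + p for p in packets)


def deframe_stream(buf):
    """Return (complete_packets, leftover).  Leftover belongs to a packet that
    has not fully arrived and must be prepended to the next read."""
    out, pos = [], 0
    while pos + STREAM_HDR.size <= len(buf):
        (length,) = STREAM_HDR.unpack_from(buf, pos)
        if length == 0:
            raise ValueError("zero-length frame")      # malformed peer, drop the session
        end = pos + STREAM_HDR.size + length
        if end > len(buf):
            break                                      # partial packet, wait for more bytes
        out.append(buf[pos + STREAM_HDR.size:end])
        pos = end
    return out, buf[pos:]


def frame_datagram(seq, packet):
    """One tunnelled packet per UDP datagram, prefixed with its sequence number."""
    return DGRAM_HDR.pack(seq) + packet


class DatagramReceiver:
    """Anti-replay window for fast mode: accept each sequence number once and
    reject anything more than `window` behind the highest number seen."""

    def __init__(self, window=64):
        self.window = window
        self.highest = -1
        self.seen = set()

    def receive(self, dgram):
        """Return the inner packet, or None if the datagram is rejected."""
        if len(dgram) < DGRAM_HDR.size:
            return None                                # truncated header
        (seq,) = DGRAM_HDR.unpack_from(dgram)
        if seq in self.seen or seq <= self.highest - self.window:
            return None                                # replay, or too old for the window
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        return dgram[DGRAM_HDR.size:]


if __name__ == "__main__":
    # Constructed sample "IP packets" (first byte 0x45 as an IPv4 header would start).
    pkts = [b"\x45" + b"A" * 19, b"\x45" + b"B" * 39]
    stream = frame_stream(pkts)
    first, rest = deframe_stream(stream[:25])          # simulate a short read
    second, rest = deframe_stream(rest + stream[25:])
    print(len(first), len(second), rest == b"")
    rx = DatagramReceiver(window=4)
    print([rx.receive(frame_datagram(s, b"x")) for s in (1, 1, 2, 10, 5, 7)])
```

In a real tunnel the sequence number is covered by the record layer's integrity check, so a replayed datagram is rejected before the payload is ever handed to the IP stack; without that check the window only protects against accidental duplicates.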
Terminal Security
Terminal security is enforced on the endpoint before access is granted. Host checks verify antivirus, firewall, registry keys, files, open ports, running processes and the operating system version against policy, and a host that fails is denied. Cache cleaning runs when the session ends and removes temporary Internet files, saved passwords, cookies, browsing history, recycle-bin entries and any administrator-specified files or folders, so no session data is left on a shared or public machine. The checks are reported by software on the endpoint, so they raise the bar against careless users but are not proof against a deliberately compromised host.
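A host-check policy evaluated against an endpoint report, added here as an example and not the USG's own checker. The report is a constructed stand-in for what a client-side agent would collect; the policy keys, the EDR process name, the registry key and the forbidden file path are all hypothetical. The point to copy is that the decision fails closed and that every failed check is reported, not just the first.

```python
"""Added example: host-check policy evaluation (illustrative, not USG code)."""
from dataclasses import dataclass, field


@dataclass
class HostReport:
    """Constructed stand-in for the data a client-side host-check agent submits."""
    os: str
    antivirus_running: bool
    firewall_enabled: bool
    processes: set = field(default_factory=set)
    listening_ports: set = field(default_factory=set)
    registry: dict = field(default_factory=dict)
    files: set = field(default_factory=set)


# Hypothetical policy: names, key and path are assumptions for the example.
POLICY = {
    "allowed_os": {"Windows 10", "Windows 11"},
    "require_antivirus": True,
    "require_firewall": True,
    "required_processes": {"edr-agent.exe"},
    "forbidden_ports": {4444, 5900},
    "required_registry": {r"HKLM\SOFTWARE\Example\Hardened": "1"},
    "forbidden_files": {r"C:\tools\forbidden.exe"},
}


def evaluate(report, policy):
    """Return the list of failed checks; an empty list means the host complies."""
    failures = []
    if report.os not in policy["allowed_os"]:
        failures.append(f"os: {report.os} not allowed")
    if policy["require_antivirus"] and not report.antivirus_running:
        failures.append("antivirus: not running")
    if policy["require_firewall"] and not report.firewall_enabled:
        failures.append("firewall: disabled")
    for proc in sorted(policy["required_processes"] - report.processes):
        failures.append(f"process: {proc} missing")
    for port in sorted(policy["forbidden_ports"] & report.listening_ports):
        failures.append(f"port: {port} listening")
    for key, want in policy["required_registry"].items():
        if report.registry.get(key) != want:
            failures.append(f"registry: {key} != {want}")
    for path in sorted(policy["forbidden_files"] & report.files):
        failures.append(f"file: {path} present")
    return failures


def decide(report, policy=POLICY):
    """Fail closed: any failure denies access.  Returns (verdict, failures) so
    the failures can be logged and shown to the user for remediation."""
    failures = evaluate(report, policy)
    return ("allow" if not failures else "deny", failures)


if __name__ == "__main__":
    good = HostReport("Windows 11", True, True, {"edr-agent.exe"}, {443},
                      {r"HKLM\SOFTWARE\Example\Hardened": "1"})
    bad = HostReport("Windows 7", False, True, set(), {4444, 80}, {},
                     {r"C:\tools\forbidden.exe"})
    print(decide(good))
    print(decide(bad))
```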
Logging
Logging covers virtual-gateway administrator logs, user logs (logins, logouts and resource access) and system logs, and the logs can be queried and exported for audit or for ingestion by a central log platform.
Authentication and Authorization
Certificate-anonymous authentication validates the client's certificate at the gateway (issuer chain, validity period and revocation status) and takes the user's identity from the certificate, with no password. Certificate-challenge authentication requires the certificate and, in addition, a username and password checked against the local user database or an external authentication server; the combined result determines the user's access rights. Because anonymous mode grants access to whoever holds the private key, it should be paired with revocation checking so that a lost or stolen certificate can be cut off promptly.
SSL VPN Application Scenarios
Typical uses are remote access for employees (web proxy, port forwarding or network extension, depending on the application), secure file sharing with internal file servers, and controlled browsing of internal web sites with URL-level permissions.
Single‑Arm and Dual‑Arm Network Modes
In single-arm mode the gateway uses one interface for both external and internal traffic and hangs off the existing network, so routing (and often NAT) must be arranged so that traffic to and from the remote users passes through it. In dual-arm mode it sits inline with one interface towards the Internet and one towards the intranet, which simplifies routing and NAT configuration.
Configuration Steps
1. Configure the interfaces (an external address reachable by remote users and an internal address towards the resources) and assign them to security zones.
2. Configure security policies: permit HTTPS from the untrust zone to the firewall itself (the local zone), where the virtual gateway terminates TLS, and permit traffic from SSL VPN users to the trust zone only for the resources that will be published.
3. Configure the VPN database: the users and groups that may log in, or the external authentication server that vouches for them.
4. Set up the virtual gateway: its address and port, server certificate, authentication method and the users or groups allowed on it.
5. Select the business services to expose (web proxy resources, file shares, port-forwarding targets or network-extension routes) and bind them to users or groups.
Keep the published resources and the security policies that allow them to the minimum the users need; anything not explicitly published stays unreachable. These steps give a functional and secure SSL VPN deployment.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.