SSL VPN > Server Settings

The SSL VPN > Server Settings page configures details of the firewall’s behavior as an SSL VPN server.

You configure the Virtual Office portal through settings in the following sections:

•	SSL VPN Status on Zones

•	SSL VPN Server Settings

•	RADIUS User Settings

•	SSL VPN Client Download URL

SSL VPN Status on Zones

This section displays the SSL VPN Access status on each zone:

•	Green indicates active SSL VPN status.

•	Red indicates inactive SSL VPN status.

To enable or disable SSL VPN access, click the zone name.

SSL VPN Server Settings

Topics:

•	About Suite B Cryptography

•	Configuring the SSL VPN Server

About Suite B Cryptography

SonicOS supports Suite B cryptography, which is a set of cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program. It serves as an interoperable cryptographic base for both classified and unclassified information. Suite B cryptography is approved by National Institute of Standards and Technology (NIST) for use by the U.S. Government.

NOTE: There is also a Suite A that is defined by the NSA, but is used primarily in applications where Suite B is not appropriate.

Most of the Suite B components are adopted from the FIPS standard:

•	Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits (provides adequate protection for classified information up to the SECRET level).

•	Elliptic Curve Digital Signature Algorithm (ECDSA) - digital signatures (provides adequate protection for classified information up to the SECRET level).

•	Elliptic Curve Diffie-Hellman (ECDH) - key agreement (provides adequate protection for classified information up to the SECRET level).

•	Secure Hash Algorithm 2 (SHA-256 and SHA-384) - message digest (provides adequate protection for classified information up to the TOP SECRET level).

Configuring the SSL VPN Server

The following settings configure the SSL VPN server:

•	SSL VPN Port - Enter the SSL VPN port number in the field. The default is 4433.

•	Certificate Selection – From this drop-down menu, select the certificate that will be used to authenticate SSL VPN users. The default method is Use Selfsigned Certificate.

To manage certificates, go to the System > Certificates page.

NOTE: On NSA 2600 and above appliances, you can configure Suite B mode and specify cipher preferences in the following two settings.

•	Enable SuiteB Mode in SSL VPN – Select this checkbox to enable SSL VPN Suite B mode. This option is not selected by default.

•	Enable Server Cipher Preference – Select this checkbox to configure a preferred cipher method. This option is not selected by default.

•	Select a cipher from the Cipher Methods drop-down menu:

•	RC4_MD5 (default)

•

3DES_SHA1

•	AES256_SHA1

•	User Domain – Enter the user’s domain, which must match the domain field in the NetExtender client. The default is LocalDomain.

•	Enable Web Management over SSL VPN – To enable web management over SSL VPN, select Enabled from this drop-down menu. The default is Disabled.

•	Enable SSH Management over SSL VPN – To enable SSH management over SSL VPN, select Enabled from this drop-down menu. The default is Disabled.

•	Inactivity Timeout (minutes) – Enter the number of minutes of inactivity before logging out the user. The default is 10 minutes.

RADIUS User Settings

This section is available only when either RADIUS or LDAP is configured to authenticate SSL VPN users.

•	Use RADIUS in – Select this checkbox to have RADIUS use MSCHAP (or MSCHAPv2) mode. Enabling MSCHAP-mode RADIUS will allow users to change expired passwords at login time. Choose between these two modes:

NOTE: In LDAP, password updates can only be done when using either Active Directory with TLS and binding to it using an administrative account or Novell eDirectory. If this option is set when is selected as the authentication method of log in on the Users > Settings page, but LDAP is not configured in a way that allows password updates, then password updates for SSL VPN users are performed using MSCHAP-mode RADIUS after using LDAP to authenticate the user.

•

MSCHAP

•	MSCHAPV2 mode (allows users to change expired passwords)

SSL VPN Client Download URL

This section allows you to download client SSL VPN files to your HTTP server.

•	Click here to download the SSL VPN zip file which includes all SSL VPN client files – To download from the appliance, click the Click here link to display an Opening application.zip dialog:

Open and unzip the file, and then put the folder on your HTTP server.

•	Use customer’s HTTP server as downloading URL: (http://) – Select this checkbox to enter your SSL VPN client download URL in the supplied field.