
Limitations and Precautions for SSL VPN

Hardware Requirements

USG6510E/6510E-POE/6530E do not support web proxy, file sharing, and port forwarding.

The SSL VPN function is supported by all models.

License Requirements

The number of concurrent SSL VPN users is license-controlled.

SSL VPN Gateway

  • The SecoClient that supports this version is no longer being developed and cannot be downloaded from the Huawei Support website. A previously downloaded SecoClient can still be used. SecoClient configuration examples and common configuration problems are retained in the document. When users need to use the SSL VPN function through client access, see VPN Client Download Description.
  • SSL VPN does not support IPv6.
  • After loading or changing the license, configuration of the maximum number of concurrent users is deleted from the device, and the administrator must configure the number again.
  • When a remote user uses the Windows 7, Windows 8.1, or Windows 2012 operating systems to access the SSL VPN virtual gateway, the system prompts the user to restart the computer. This is normal, and the user needs to save the operations and then restart the computer.
  • When SSL VPN uses RADIUS server authentication, the user name configured on the RADIUS server cannot contain an at sign (@).
  • SSL VPN users do not support if-authenticated authorization.
  • If certificate-anonymous or certificate-challenge authentication is implemented for users, the client certificate needs to be installed on the client browser. The client certificate must be in .p12, .pem (including a key), or .pfx format.
  • SSL VPN supports only TLS 1.0, TLS 1.1, and TLS 1.2. To use Internet Explorer to log in to a virtual gateway, ensure that the SSL/TLS protocol version set in Internet Explorer is one that SSL VPN supports. Otherwise, an exception may occur. For example, if SSL 2.0 is set in Internet Explorer and certificate-anonymous authentication is used to log in to the virtual gateway, the virtual gateway displays "Your certificate is invalid. Provide a valid certificate".
  • You are advised to upload the local certificate of the FW on the Network > SSL VPN > Public Configuration page in advance. The Internal name and commonName fields of the local certificate are the VPN gateway IP address that provides VPN services externally. When configuring the virtual gateway, select the client CA certificate that can be used to verify the local certificate. Otherwise, when a user logs in to the virtual gateway, the system displays a message indicating that the host name in the security certificate of the website is different from that of the website that the user is attempting to access. For details about how to create a certificate, see How Can I Clear the Alarm "Your certificate of calibration is illegal, continue to log in?".
  • SSL VPN is not supported in the load-balancing networking.
  • When the FW is deployed on the intranet with a NAT device in front of it and the SSL VPN network extension service is used, the SSL VPN tunnel can be established only in reliable transmission mode. To establish an SSL VPN tunnel in fast transmission mode, perform the following operations:
    • On the NAT device, configure NAT Server mapping for the TCP and UDP ports of the SSL VPN virtual gateway. When NAT mapping is performed for UDP ports, the Global port must be the same as the Inside port.
    • On the FW, configure a security policy to permit data traffic destined for the TCP and UDP ports of the virtual gateway.
  • When the virtual gateway and the DNS server reside in different virtual systems and the DNS resolution function is configured, also configure a source NAT policy in Easy IP mode that translates the source IP address of DNS request packets into the IP address of the Virtual-if interface of the virtual system where the virtual gateway resides. This is how DNS resolution across virtual systems is implemented.
  • The FW is configured with both the SSL VPN network extension and AD SSO functions. After an SSL VPN user logs in, network extension is enabled. Then another account is used to remotely log in to the AD server through network extension. In this case, two online user entries are generated on the FW, one for the SSL VPN user and the other for the AD SSO user. The two users have the same IP address, which is the virtual IP address delivered by the network extension function. As a result, the online SSL VPN user who goes online first is logged out.
Limitations on public IP address sharing among virtual gateways in different virtual systems are as follows:
  • Only one virtual gateway that shares the public IP address can be configured for each virtual system, and only one pair of IP addresses and ports can be configured for the virtual gateway using the public IP address.
  • The FW device can be configured with only one public IP address. The public configuration can only be made in the root system, while other configurations can be made in either the root system or the virtual system.
  • In the public IP address sharing scenario, the SSL versions cannot be configured for the exclusive mode virtual gateway; certificates, SSL versions, and cipher suites cannot be configured for the sharing mode virtual gateways, and these sharing mode virtual gateways can use only public configurations.
  • The Internet Explorer browser on Windows 2003 does not support carrying SNI information in packets.

    When you access an exclusive mode virtual gateway using a domain name and the Client Hello packet sent by the client does not carry SNI, the virtual gateway cannot be distinguished based on the domain name. In this case, the public certificate, SSL version, and cipher suite can be used to establish the SSL connection, and the virtual gateway is then distinguished based on the domain name carried in the HTTP packet.

    For system security, the exclusive mode virtual gateway is by default prohibited from establishing SSL connections using the public certificate and cipher suite. This function can be enabled in scenarios where the public certificate, SSL version, and cipher suite are required.

    The Client Hello packet sent by the client does not carry SNI in the following scenarios:

    • The Internet Explorer browser on Windows 2003 is used.
    • A browser that does not support SNI, for example, Nokia Browser for Symbian or IBM HTTP Server, is used.
  • For USG6610E/6620E, USG6630E/6650E, USG6680E and USG6712E/6716E, in certificate authentication scenarios, the RSA key length of the certificate must be set to 2048, 3072, or 4096. Otherwise, the SSL VPN negotiation using this certificate will be affected.
  • For USG6635E/6655E, USG6680E and USG6712E/6716E, when you create a virtual gateway in a virtual system, the vsys name cannot contain dots (.), colons (:), backslashes (\), or single quotation marks ('). Otherwise, the database of the virtual gateway fails to be restored after the device is restarted. The configurations such as role authorization, user group, and customized page are stored in the virtual gateway database. If the virtual gateway database fails to be restored, you cannot log in to the virtual gateway.
  • In SSL VPN access scenarios, when a role is associated with a user, you can specify only the user group to which the role belongs and its parent group, but not the parent group of the user group's parent group.
  • For interfaces in the public network: if an interface is bound to a VPN instance and SSL VPN link setup traffic enters through that interface, the firewall directly sends RST packets, and the SSL VPN link cannot be established.
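For the certificate key-length rule in the list above (an RSA key of 2048, 3072, or 4096 bits on the listed models), the following Python script, added here and not part of this page or of any Huawei tool, reads the modulus length from a SubjectPublicKeyInfo in PEM or DER form using only the standard library and compares it with the permitted sizes. The keys it constructs for demonstration are not real key pairs, and `ALLOWED_RSA_BITS` and the helper names are assumptions made for the example.

```python
import base64
import re

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1), tag and length included.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
ALLOWED_RSA_BITS = {2048, 3072, 4096}   # the lengths the text permits for these models


def _read_tlv(buf, pos):
    """Read one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _pem_to_der(data):
    """Accept PEM ("-----BEGIN PUBLIC KEY-----") or raw DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def rsa_key_bits(spki):
    """Return the RSA modulus length in bits from a SubjectPublicKeyInfo (PEM or DER)."""
    der = _pem_to_der(spki)
    tag, spki_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, alg_body, pos = _read_tlv(spki_body, 0)        # AlgorithmIdentifier
    if alg_tag != 0x30 or not alg_body.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    bs_tag, bit_string, _ = _read_tlv(spki_body, pos)       # subjectPublicKey BIT STRING
    if bs_tag != 0x03 or bit_string[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa_body, _ = _read_tlv(bit_string[1:], 0)           # RSAPublicKey SEQUENCE
    int_tag, modulus, _ = _read_tlv(rsa_body, 0)            # modulus INTEGER
    if int_tag != 0x02:
        raise ValueError("modulus must be an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def key_length_allowed(spki):
    """True if the key length is one of the sizes the text lists for certificate authentication."""
    return rsa_key_bits(spki) in ALLOWED_RSA_BITS


# --- helpers that construct sample input (not real keys) ----------------------------------

def _der(tag, body):
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _der_integer(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:                        # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def build_sample_spki(modulus_bits, exponent=65537):
    """Constructed SubjectPublicKeyInfo whose modulus has exactly modulus_bits bits (test data only)."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_public_key = _der(0x30, _der_integer(modulus) + _der_integer(exponent))
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # rsaEncryption, NULL parameters
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def to_pem(der):
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN PUBLIC KEY-----\n" + b"\n".join(lines) + b"\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    for bits in (1024, 2048, 3072, 4096):
        print(bits, "allowed" if key_length_allowed(build_sample_spki(bits)) else "NOT allowed")
```

For a real certificate, extract the public key with `openssl x509 -in cert.pem -noout -pubkey` and pass the resulting PEM to `key_length_allowed`; a certificate that fails the check should be reissued before it is uploaded, because the text states that SSL VPN negotiation with such a certificate is affected.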

Third-Party Server Authorization

If a third-party server is used to authorize an SSL VPN user, the user group is matched as follows:

  1. If the user already exists locally, the local user group takes effect on authorization.
  2. If the user does not exist locally, check whether New User Authentication Options is configured.
    1. New User Authentication Options is not configured.

      The user group configured on the authorization server takes effect on authorization.

    2. New User Authentication Options is configured.
      • If Prohibit new user login is selected, the user login request is rejected, and the authorization process is terminated.
      • If Add new users to a user group or security group is selected, the specified user group takes effect on authorization.
      • If Consider new users as temporary users and do not add them to the local user list is selected, the specified user group takes effect on authorization.
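The user-group matching procedure above, written out as a small Python model. This is an added example, not code from this page or from the FW; the option names follow the text, while the user names, group paths and the handling of a missing group are constructed for the example.

```python
from enum import Enum


class NewUserOption(Enum):
    """The New User Authentication Options states described in the procedure."""
    NOT_CONFIGURED = "not configured"
    PROHIBIT = "Prohibit new user login"
    ADD_TO_GROUP = "Add new users to a user group or security group"
    TEMPORARY = "Consider new users as temporary users and do not add them to the local user list"


def resolve_authorization_group(username, local_users, server_group,
                                option=NewUserOption.NOT_CONFIGURED, new_user_group=None):
    """Return the user group that takes effect for authorization, or None when login is rejected.

    local_users:    {username: local user group}  (constructed sample data below)
    server_group:   the group the third-party authorization server returned for this user
    new_user_group: the group specified with ADD_TO_GROUP or TEMPORARY
    """
    if username in local_users:                     # step 1: an existing local user keeps its local group
        return local_users[username]
    if option is NewUserOption.NOT_CONFIGURED:      # step 2.1: the server-side group applies
        return server_group
    if option is NewUserOption.PROHIBIT:            # step 2.2: the login request is rejected
        return None
    if new_user_group is None:                      # assumption: these options require a group
        raise ValueError(f"{option.value!r} requires a user group to be specified")
    return new_user_group                           # ADD_TO_GROUP and TEMPORARY: the specified group


# Constructed sample data: two local users and the group an authorization server might return.
SAMPLE_LOCAL_USERS = {"alice": "/default/engineering", "bob": "/default/finance"}


def walk_through(server_group="/default/contractors", new_user_group="/default/guests"):
    """Evaluate every branch for one local user and one new user; returns {case: effective group}."""
    local = SAMPLE_LOCAL_USERS
    return {
        "local user, any option": resolve_authorization_group("alice", local, server_group, NewUserOption.PROHIBIT),
        "new user, not configured": resolve_authorization_group("carol", local, server_group),
        "new user, prohibit": resolve_authorization_group("carol", local, server_group, NewUserOption.PROHIBIT),
        "new user, add to group": resolve_authorization_group("carol", local, server_group, NewUserOption.ADD_TO_GROUP, new_user_group),
        "new user, temporary": resolve_authorization_group("carol", local, server_group, NewUserOption.TEMPORARY, new_user_group),
    }


if __name__ == "__main__":
    for case, group in walk_through().items():
        print(f"{case:28s} -> {group if group is not None else 'login rejected'}")
```

The first branch is the one worth remembering when auditing access: a user that still exists locally keeps the local group no matter what the authorization server returns, so a stale local account is not corrected by a group change on the server.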

Supported Operating Systems and Browsers

Table 1 lists the operating systems and browsers supported by the SSL VPN feature.

When you log in to the SSL VPN gateway using a browser for the first time, install the ActiveX control as prompted. The ActiveX control is integrated in the patch file of the SSL VPN client, except on the USG6610E/6620E, USG6630E/6650E, USG6680E and USG6712E/6716E. The administrator needs to obtain the patch file and load it to the device through the SSL VPN client patch upgrade function. For details, see Installing the ActiveX Control.

Table 1 Supported operating systems and browsers

Each entry gives, for one SSL VPN function, the supported Operating System and the supported Browser and Version. A dash (-) means no specification applies.

Web proxy (web rewriting)
  Operating System: depending on the operating system supported by the browser
  Browser and Version:
    • Internet Explorer 6/7/8/9/10/11 (32-bit and 64-bit)
    • Firefox 4.0 to 30.0 (32-bit)
    • Chrome 10 to 20
    • Opera 9.0 to 12.0
    • Safari 3.0 to 5.1.x

Web proxy (web link)
  Operating System:
    • Windows Server 2003 (32-bit)
    • Windows Vista (32-bit and 64-bit)
    • Windows 7 (32-bit and 64-bit)
    • Windows Server 2008 (32-bit and 64-bit)
    • Windows 8 (32-bit and 64-bit)
    • Windows 8.1 (32-bit and 64-bit)
    • Windows 10 (32-bit and 64-bit)
  Browser and Version: Internet Explorer 6/7/8/9/10/11 (32-bit and 64-bit)

File sharing
  Operating System: depending on the operating system supported by the browser
  Browser and Version:
    • Internet Explorer 6/7/8/9/10/11 (32-bit and 64-bit)
    • Firefox 4.0 to 30.0 (32-bit)
    • Chrome 10 to 20
    • Opera 9.0 to 12.0
    • Safari 3.0 to 5.1.x

Port forwarding
  Operating System:
    • Windows Server 2003 (32-bit)
    • Windows Vista (32-bit and 64-bit)
    • Windows 7 (32-bit and 64-bit)
    • Windows Server 2008 (32-bit and 64-bit)
    • Windows 8 (32-bit and 64-bit)
    • Windows 8.1 (32-bit and 64-bit)
    • Windows 10 (32-bit and 64-bit)
  Browser and Version: Internet Explorer 6/7/8/9/10/11 (32-bit and 64-bit)

Network extension (access through a browser)
  Operating System:
    • Windows Server 2003 (32-bit)
    • Windows Vista (32-bit and 64-bit)
    • Windows 7 (32-bit and 64-bit)
    • Windows Server 2008 (32-bit and 64-bit)
    • Windows 8 (32-bit and 64-bit)
    • Windows 8.1 (32-bit and 64-bit)
    • Windows 10 (32-bit and 64-bit)
  Browser and Version:
    • Internet Explorer 6/7/8/9/10/11 (32-bit and 64-bit)
    • Firefox 38 to 49 (32-bit) (only the SecoClient supports this function)
    • Firefox 52 or later (32-bit and 64-bit) (only the SecoClient supports this function)
    • Chrome 35 or later (only the SecoClient supports this function)
  NOTE:
    • The SecoClient that supports this version is no longer being developed and cannot be downloaded from the Huawei Support website. A previously downloaded SecoClient can still be used. SecoClient configuration examples and common configuration problems are retained in the document. When users need to use the new SSL VPN function through client access, see VPN Client Download Description. The new client cannot meet users' requirements for accessing network extension services using Firefox or Chrome. You need to install the new client to access network extension services.
    • For the USG6510E/6510E-POE, the network extension service cannot be accessed through Firefox or Chrome.
    • For other models, to enable users to access network extension services through Firefox or Chrome, the network administrator needs to upload the SecoClient software on the System > VPN Client Upgrade page of the FW web UI. In addition, only network extension services can be configured on the virtual gateway of the FW; the certificate authentication mode cannot be configured there.
    • When the preceding conditions are met and a user accesses the virtual gateway login page through a browser, the system prompts the user to download and install the SecoClient software. In V600R007C00 and later versions, the device supports access to the virtual gateway login page through Chrome (42 or later) or Firefox (52 or later); in this case, install the corresponding browser extension as prompted and then install the SecoClient. After the SecoClient software is installed, the user can access network extension services after refreshing the login page. If the user's operating system does not support installing the SecoClient software, the user cannot access network extension services through Firefox or Chrome.

Network extension (access through the SecoClient)
  Operating System: The OS specifications supported by the independent network extension client are determined by the client version. To query them, use your registered account to access http://support.huawei.com/enterprise and download the client product documentation.
  Browser and Version: -

MAC authentication (browser)
  Operating System: -
  Browser and Version:
    • Internet Explorer 7/8/9/10/11 (32-bit and 64-bit)
    • Firefox 38.0 to 40.0
    • Chrome 35 to 41

MAC authentication (SecoClient 5.0.0.1 and later)
  Operating System: -
  Browser and Version: -

Copyright © Huawei Technologies Co., Ltd.