Advanced

On the SSL > Advanced tab you can configure the advanced server options: cryptographic settings, compression settings and debug settings.

Note – This tab is identical for Site-to-site VPN > SSL and Remote Access > SSL. Changes applied here always affect both SSL configurations.

Cryptographic Settings

These settings control the encryption parameters for all SSL VPN connections, remote access and site-to-site alike:

  • Encryption algorithm: The encryption algorithm specifies the algorithm used for encrypting the data sent through the VPN tunnel. The following algorithms are supported, all in Cipher Block Chaining (CBC) mode:

    • DES-EDE3-CBC (Triple DES)
    • AES-128-CBC (128 bit)
    • AES-192-CBC (192 bit)
    • AES-256-CBC (256 bit)
    • BF-CBC (Blowfish, 128 bit)

    Note – DES-EDE3-CBC and BF-CBC are 64-bit block ciphers and are exposed to birthday-bound attacks on long-lived tunnels carrying large volumes of data; keep them only for legacy clients and prefer one of the AES options.
  • Authentication algorithm: The authentication algorithm specifies the HMAC digest used for checking the integrity of the data sent through the VPN tunnel. Supported algorithms are:

    • SHA-1 (160 bit)
    • SHA2 256 (256 bit)
    • SHA2 384 (384 bit)
    • SHA2 512 (512 bit)
    • MD5 (128 bit)

    MD5 and SHA-1 are offered for compatibility with older clients; select one of the SHA2 digests unless a client requires otherwise.
  • Key size: The key size (key length) is the length, in bits, of the Diffie-Hellman modulus used in the key exchange from which the session keys are derived. The longer this modulus is, the harder the exchange, and therefore the symmetric keys derived from it, is to attack. You can choose between a key size of 1024, 2048, 3072 or 4096 bits; 2048 bits or more is recommended, as 1024-bit groups are no longer considered adequate.
  • Server certificate: Select a local SSL certificate to be used by the SSL VPN server to identify itself against the clients.

    Note – Sophos UTM on AWS does not support wildcard certificates and certificates signed by an intermediate CA in the SSL VPN.

  • Key lifetime: Enter the time period after which the session keys expire and are renegotiated. The default is 28,800 seconds (8 hours). A shorter lifetime limits how much traffic is protected by any one key.

Compression Settings

Compress SSL VPN traffic: When enabled, all data sent through SSL VPN tunnels is compressed prior to encryption. Compressing plaintext before encryption lets an attacker who can inject chosen data into the tunnel infer secrets from the resulting ciphertext sizes (CRIME- and VORACLE-style attacks), so leave this option disabled unless bandwidth constraints require it.

Debug Settings

Enable debug mode: When debug mode is enabled, the SSL VPN log file contains extended information useful for debugging purposes. The additional output is verbose and records connection details that are not needed in routine operation, so enable it only while troubleshooting and turn it off afterwards.
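The following script is an added example, not Sophos code, that audits the settings from the three sections above (cryptographic, compression and debug) once they are expressed as an OpenVPN-style server configuration. It assumes the tab's options surface as the directives `cipher`, `auth`, `<dh>`, `reneg-sec`, `comp-lzo`/`compress` and `verb`, and that debug mode corresponds to `verb 4` or higher; the policy thresholds are the example's own, not vendor defaults. The DH modulus size is read directly from the DER inside the PEM block, and both sample configurations are constructed inline.

```python
"""Audit an SSL VPN server configuration in OpenVPN directive format against
the options on the SSL > Advanced tab.  Added example, not Sophos' code.
Assumes the tab maps to the directives cipher, auth, <dh>, reneg-sec,
comp-lzo/compress and verb; thresholds are this example's policy."""
import base64
import re

# Block size in bits of each cipher offered on the tab.  3DES and Blowfish
# use 64-bit blocks, so CBC birthday collisions (SWEET32) become likely after
# tens of gigabytes under one key.
BLOCK_BITS = {"DES-EDE3-CBC": 64, "BF-CBC": 64,
              "AES-128-CBC": 128, "AES-192-CBC": 128, "AES-256-CBC": 128}
WEAK_DIGESTS = {"MD5", "SHA1"}
KNOWN_DIGESTS = WEAK_DIGESTS | {"SHA256", "SHA384", "SHA512"}
MIN_DH_BITS = 2048      # policy: 1024-bit groups are no longer adequate
MAX_RENEG_SEC = 28800   # the tab's default key lifetime (8 hours)
DEBUG_VERB = 4          # assumption: debug mode raises verb to 4 or more


def parse_config(text):
    """Return (directives, inline_blocks): directive name -> argument list
    (last occurrence wins) and <tag> ... </tag> name -> body text."""
    directives, blocks, current, buf = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current:                              # inside an inline block
            if line == f"</{current}>":
                blocks[current], current, buf = "\n".join(buf), None, []
            else:
                buf.append(line)
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
        elif line and line[0] not in "#;":      # skip blanks and comments
            name, *args = line.split()
            directives[name] = args
    return directives, blocks


def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dh_modulus_bits(pem):
    """Bit length of the prime p in PEM DH PARAMETERS
    (DER: SEQUENCE { INTEGER p, INTEGER g })."""
    der = base64.b64decode("".join(l for l in pem.splitlines()
                                   if not l.startswith("-----")))
    tag, seq, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, prime, _ = _der_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER prime")
    return int.from_bytes(prime, "big").bit_length()


def compression_enabled(d):
    """comp-lzo without 'no', or compress with a real algorithm, compresses."""
    if "comp-lzo" in d and d["comp-lzo"] != ["no"]:
        return True
    return (d.get("compress") or [None])[0] not in (None, "stub", "stub-v2")


def audit(config_text):
    """Return [(setting, message), ...]; an empty list passes the policy."""
    d, blocks = parse_config(config_text)
    out = []
    cipher = d.get("cipher", [None])[0]
    if cipher not in BLOCK_BITS:
        out.append(("cipher", f"unrecognised or missing cipher {cipher!r}"))
    elif BLOCK_BITS[cipher] == 64:
        out.append(("cipher", f"{cipher} has 64-bit blocks (SWEET32); use AES-CBC"))
    auth = d.get("auth", ["SHA1"])[0].upper()    # OpenVPN's default HMAC is SHA1
    if auth in WEAK_DIGESTS:
        out.append(("auth", f"{auth} HMAC; select SHA2 256 or larger"))
    elif auth not in KNOWN_DIGESTS:
        out.append(("auth", f"unrecognised digest {auth!r}"))
    if "dh" in blocks:
        bits = dh_modulus_bits(blocks["dh"])
        if bits < MIN_DH_BITS:
            out.append(("dh", f"{bits}-bit DH group; use at least {MIN_DH_BITS}"))
    else:
        out.append(("dh", "DH parameters not inline; check the file's modulus size"))
    reneg = int(d.get("reneg-sec", ["3600"])[0])  # OpenVPN default: 3600 s
    if reneg > MAX_RENEG_SEC:
        out.append(("reneg-sec", f"key lifetime {reneg}s exceeds {MAX_RENEG_SEC}s"))
    if compression_enabled(d):
        out.append(("compression", "compression before encryption leaks plaintext "
                                   "sizes (CRIME/VORACLE); disable it"))
    if int(d.get("verb", ["1"])[0]) >= DEBUG_VERB:
        out.append(("verb", "debug-level logging enabled; turn off after troubleshooting"))
    return out


def make_dh_pem(bits):
    """Constructed test input: PEM DH PARAMETERS around an odd modulus of the
    requested size.  The modulus is NOT prime; it only exercises the parser."""
    def der_len(n):
        return bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256
                                           else b"\x82" + n.to_bytes(2, "big"))
    def der_int(n):
        body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # keeps sign bit clear
        return b"\x02" + der_len(len(body)) + body
    content = der_int((1 << (bits - 1)) | 1) + der_int(2)
    der = b"\x30" + der_len(len(content)) + content
    return ("-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der).decode()
            + "-----END DH PARAMETERS-----")


# Constructed configurations: the legacy choices and the hardened ones.
WEAK_CONFIG = f"cipher BF-CBC\nauth MD5\nreneg-sec 86400\ncomp-lzo\nverb 5\n<dh>\n{make_dh_pem(1024)}\n</dh>\n"
HARDENED_CONFIG = f"cipher AES-256-CBC\nauth SHA256\nreneg-sec 28800\ncomp-lzo no\nverb 3\n<dh>\n{make_dh_pem(2048)}\n</dh>\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Run against a real configuration, the script reports each setting that still uses a 64-bit block cipher, an MD5/SHA-1 HMAC, a DH group below 2048 bits, a key lifetime longer than the 28,800-second default, compression, or debug-level logging; a clean result is an empty list. The DH check only works when the parameters are inline, since a `dh file.pem` reference cannot be inspected from the configuration text alone.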