Switch User Manual
9 Management Protocols
VPN 3000 Concentrator Series User Guide
Encryption Protocols
Check the boxes for the encryption algorithms that the VPN Concentrator SSL server can negotiate with 
a client and use for session encryption. All are checked by default. You must check at least one algorithm 
to enable SSL. Unchecking all algorithms disables SSL.
The algorithms are negotiated in the order shown. You cannot change the order, but you can enable or 
disable selected algorithms.
RC4-128/MD5 = RC4 encryption with a 128-bit key and the MD5 hash function. This option is 
available in most SSL clients.
3DES-168/SHA = Triple-DES encryption with a 168-bit key and the SHA-1 hash function. This is the 
strongest (most secure) option.
DES-56/SHA = DES encryption with a 56-bit key and the SHA-1 hash function.
RC4-40/MD5 Export = RC4 encryption with a 128-bit key—40 bits of which are private—and the MD5 
hash function. This option is available in the export (non-U.S.) versions of many SSL clients.
DES-40/SHA Export = DES encryption with a 56-bit key—40 bits of which are private—and the 
SHA-1 hash function. This option is available in the export (non-U.S.) versions of many SSL 
clients.
Client Authentication
This parameter applies to HTTPS only; it is ignored for Telnet/SSL.
Check the box to enable SSL client authentication. The box is not checked by default. In the most
common SSL connection, the client authenticates the server, not vice versa. Client authentication
requires personal certificates installed in the browser, and trusted certificates installed in the server.
Specifically, the VPN Concentrator must have a root CA certificate installed, and a certificate signed by
one of the VPN Concentrator’s trusted CAs must be installed in the Web browser. See
Administration | Certificate Management.
SSL Version
Click the drop-down menu button and select the SSL version to use. SSL Version 3 has more security 
options than Version 2, and TLS (Transport Layer Security) Version 1 has more security options than 
SSL Version 3. Some clients that send an SSL Version 2 “Hello” (initial negotiation) can actually use a
more secure version during the session. Telnet/SSL clients usually can use only SSL Version 2.
Choices are: 
Negotiate SSL V2/V3 = The server tries to use SSL Version 3 but accepts Version 2 if the client can’t 
use Version 3. This is the default selection. This selection works with most browsers and Telnet/SSL 
clients.
SSL V3 with SSL V2 Hello = The server insists on SSL Version 3 but accepts an initial Version 2 
“Hello.”
SSL V3 Only = The server insists on SSL Version 3 only.
SSL V2 Only = The server insists on SSL Version 2 only. This selection works with most Telnet/SSL 
clients.
TLS V1 Only = The server insists on TLS Version 1 only. At present, only Microsoft Internet Explorer 
5.0 supports this option.
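The following added example (not code from the VPN Concentrator or from this guide) models the Encryption Protocols and SSL Version rules above, so an administrator can see which session a given client would get under a chosen set of checkboxes. The function names, the version labels, the constructed export client, and the two assumptions marked in the comments are illustrative and are not taken from the product.

```python
# Added example: models the selection rules this page describes.
# It is not the VPN Concentrator's code; see the labelled assumptions.

# Fixed negotiation order from "Encryption Protocols": (name, private key bits).
SERVER_ORDER = [
    ("RC4-128/MD5", 128),
    ("3DES-168/SHA", 168),
    ("DES-56/SHA", 56),
    ("RC4-40/MD5 Export", 40),
    ("DES-40/SHA Export", 40),
]

# "SSL Version" choices: (session versions in server preference order,
# whether an initial Version 2 "Hello" is accepted).
# Assumption: "SSL V3 Only" and "TLS V1 Only" refuse a Version 2 Hello.
VERSION_CHOICES = {
    "Negotiate SSL V2/V3": (["SSLv3", "SSLv2"], True),
    "SSL V3 with SSL V2 Hello": (["SSLv3"], True),
    "SSL V3 Only": (["SSLv3"], False),
    "SSL V2 Only": (["SSLv2"], True),
    "TLS V1 Only": (["TLSv1"], False),
}

def negotiate(enabled, choice, client_suites, client_versions, v2_hello=False):
    """Return (version, suite, key_bits), or None if no session is possible."""
    if not enabled:                      # unchecking all algorithms disables SSL
        return None
    versions, accepts_v2_hello = VERSION_CHOICES[choice]
    if v2_hello and not accepts_v2_hello:
        return None
    version = next((v for v in versions if v in client_versions), None)
    # Assumption: the first enabled algorithm in the fixed order that the
    # client also offers is the one used.
    suite = next(((n, b) for n, b in SERVER_ORDER
                  if n in enabled and n in client_suites), None)
    if version is None or suite is None:
        return None
    return (version, suite[0], suite[1])

def weakest_enabled(enabled):
    """Smallest private key size a client could still negotiate."""
    bits = [b for n, b in SERVER_ORDER if n in enabled]
    return min(bits) if bits else None

ALL = {n for n, _ in SERVER_ORDER}
# Constructed client: an export browser that offers only the 40-bit suites.
EXPORT_CLIENT = ["RC4-40/MD5 Export", "DES-40/SHA Export"]
```

With every box checked, `weakest_enabled(ALL)` is 40, and a client offering all five algorithms is given RC4-128/MD5 rather than 3DES-168/SHA because of the fixed order.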










