Certification summary (recovered from the flattened status table):
Access control: ✅
Certified
Control termination
Functional: L3VPN ✅
Certified since: September 2018 (Testing)
Tested model: AVX7800 (Rel.AVX.2.7.0.76)
In the case of a certified family of models, ICSA Labs periodically tests other models in the series. ICSA Labs SSL-TLS
Certification extends beyond the most recently tested model(s) (in bold below) to the other members of the Array AG
Series SSL VPN Appliances family. In this test cycle, ICSA Labs tested the vxAG virtual appliance running on Array
Networks’ AVX7800 hardware. vxAG is listed separately below to indicate that the virtual appliance runs on other
hypervisors; however, vxAG was not tested on those other hypervisors during this test cycle:
AVX10650
vxAG
SSLTLSVPN-ARRAYNETWORKS-2020-1029-01 Page 2 of 6
Copyright © 2020 ICSA Labs. All rights reserved.
ICSA Labs SSL-TLS VPN
Certification Testing Report
Scope of Assessment
ICSA Labs tests candidate SSL-TLS VPN products against publicly available criteria initially developed by a
consortium of SSL-TLS VPN vendors with input from industry analysts and the end user community. An ICSA Labs
certified SSL-TLS VPN product must satisfy all the mandatory requirements, along with all requirements related to
any elected optional functionality. For more information about the criteria, please visit the SSL-TLS section of the
ICSA Labs website (www.icsalabs.com).
1. Protocol and Cipher Suite Support – The TLS protocol and underlying cryptography must be implemented
properly.
2. X.509 Certificate Management and Validation – The product must support X.509 certificate management
such as secure enrollment and renewal. When supporting client certificate authentication, the product must
properly validate client certificates. SSL VPN Client apps must support proper certificate validation for SSL
VPN Server certificates.
3. Security Testing – The product must prevent unauthorized access and protect against common exploits and
attacks.
4. Administration – The product must have secure administrative capabilities including strong authentication,
secure remote access, and administrative and user session management.
5. Logging – The product must have the ability to accurately log the required data for system and session
related events.
6. SSL VPN Client Platforms – The product must support a Windows-based client with Internet Explorer or
Firefox for browser-based access.
7. Authentication and Authorization – The product must support secure user authentication mechanisms,
including strong authentication and granular control of access to resources. The product must also have the
ability to perform integrity checks of the client system before granting access and throughout the session.
8. Session Control – The product must provide automatic controls of user sessions.
9. Functional Testing – The product must support at least one mode of operation, Reverse Web Proxy (RWP)
or Layer 3 VPN (L3VPN). When operating in RWP mode, the product must prevent leaking of internal network
information and properly clean session related data. Typically, this requirement is satisfied with the use of a
cache cleaning mechanism or a virtual desktop environment during the VPN session. In a L3VPN operation,
the product must support proper disabling of split tunneling and prevent bypassing the VPN tunnel.
Testing Details
General Notes
The initial configuration was performed following the steps in the Quick Installation Guide shipped with the
AVX7800 appliance. With web access to the AVX appliance management interface, ICSA Labs followed the
“System Setup & Network Settings” chapter in the ArrayOS AVX 2.7 User Guide. ICSA Labs then configured the
Virtual Secure Access Gateway (vxAG), following the steps in the vxAG Deployment Guide. The following
documents were used as references where needed:
Array AVX 2.7 User Guide
ArrayOS AG 9.4 User Guide
Array AVX 2.7 CLI Handbook
ArrayOS AG 9.4 CLI Handbook
vxAG Deployment Guide
The vxAG on the AVX VPN Server supported and properly validated client certificates, exhibiting the appropriate
behavior for valid, expired and revoked certificates and for certificates with invalid signatures. The vxAG on
AVX7800 also handled CRLs properly (i.e. valid, expired, and invalid-signature CRLs).
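The validation behaviour described above, as an added example that is not part of the ICSA Labs report or Array Networks' code: a Python reference check (using the `cryptography` package) that builds a test CA, client certificates and CRLs for each case listed (valid, expired, revoked, invalid signature; CRL valid, expired, invalid signature) and shows how a gateway should fail closed on each. The CA name, serial numbers, pinned clock and verdict strings are assumptions made for the example.

```python
"""Added example (not from the ICSA Labs report or Array Networks): a reference
client-certificate check that fails closed in every case the report lists.
Keys, certificates and CRLs are constructed in-process and the clock is pinned
so the scenario is deterministic.  Requires the `cryptography` package."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW = datetime(2020, 9, 1, 13, 4, 13, tzinfo=timezone.utc)  # pinned clock (assumption)
DAY = timedelta(days=1)


def _aware(dt):
    """cryptography < 42 returns naive UTC datetimes; newer versions add *_utc accessors."""
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def _field(obj, name):
    value = getattr(obj, name + "_utc", None)
    return _aware(value if value is not None else getattr(obj, name))


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_name, signing_key, public_key, serial, not_before, not_after, ca=False):
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(issuer_name)
            .public_key(public_key).serial_number(serial)
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256(), default_backend()))


def make_crl(issuer_name, signing_key, revoked_serials, last_update, next_update):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer_name)
               .last_update(last_update).next_update(next_update))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(last_update).build(default_backend()))
    return builder.sign(signing_key, hashes.SHA256(), default_backend())


def validate_client_cert(cert, ca_cert, crl, now=NOW):
    """Return a verdict string; only 'valid' admits the client.  A CRL that cannot be
    trusted (bad signature, past nextUpdate) blocks access even for an unrevoked
    certificate: that is the fail-closed behaviour a VPN gateway needs."""
    ca_key = ca_cert.public_key()
    if cert.issuer != ca_cert.subject:
        return "issuer-mismatch"
    try:  # signature over the TBSCertificate under the CA key (RSA PKCS#1 v1.5 here)
        ca_key.verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(),
                      cert.signature_hash_algorithm)
    except InvalidSignature:
        return "bad-signature"
    if not _field(cert, "not_valid_before") <= now <= _field(cert, "not_valid_after"):
        return "expired"
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_key):
        return "crl-bad-signature"
    if now > _field(crl, "next_update"):
        return "crl-expired"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"


def run_scenarios():
    """Build one CA plus the certificates and CRLs for each case; return the verdicts."""
    ca_key, rogue_key, client_key = (rsa.generate_private_key(65537, 2048, default_backend())
                                     for _ in range(3))
    ca_name = _name("Test VPN CA")  # hypothetical CA
    ca = make_cert("Test VPN CA", ca_name, ca_key, ca_key.public_key(), 1,
                   NOW - 365 * DAY, NOW + 3650 * DAY, ca=True)
    pub = client_key.public_key()
    good = make_cert("chuck", ca_name, ca_key, pub, 1001, NOW - DAY, NOW + 365 * DAY)
    expired = make_cert("chuck", ca_name, ca_key, pub, 1002, NOW - 400 * DAY, NOW - DAY)
    revoked = make_cert("chuck", ca_name, ca_key, pub, 1003, NOW - DAY, NOW + 365 * DAY)
    forged = make_cert("chuck", ca_name, rogue_key, pub, 1004, NOW - DAY, NOW + 365 * DAY)  # CA name, wrong key
    fresh_crl = make_crl(ca_name, ca_key, [1003], NOW - DAY, NOW + 7 * DAY)
    stale_crl = make_crl(ca_name, ca_key, [1003], NOW - 8 * DAY, NOW - DAY)   # nextUpdate in the past
    rogue_crl = make_crl(ca_name, rogue_key, [], NOW - DAY, NOW + 7 * DAY)     # not signed by the CA
    return {
        "valid": validate_client_cert(good, ca, fresh_crl),
        "expired": validate_client_cert(expired, ca, fresh_crl),
        "revoked": validate_client_cert(revoked, ca, fresh_crl),
        "bad-signature": validate_client_cert(forged, ca, fresh_crl),
        "crl-expired": validate_client_cert(good, ca, stale_crl),
        "crl-bad-signature": validate_client_cert(good, ca, rogue_crl),
    }


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:18} -> {verdict}")
```

The order of the checks is the point: a CRL whose signature does not verify, or whose nextUpdate has passed, proves nothing about revocation, so the function refuses the client instead of treating the certificate as unrevoked. That fail-closed choice is what "handled CRLs properly" in the report is testing for.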
Security Testing
ICSA Labs used numerous tools and test methods to verify that the vxAG on AVX7800 was not vulnerable to
known exploits and threats.
Administration
Administrative access to vxAG via HTTPS/SSH was secured by disabling weak cipher suites. Via the CLI, the
command ‘webui ssl protocol v12’ was entered. For the vxAG on AVX7800, weak cipher suites could not
be disabled for SSH access; therefore, a separate physical port was used for the vxAG on AVX7800 administrative
interface, with access restricted to the physical AVX appliance management port. Administrative session timeout is
supported and is configured under “Base System - System Management Access Control.”
Logging
The vxAG Base System (accessible from “Admin Tools - Monitoring") was configured to send log events to
a remote SYSLOG server. ICSA Labs verified all required data was captured for each required event. The
following are example log entries recorded on the SYSLOG server around a failed user authentication event
(each entry is a single line):
INFO Sep 01 2020 13:04:04 AN AN_SQUID_LOG 1598979844.000 0 user=(null) 198.51.100.1 TCP_MISS/200 7981 GET /client_sec/l3vpn/version.xml - DIRECT/127.0.0.1 -
NOTICE Sep 01 2020 13:04:13 AN id=ArrayOS time="2020-09-01 13:04:13" timezone=EDT(-0400) fw=AN pri=5 vpn=sslvpn101-1 user=chuck src=198.51.100.1 sport=51721 dst=0.0.0.0 dport=80 dstname=localhost
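As an added example (not from the report or the ArrayOS documentation), the following Python parses records of the shape shown above and runs a simple burst detector over them. The first two sample lines copy the report's entries; the remaining lines are constructed here to drive the detector. Because the report's record carries no explicit result field, the predicate that marks a record as a failed authentication is an assumption keyed on the shape of that line and must be adjusted to the real message catalogue before use.

```python
"""Added example (not part of the ICSA Labs report or ArrayOS): a parser for the
key=value style syslog records shown in the report plus a sliding-window detector
for repeated authentication failures from one source address."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: the report's two records, followed by NOTICE records made up
# here (same format, different users and timestamps) to exercise the detector.
SAMPLE_LINES = [
    'INFO Sep 01 2020 13:04:04 AN AN_SQUID_LOG 1598979844.000 0 user=(null) 198.51.100.1 TCP_MISS/200 7981 GET /client_sec/l3vpn/version.xml - DIRECT/127.0.0.1 -',
    'NOTICE Sep 01 2020 13:04:13 AN id=ArrayOS time="2020-09-01 13:04:13" timezone=EDT(-0400) fw=AN pri=5 vpn=sslvpn101-1 user=chuck src=198.51.100.1 sport=51721 dst=0.0.0.0 dport=80 dstname=localhost',
    'NOTICE Sep 01 2020 13:04:40 AN id=ArrayOS time="2020-09-01 13:04:40" timezone=EDT(-0400) fw=AN pri=5 vpn=sslvpn101-1 user=chuck src=198.51.100.1 sport=51730 dst=0.0.0.0 dport=80 dstname=localhost',
    'NOTICE Sep 01 2020 13:05:02 AN id=ArrayOS time="2020-09-01 13:05:02" timezone=EDT(-0400) fw=AN pri=5 vpn=sslvpn101-1 user=admin src=198.51.100.1 sport=51744 dst=0.0.0.0 dport=80 dstname=localhost',
    'NOTICE Sep 01 2020 13:05:31 AN id=ArrayOS time="2020-09-01 13:05:31" timezone=EDT(-0400) fw=AN pri=5 vpn=sslvpn101-1 user=root src=198.51.100.1 sport=51760 dst=0.0.0.0 dport=80 dstname=localhost',
    'NOTICE Sep 01 2020 13:05:45 AN id=ArrayOS time="2020-09-01 13:05:45" timezone=EDT(-0400) fw=AN pri=5 vpn=sslvpn101-1 user=alice src=198.51.100.2 sport=40012 dst=0.0.0.0 dport=80 dstname=localhost',
]

HEADER_RE = re.compile(
    r"^(?P<severity>[A-Z]+) (?P<stamp>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
TZ_RE = re.compile(r"\(([+-])(\d{2})(\d{2})\)")  # offset inside e.g. EDT(-0400)


def parse_event(line):
    """Split one record into its syslog-style header and any key=value fields.
    Returns None for lines without the header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = {"severity": m["severity"], "host": m["host"]}
    ev.update((k, v.strip('"')) for k, v in KV_RE.findall(m["rest"]))
    # The header clock and the time= field agree in the report's sample, so the header
    # is used for every line; the timezone= field, when present, supplies the offset.
    stamp = datetime.strptime(m["stamp"], "%b %d %Y %H:%M:%S")
    tz = TZ_RE.search(ev.get("timezone", ""))
    if tz:
        sign = 1 if tz.group(1) == "+" else -1
        offset = timedelta(hours=int(tz.group(2)), minutes=int(tz.group(3)))
        ev["ts"] = stamp.replace(tzinfo=timezone(sign * offset))
    else:
        ev["ts"] = stamp.replace(tzinfo=timezone.utc)  # assumption: UTC when no offset is logged
    return ev


def is_auth_failure(ev):
    """Assumption: the report's failed-login record is a NOTICE carrying vpn=, user= and src=
    and no explicit result field.  Replace with the site's real message test."""
    return ev["severity"] == "NOTICE" and all(k in ev for k in ("vpn", "user", "src"))


def failed_auth_bursts(lines, window=timedelta(minutes=5), threshold=4):
    """Return {src: (first_seen, count, users)} for sources with >= threshold failures
    inside `window`; `users` lists every account tried from that source so far."""
    events = [ev for ev in map(parse_event, lines) if ev and is_auth_failure(ev)]
    events.sort(key=lambda ev: ev["ts"])
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)
    alerts = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev["ts"])
        users[ev["src"]].add(ev["user"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = (q[0], len(q), sorted(users[ev["src"]]))
    return alerts


if __name__ == "__main__":
    for src, (first, count, names) in failed_auth_bursts(SAMPLE_LINES).items():
        print(f"{src}: {count} failures since {first.isoformat()} for users {names}")
```

The squid-style INFO access record is parsed too (it yields a `user=(null)` field) but is never counted, which is the reason the failure predicate is a separate, explicit function rather than an implicit part of the parser.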
In addition to the authentication and authorization testing described above, verification of host integrity checking
upon and during session establishment was performed. ICSA Labs’ testing verified that sessions would be
prevented initially, or disconnected after being established, when the client system did not meet the configured
requirements, that included having:
Options for the above settings are accessed in the “Virtual Site Security Settings - Client
Security” pages.
With the version of the MotionPro Client initially submitted for testing, host checking for firewall and antivirus did
not function in accordance with the requirements. Version 1.2.10 of the MotionPro Client satisfied the
requirements.
Session Control
“User Session Control” is configured for the “Virtual Site” in the “Site Configuration Security
Settings.” ICSA Labs configured sessions per user, idle timeout, maximum session lifetime, and
unauthenticated session lifetime. ICSA Labs found through testing that these settings were properly enforced.
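As an added example (not ArrayOS code), the following Python models how those four controls interact in a session table: an unauthenticated session lifetime, a per-user session cap, an idle timeout and an absolute maximum lifetime, with a scripted scenario that trips each limit in turn. The limit values, session IDs, user names and pinned clock are assumptions made for the example.

```python
"""Added example (not from the ICSA Labs report or ArrayOS): a session table that
enforces sessions-per-user, idle timeout, maximum session lifetime and
unauthenticated session lifetime, plus a scenario exercising each limit."""
from datetime import datetime, timedelta, timezone

T0 = datetime(2020, 9, 1, 13, 0, tzinfo=timezone.utc)  # pinned clock (assumption)


class SessionPolicy:
    """Hypothetical limits; not the product's defaults."""
    def __init__(self, sessions_per_user=2, idle_timeout=timedelta(minutes=15),
                 max_lifetime=timedelta(hours=8), unauth_lifetime=timedelta(minutes=2)):
        self.sessions_per_user = sessions_per_user
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self.unauth_lifetime = unauth_lifetime


class SessionTable:
    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}  # sid -> {"user", "created", "auth_at", "last_seen"}

    def open(self, sid, now):
        """A new session starts unauthenticated; it must authenticate within unauth_lifetime."""
        self.sessions[sid] = {"user": None, "created": now, "auth_at": None, "last_seen": now}

    def authenticate(self, sid, user, now):
        """Bind the session to a user unless the user is already at the per-user cap.
        This implementation rejects the new login; evicting the oldest session is the
        other common policy."""
        live = [s for s in self.sessions.values() if s["user"] == user]
        if len(live) >= self.policy.sessions_per_user:
            del self.sessions[sid]
            return False
        self.sessions[sid].update(user=user, auth_at=now, last_seen=now)
        return True

    def touch(self, sid, now):
        """Record activity; only authenticated traffic should reach here."""
        self.sessions[sid]["last_seen"] = now

    def sweep(self, now):
        """Terminate every session that has exceeded a limit; return {sid: reason}."""
        p, gone = self.policy, {}
        for sid, s in list(self.sessions.items()):
            if s["user"] is None:
                if now - s["created"] > p.unauth_lifetime:
                    gone[sid] = "unauth-lifetime"
            elif now - s["auth_at"] > p.max_lifetime:     # absolute limit beats activity
                gone[sid] = "max-lifetime"
            elif now - s["last_seen"] > p.idle_timeout:
                gone[sid] = "idle-timeout"
        for sid in gone:
            del self.sessions[sid]
        return gone


def run_scenario():
    """Scripted timeline: returns what each control decided."""
    t, out, m = SessionTable(SessionPolicy()), {}, lambda mins: T0 + timedelta(minutes=mins)
    t.open("s1", T0)
    out["s1_auth"] = t.authenticate("s1", "chuck", T0 + timedelta(seconds=30))
    t.open("s2", m(1))
    out["s2_auth"] = t.authenticate("s2", "chuck", m(1))
    t.open("s3", m(1))
    out["s3_auth"] = t.authenticate("s3", "chuck", m(1))       # third session for chuck: cap of 2
    t.open("s4", m(2))                                          # never authenticates
    out["sweep_5m"] = t.sweep(m(5))                             # s4 exceeds unauth lifetime
    t.touch("s2", m(10))
    out["sweep_20m"] = t.sweep(m(20))                           # s1 has been idle since 00:30
    t.open("s5", m(21))
    out["s5_auth"] = t.authenticate("s5", "chuck", m(21))       # slot freed by s1's expiry
    for mins in range(30, 8 * 60 + 1, 10):                      # keep s2 and s5 busy every 10 min
        t.touch("s2", m(mins))
        t.touch("s5", m(mins))
    out["sweep_8h"] = t.sweep(m(8 * 60 + 2))                    # s2 hits max lifetime despite activity
    out["remaining"] = sorted(t.sessions)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:10} {result}")
```

The check order in `sweep` is deliberate: the absolute lifetime is evaluated before idleness, so a session kept alive by constant traffic (or a keep-alive script) still terminates at the maximum lifetime, which is the property the report's "maximum session lifetime" test exercises.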
Functional Testing
The mode of operation for which certification has been granted for the Array AG Series SSL VPN Appliances,
including the tested vxAG on AVX7800, is the Layer 3 VPN mode. The VPN session can be configured to disable
split tunneling. Split tunneling is controlled by the configuration of the “Network-type VPN Resource Item”
within the “VPN Access Method” configuration. Initially during this test cycle, the MotionPro Client did not
prevent circumventing the Layer 3 VPN tunnel; however, with MotionPro Client Version 1.2.10, ICSA Labs verified
that the tunnel could not be circumvented and was therefore able to meet the testing requirements.
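As an added example (not part of the report or the MotionPro client), the following Python shows the client-side check a tester runs to confirm a Layer 3 tunnel cannot be bypassed: evaluate a Linux `ip route` table by longest-prefix match (metric as tie-break) for a set of probe destinations and list any that would leave on an interface other than the tunnel. Both route tables, the interface names, addresses and probes are constructed for the example; the first table is shaped like a full-tunnel client (two /1 routes over tun0), the second like a split-tunnel one.

```python
"""Added example (not from the ICSA Labs report or Array Networks): evaluate a
client's routing table offline to find destinations that would bypass the VPN
tunnel.  Route tables below are constructed, in `ip route` output format."""
import ipaddress

# Constructed: client with split tunneling disabled (0.0.0.0/1 + 128.0.0.0/1 via tun0
# override the DHCP default route); the VPN server itself is pinned to the physical path.
FULL_TUNNEL = """\
default via 192.0.2.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50 metric 100
203.0.113.10 via 192.0.2.1 dev eth0
"""

# Constructed: split tunnel, only 10.0.0.0/8 goes through the VPN.
SPLIT_TUNNEL = """\
default via 192.0.2.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
10.0.0.0/8 via 10.8.0.1 dev tun0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50 metric 100
203.0.113.10 via 192.0.2.1 dev eth0
"""

# Constructed probes: an internal host, an Internet host, a LAN neighbour, the VPN server.
PROBES = ["10.20.30.40", "198.51.100.77", "192.0.2.9", "203.0.113.10"]
VPN_SERVER = "203.0.113.10"


def parse_routes(text):
    """Return [(network, dev, metric)] from `ip route` style lines."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]   # bare host -> /32
        net = ipaddress.ip_network(prefix, strict=False)
        dev = tok[tok.index("dev") + 1]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, dev, metric))
    return routes


def route_lookup(routes, dst):
    """Longest-prefix match, lowest metric as tie-break; (dev, prefix) or None."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    net, dev, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return dev, str(net)


def tunnel_bypasses(routes, probes, tun_dev="tun0", allowed=()):
    """Map each probe that would not leave via `tun_dev` to the route that wins.
    `allowed` holds the destinations that legitimately stay off-tunnel (the VPN server)."""
    leaks = {}
    for dst in probes:
        if dst in allowed:
            continue
        hit = route_lookup(routes, dst)
        if hit is None or hit[0] != tun_dev:
            leaks[dst] = hit
    return leaks


if __name__ == "__main__":
    for label, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        leaks = tunnel_bypasses(parse_routes(table), PROBES, allowed={VPN_SERVER})
        print(f"{label}: {'no bypass' if not leaks else leaks}")
```

Even the full-tunnel table routes the LAN probe 192.0.2.9 over eth0, because the connected /24 beats the two /1 routes. That residual path is the bypass most often found when "split tunneling disabled" is tested; a strict policy removes it or blocks it with the client firewall, and the VPN server's own address is the one legitimate exception, passed in `allowed`.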
Authority
This report is issued by the authority of the General Manager, ICSA Labs. Tests are performed under normal operating
conditions.
www.icslabs.com www.arraynetworks.com