Outbound Nodes

An Outbound Node defines the connection configuration for the internal target system that the USP Server connects to when forwarding traffic. It includes several key settings that control how outbound connections are established, authenticated, and secured:

• The Hostname and Port specify the address of the internal target system.
• The assigned Certificates or Keys establish the identity of the USP Server and, when applicable, the target system during TLS or SSH handshakes.
• The Advanced Configuration options allow fine-tuning of cryptographic parameters, supported cipher suites, and other protocol-level security controls.

Before You Begin

Hostname and Port

Every Outbound Node must define the Hostname and Port of the internal target system that the USP Server connects to.

• Hostname: The network address or Fully Qualified Domain Name (FQDN) of the target system. USP resolves this value at connection time. You can use either a hostname (for example, internal-server.company.local) or a static IP address (for example, 10.10.5.25).
• Port: The TCP port number on which the target service listens.

tip

While the internal target can use any port, it is common practice to use each protocol's default port:

• SFTP: 22
• HTTPS: 443
• FTP: 21
• FTPS: 21 (Explicit) or 990 (Implicit)

USP and Target Verification Credentials

FTP(S)

The TLS Certificate and CA Certificate fields control whether TLS is used and, when enabled, how the USP Server authenticates itself and (optionally) validates target certificates during the TLS handshake.

TLS Certificate	CA Certificate	Resulting Behavior
		Connection uses plain FTP with no TLS encryption.
		USP establishes a standard one-way TLS connection. The USP Server is authenticated, but target certificates are not requested or validated.
		USP enforces mutual TLS (mTLS). Both the USP Server and the partner present and validate certificates during the TLS handshake.
		Invalid configuration. A TLS Certificate cannot be used without a CA Certificate; USP returns a configuration error.

HTTP(S)

The TLS Certificate and CA Certificate fields control whether TLS is used and, when enabled, how the USP Server authenticates itself and (optionally) validates target certificates during the TLS handshake.

TLS Certificate	CA Certificate	Resulting Behavior
		Connection uses plain HTTP with no TLS encryption.
		USP establishes a standard one-way TLS connection. The USP Server is authenticated, but target certificates are not requested or validated.
		USP enforces mutual TLS (mTLS). Both the USP Server and the partner present and validate certificates during the TLS handshake.
		Invalid configuration. A TLS Certificate cannot be used without a CA Certificate; USP returns a configuration error.

SFTP

The Remote Host Key is used to verify the identity of the internal target system during the SSH handshake. It represents the expected SSH public key of the remote host.

During connection establishment, the USP Server compares the host key presented by the target system against the configured Remote Host Key in the Outbound Node. If the keys do not match, the connection is rejected.

This verification step helps prevent man-in-the-middle (MITM) attacks and ensures that outbound connections are established only with trusted internal systems.

Advanced Configuration

Optional parameters can be configured under the Advanced section. These settings provide fine-grained control over protocol behavior for inbound connections, allowing alignment with internal security policies and compliance requirements.

info

These settings are optional but recommended when stricter protocol-level security controls are required.

FTP(S)

Advanced FTPS settings define the cryptographic parameters supported by the USP Server during TLS negotiation. These options allow administrators to align the system with internal security policies and compliance requirements.

• TLS Version Override: Restricts the minimum and maximum TLS protocol versions accepted. By default, USP uses the most secure versions available (TLS 1.2 and TLS 1.3).
• Curve Preferences Override: Defines which elliptic-curve algorithms are allowed for ECDHE key exchange. By default, USP enables all available curves.
• Cipher Overrides: Specifies which cipher suites the USP Server advertises during the TLS handshake. Incompatible ciphers are ignored automatically. By default, USP uses ciphers supported by the selected TLS version.

Default Ciphers

When no Cipher Overrides are selected, by default USP uses the secure ciphers supported by each version:

TLS Version	Default Cipher Suites
TLS 1.3	TLS_AES_128_GCM_SHA256 (0x1301) TLS_AES_256_GCM_SHA384 (0x1302) TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS 1.0-1.2	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS 1.2 only	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)

Available Ciphers

Cipher Suite	Secure	Reason
TLS_RSA_WITH_RC4_128_SHA		Uses RC4 (insecure stream cipher) and RSA key exchange (no forward secrecy).
TLS_RSA_WITH_3DES_EDE_CBC_SHA		Uses 3DES (obsolete, weak) and RSA key exchange (no forward secrecy).
TLS_RSA_WITH_AES_128_CBC_SHA		Uses RSA key exchange (no forward secrecy).
TLS_RSA_WITH_AES_256_CBC_SHA		Uses RSA key exchange (no forward secrecy).
TLS_RSA_WITH_AES_128_CBC_SHA256		RSA key exchange (no forward secrecy) and no Lucky13 CBC countermeasures.
TLS_RSA_WITH_AES_128_GCM_SHA256		Uses RSA key exchange (no forward secrecy), despite AEAD.
TLS_RSA_WITH_AES_256_GCM_SHA384		Uses RSA key exchange (no forward secrecy), despite AEAD.
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA		Uses RC4 (insecure stream cipher).
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA		ECDHE + ECDSA provides forward secrecy; AES-128-CBC is acceptable here.
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA		ECDHE + ECDSA provides forward secrecy; AES-256-CBC is acceptable here.
TLS_ECDHE_RSA_WITH_RC4_128_SHA		Uses RC4 (insecure stream cipher).
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA		Uses 3DES (obsolete, weak).
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA		ECDHE + RSA provides forward secrecy; AES-128-CBC is acceptable here.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA		ECDHE + RSA provides forward secrecy; AES-256-CBC is acceptable here.
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256		Lacks Lucky13 mitigations for CBC-mode AES.
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256		Lacks Lucky13 mitigations for CBC-mode AES.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256		AEAD cipher (AES-GCM) plus ECDHE forward secrecy.
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256		AEAD cipher (AES-GCM) plus ECDHE forward secrecy.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384		AEAD cipher (AES-GCM) plus ECDHE forward secrecy.
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384		AEAD cipher (AES-GCM) plus ECDHE forward secrecy.
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256		AEAD cipher (ChaCha20-Poly1305) plus ECDHE forward secrecy.
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256		AEAD cipher (ChaCha20-Poly1305) plus ECDHE forward secrecy.

HTTP(S)

Advanced HTTPS settings define the cryptographic parameters supported by the USP Server during TLS negotiation. These options allow administrators to align the system with internal security policies and compliance requirements.

• TLS Version Override: Restricts the minimum and maximum TLS protocol versions accepted. By default, USP uses the most secure versions available (TLS 1.2 and TLS 1.3).
• Curve Preferences Override: Defines which elliptic-curve algorithms are allowed for ECDHE key exchange. By default, USP enables all available curves.
• Cipher Overrides: Specifies which cipher suites the USP Server advertises during the TLS handshake. Incompatible ciphers are ignored automatically. By default, USP uses ciphers supported by the selected TLS version.

Default Ciphers

When no Cipher Overrides are selected, by default USP uses the secure ciphers supported by each version:

TLS Version	Default Cipher Suites
TLS 1.3	TLS_AES_128_GCM_SHA256 (0x1301) TLS_AES_256_GCM_SHA384 (0x1302) TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS 1.0-1.2	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS 1.2 only	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)

Available Ciphers

Cipher Suite	Secure	Reason
TLS_RSA_WITH_RC4_128_SHA		Uses RC4 (insecure stream cipher) and RSA key exchange (no forward secrecy).
TLS_RSA_WITH_3DES_EDE_CBC_SHA		Uses 3DES (obsolete, weak) and RSA key exchange (no forward secrecy).
TLS_RSA_WITH_AES_128_CBC_SHA		Uses RSA key exchange (no forward secrecy).
TLS_RSA_WITH_AES_256_CBC_SHA		Uses RSA key exchange (no forward secrecy).
TLS_RSA_WITH_AES_128_CBC_SHA256		RSA key exchange (no forward secrecy) and no Lucky13 CBC countermeasures.
TLS_RSA_WITH_AES_128_GCM_SHA256		Uses RSA key exchange (no forward secrecy), despite AEAD.
TLS_RSA_WITH_AES_256_GCM_SHA384		Uses RSA key exchange (no forward secrecy), despite AEAD.
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA		Uses RC4 (insecure stream cipher).
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA		ECDHE + ECDSA provides forward secrecy; AES-128-CBC is acceptable here.
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA		ECDHE + ECDSA provides forward secrecy; AES-256-CBC is acceptable here.
TLS_ECDHE_RSA_WITH_RC4_128_SHA		Uses RC4 (insecure stream cipher).
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA		Uses 3DES (obsolete, weak).
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA		ECDHE + RSA provides forward secrecy; AES-128-CBC is acceptable here.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA		ECDHE + RSA provides forward secrecy; AES-256-CBC is acceptable here.
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256		Lacks Lucky13 mitigations for CBC-mode AES.
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256		Lacks Lucky13 mitigations for CBC-mode AES.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256		AEAD cipher (AES-GCM) plus ECDHE forward secrecy.
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256		AEAD cipher (AES-GCM) plus ECDHE forward secrecy.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384		AEAD cipher (AES-GCM) plus ECDHE forward secrecy.
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384		AEAD cipher (AES-GCM) plus ECDHE forward secrecy.
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256		AEAD cipher (ChaCha20-Poly1305) plus ECDHE forward secrecy.
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256		AEAD cipher (ChaCha20-Poly1305) plus ECDHE forward secrecy.

SFTP

Advanced SFTP settings allow customization of the SSH server's behavior and supported cryptographic parameters.

• Server Version: The version string advertised during the SSH handshake.
• Banner: Optional message sent to the client after key exchange but before authentication. Often used for policy or legal notices.
• Key Exchange Algorithms: The Diffie-Hellman or elliptic-curve algorithms allowed during key exchange. Limiting these strengthens session-establishment security.
• Ciphers: The symmetric encryption algorithms available for SSH traffic. Administrators can restrict weaker options to enforce compliance requirements (for example, FIPS).
• MACs: Message Authentication Code algorithms that protect data integrity. Selecting stronger SHA-2-based variants improves resistance against tampering.

Outbound Node Administration via USP Admin UI

Adding an Outbound Node

To add an Outbound Node, follow these steps:

1. From the Sidebar, click Configuration > Route.
2. Click the row of the Route where you want to add the Outbound Node.
3. Go to the Outbound Nodes tab.
4. Click Add Outbound Node.
5. Complete the Outbound Node details using the Field Descriptions table as a guide.
6. Click Save.

Field Descriptions

FTP(S)

Name	Description	Specifications	Required
Name	The name of the Outbound Node.	Must be unique.	Yes
Description	The description of the Outbound Node.		No
Hostname	The hostname of the internal target.		Yes
Port	The port number of the internal target.	Must be within 1 and 65535.	Yes
Encryption Mode	The encryption mode that will be used. Options (multi-select): None (FTP) Implicit (FTPS) Explicit (FTPES)		Yes
CA Certificate	The CA certificate presented by the USP Server during the TLS handshake.	Must reference an already-created CA Certificate.	Yes, if Encryption Mode is Implicit (FTPS) or Explicit (FTPES).
TLS Certificate	The CA certificate used to validate client certificates during mTLS authentication.	Must reference an already-created CA Certificate.	No
Remote Server Name	The Server Name indication (string) announced during the TLS public handshake.		No
TLS Version Override	USP automatically uses the most secure TLS version available (1.2 or 1.3). To specify a version, set two versions (smallest is minimum, highest is maximum). Options (multi-select): TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3		No
Curve Preferences Override	USP uses all available curve preferences by default unless you specify otherwise. Options (multi-select): CurveP256 CurveP384 CurveP521 X25519 X25519MLKEM768		No
Cipher Overrides	Available ciphers depend on the selected TLS version. Select the ciphers you want to use. Options (multi-select), see Available Ciphers.	USP will ignore any ciphers incompatible with your TLS version. See Default Ciphers.	No

HTTP(S)

Name	Description	Specifications	Required
Name	The name of the Outbound Node.	Must be unique.	Yes
Description	The description of the Outbound Node.		No
Hostname	The hostname of the internal target.		Yes
Port	The port number of the internal target.	Must be within 1 and 65535.	Yes
CA Certificate	The CA certificate used to validate target certificates during mutual TLS authentication. Options: None (Plain HTTP) An already created CA Certificate.	Must reference an already-created CA Certificate.	Yes
TLS Certificate	The TLS certificate presented by the USP Server during the TLS handshake.	Must reference an already-created TLS Certificate.	No
Remote Server Name	The Server Name indication (string) announced during the TLS public handshake.		No
TLS Version Override	USP automatically uses the most secure TLS version available (1.2 or 1.3). To specify a version, set two versions (smallest is minimum, highest is maximum). Options (multi-select): TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3		No
Curve Preferences Override	USP uses all available curve preferences by default unless you specify otherwise. Options (multi-select): CurveP256 CurveP384 CurveP521 X25519 X25519MLKEM768		No
Cipher Overrides	Available ciphers depend on the selected TLS version. Select the ciphers you want to use. Options (multi-select), see Available Ciphers.	USP will ignore any ciphers incompatible with your TLS version. See Default Ciphers.	No

SFTP

Name	Description	Specifications	Required
Name	The name of the Outbound Node.	Must be unique.	Yes
Description	The description of the Outbound Node.		No
Hostname	The hostname of the internal target.		Yes
Port	The port number of the internal target.	Must be within 1 and 65535.	Yes
Remote Host Key	The name of the Public Key used to validate the internal server identity.	Must reference an already-created Public Key.	Yes
SSH Software Version Identifier	The version identification string that is announced during the SSH public handshake.	Default value: SSH-2.0-USP.	Yes
Key Exchange Algorithms	The allowed key exchange algorithms. Options (multi-select): ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 curve25519-sha256 diffie-hellman-group16-sha512 diffie-hellman-group14-sha256 diffie-hellman-group-exchange-sha256		No
Ciphers	The allowed cipher algorithms. Options (multi-select): aes256-ctr aes192-ctr aes128-ctr aes128-gcm aes256-gcm chacha20-poly1305		No
MACs	The allowed MAC algorithms. Options (multi-select): hmac-sha2-256-etm hmac-sha2-512-etm hmac-sha2-256 hmac-sha2-512 hmac-sha2-1		No

Editing an Outbound Node

To edit an Outbound Node, follow these steps:

1. From the Sidebar, click Configuration > Route.
2. Click the row of the Route where the Outbound Node is added.
3. Go to the Outbound Nodes tab.
4. Click the row of the Outbound Node you want to edit.
5. Complete the Outbound Node details using the Field Descriptions table as a guide.
6. Click Save.

warning

If you modify a Outbound Node that is currently in use by a USP Server instance, the changes will not take effect until you manually apply the updated configuration by pushing it to the server. To apply the changes:

1. Navigate to Monitoring > Status.
2. Click the Name of the associated USP Server instance.
3. Go to the Configuration tab.
4. Review the pending changes in the Updated Configuration column.
5. If the changes are correct, click Push Configuration.

Outbound Node Metadata

Outbound Node details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:

Name	Description
ID	Universally Unique Identifier of this Outbound Node.
Route ID	The ID of the Route where the node belongs.
Created At	Date and time this Outbound Node was created.
Updated At	Date and time this Outbound Node was last updated.

Deleting an Outbound Node

To delete an Outbound Node, follow these steps:

1. From the Sidebar, click Configuration > Route.
2. Click the row of the Route where the Outbound Node is added.
3. Go to the Outbound Nodes tab.
4. Click the row of the Outbound Node you want to delete.
5. Click Delete.
6. You will be asked to confirm the deletion. Click Delete.

warning

USP Manager prevents deletion of an Outbound Node if it is currently referenced by a Route.

Additionally, if the Outbound Node is used by a USP Server instance, the updated configuration must be manually applied. To apply the changes:

1. Navigate to Monitoring > Status.
2. Click the Name of the associated USP Server instance.
3. Go to the Configuration tab.
4. Review the pending changes in the Candidate Configuration - Preview section.
5. If the changes are correct, click Push Configuration.

The changes do not take effect on the server until this step is completed.