Hardware	SSL VPN compatibility
MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LMS-EA	Yes
MSR810-LMS, MSR810-LUS	No
MSR2600-6-X1	Yes
MSR2600-10-X1	No
MSR 2630	Yes
MSR3600-28, MSR3600-51	Yes
MSR3600-28-SI, MSR3600-51-SI	No
MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP	Yes
MSR3610-I-DP, MSR3610-IE-DP	Yes
MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC	Yes
MSR 3610, MSR 3620, MSR 3620-DP, MSR 3640, MSR 3660	Yes
MSR3610-G, MSR3620-G	Yes

‌

IPv6-related parameters are not supported on MSR routers.

aaa domain

Use aaa domain to specify an ISP domain for authentication, authorization, and accounting of SSL VPN users in an SSL VPN context.

Use undo aaa domain to restore the default.

Syntax

aaa domain domain-name

undo aaa domain

Default

The default ISP domain is used for authentication, authorization, and accounting of SSL VPN users in an SSL VPN context.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:

· The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

· The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

An SSL VPN username cannot carry ISP domain information. After this command is executed, an SSL VPN gateway uses the specified ISP domain for authentication, authorization, and accounting of SSL VPN users in the context.

Examples

# Specify ISP domain myserver for authentication, authorization, and accounting of SSL VPN users in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] aaa domain myserver

authentication use

Use authentication use to specify the authentication methods required for user login.

Use undo authentication use to restore the default.

Syntax

authentication use { all | any-one }

undo authentication use

Default

To log in to an SSL VPN context, a user must pass all the authentication methods enabled for the context.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

all: Uses all enabled authentication methods.

any-one: Uses any enabled authentication method.

Usage guidelines

You can enable username/password authentication, certificate authentication, or both for an SSL VPN context. The authentication methods required for logging in to the SSL VPN context depend on the configuration of this command:

· If the authentication use all command is configured, a user must pass all the enabled authentication methods for login.

· If the authentication use any-one command is configured, a user can log in after passing any enabled authentication method.

Examples

# Configure SSL VPN context ctx to allow users to log in after passing any enabled authentication method.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] authentication use any-one

Related commands

certificate-authentication enable

display sslvpn context

password-authentication enable

bandwidth

Use bandwidth to set the expected bandwidth for an interface.

Use undo bandwidth to restore the default.

Syntax

bandwidth bandwidth-value

undo bandwidth

Default

The expected bandwidth is 64 kbps for an interface.

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Parameters

bandwidth-value: Specifies the expected bandwidth in the range of 1 to 400000000 kbps.

Usage guidelines

The expected bandwidth for an interface affects CBQ bandwidth and link costs in OSPF, OSPFv3, and IS-IS. For more information about CBQ bandwidth, see QoS configuration in ACL and QoS Configuration Guide. For more information about link costs, see Layer 3—IP Routing Configuration Guide.

Examples

# Set the expected bandwidth to 10000 kbps for SSL VPN AC 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] bandwidth 10000

certificate-authentication enable

Use certificate-authentication enable to enable certificate authentication.

Use undo certificate-authentication enable to disable certificate authentication.

Syntax

certificate-authentication enable

undo certificate-authentication enable

Default

Certificate authentication is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

After you enable certificate authentication, you must also execute the client-verify command in SSL server policy view. The SSL VPN gateway uses the digital certificate sent by an SSL VPN client to authenticate the client's identity. If the client's username and the username in the digital certificate are not the same, the client cannot log in to the SSL VPN gateway.

Examples

# Enable certificate authentication.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] certificate-authentication enable

Related commands

client-verify enable

client-verify optional

content-type

Use content-type to configure a file policy to rewrite a file in an HTTP response to a specific type of file.

Use undo content-type to restore the default.

Syntax

content-type { css | html | javascript | other }

undo content-type

Default

A file policy rewrites a file carried in an HTTP response to a file of the type indicated by the content-type field in the HTTP response.

Views

File policy view

Predefined user roles

network-admin

Parameters

css: Changes the file type to CSS.

html: Changes the file type to HTML.

javascript: Changes the file type to JavaScript.

other: Does not change the file type.

Usage guidelines

A file policy rewrites a file carried in an HTTP response to a file of the type specified by this command. If the specified file type is different from that indicated by the content-type field in the HTTP response, users might not be able to read the file correctly.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure file policy fp to rewrite files to HTML files.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp] content-type html

default

Use default to restore the default settings for an SSL VPN AC interface.

Syntax

default

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

The default command might interrupt ongoing network services. Make sure you are fully aware of the impact of this command when you use it on a live network.

This command might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands. Use their undo forms or follow the command reference to restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.

Examples

# Restore the default settings of sslvpn-ac 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] default

This command will restore the default settings. Continue? [Y/N]:y

default-policy-group

Use default-policy-group to specify a policy group as the default policy group.

Use undo default-policy-group to restore the default.

Syntax

default-policy-group group-name

undo default-policy-group

Default

No policy group is specified as the default policy group.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

group-name: Specifies a policy group by its name, a case-insensitive string of 1 to 31 characters. The specified policy group must have been created.

Usage guidelines

You can configure multiple policy groups for an SSL VPN context. When a remote user accesses the SSL VPN context, the AAA server issues the authorized policy group to the associated SSL VPN gateway. The user can access only the resources allowed by the authorized policy group. If the AAA server does not issue an authorized policy group to the user, the user can access only the resources allowed by the default policy group.

Examples

# Specify policy group pg1 as the default policy group.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] quit

[Sysname-sslvpn-context-ctx1] default-policy-group pg1

Related commands

display sslvpn context

policy-group

description (SSL VPN AC interface view)

Use description to configure the description of an interface.

Use undo description to restore the default.

Syntax

description text

undo description

Default

The description of an interface is interface name Interface, for example, SSLVPN-AC1000 Interface.

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 255 characters.

Usage guidelines

Configure descriptions for interfaces for identification and management purposes.

You can use the display interface command to display the configured interface descriptions.

Examples

# Configure a description of SSL VPN A for SSL VPN AC 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] description SSL VPN A

display interface sslvpn-ac

Use display interface sslvpn-ac to display SSL VPN AC interface information.

Syntax

display interface [ sslvpn-ac [ interface-number ] ] [ brief [ description | down ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

sslvpn-ac [ interface-number ]: Specifies an SSL VPN AC interface by its number in the range of 0 to 4095. If you do not specify the sslvpn-ac keyword, this command displays information about all interfaces except virtual access (VA) interfaces. If you specify the sslvpn-ac keyword without the interface-number argument, this command displays information about all SSL VPN AC interfaces. For more information about VA interfaces, see PPPoE configuration in Layer 2—WAN Access Configuration Guide.

brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.

description: Displays complete interface descriptions. If you do not specify this keyword, the command displays only the first 27 characters of interface descriptions.

down: Displays information about interfaces in the physical state of DOWN and the causes. If you do not specify this keyword, the command displays information about interfaces in all states.

Examples

# Display detailed information about SSL VPN AC 1000.

<Sysname> display interface sslvpn-ac 1000

SSLVPN-AC1000

Current state: UP

Line protocol state: DOWN

Description: SSLVPN-AC1000 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1500

Internet protocol processing: Disabled

Link layer protocol is SSLVPN

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

Table 1 Command output

Field	Description
SSLVPN-AC1000	Information about interface SSL VPN AC 1000.
Current state	Physical link state of the interface: · Administratively DOWN—The interface has been shut down by using the shutdown command. · DOWN—The interface is administratively up, but its physical state is down (possibly because no physical link exists or the link has failed). · UP—The interface is both administratively and physically up.
Line protocol state	Data link layer state of the interface. The state is determined through automatic parameter negotiation at the data link layer. · UP—The data link layer protocol is up. · UP (spoofing)—The data link layer protocol is up, but the link is an on-demand link or does not exist. This attribute is typical of null interfaces and loopback interfaces. · DOWN—The data link layer protocol is down.
Description	Description of the interface.
Bandwidth	Expected bandwidth of the interface.
Maximum transmission unit	MTU of the interface.
Internet protocol processing: Disabled	The interface is not assigned an IP address and cannot process IP packets.
Internet address: ip-address/mask-length (Type)	IP address of the interface and type of the address in parentheses. Possible IP address types include: Primary—Manually configured primary IP address.
Last clearing of counters	Most recent time the counters were cleared by using the reset counters interface command. If the reset counters interface command has never been executed since the device starts up, this field displays Never.
Last 300 seconds input rate	Average input rate in the last 300 seconds.
Last 300 seconds output rate	Average output rate in the last 300 seconds.

# Display brief information about all SSL VPN AC interfaces.

<Sysname> display interface sslvpn-ac brief

Brief information of interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface Link Protocol Primary IP Description

SSLVPN-AC1000 UP DOWN --

# Display brief information about SSL VPN AC 1000, including the complete interface description.

<Sysname> display interface sslvpn-ac 1000 brief description

Brief information of interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface Link Protocol Primary IP Description

SSLVPN-AC1000 UP UP 1.1.1.1 SSLVPN-AC1000 Interface

# Display information about interfaces in DOWN state and the causes.

<Sysname> display interface sslvpn-ac brief down

Brief information of interfaces in route mode:

Link: ADM - administratively down

Interface Link Cause

SSLVPN-AC1000 ADM

SSLVPN-AC1001 ADM

Table 2 Command output

Field	Description
Brief information of interfaces in route mode:	Brief information about Layer 3 interfaces.
Interface	Abbreviated interface name.
Link	Physical link state of the interface: · UP—The interface is physically up. · DOWN—The interface is physically down. · ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. · Stby—The interface is a backup interface in standby state.
Protocol	Data link layer protocol state of the interface: · UP—The data link layer protocol of the interface is up. · UP(s)—The data link layer protocol of the interface is up, but the link is an on-demand link or does not exist. The (s) attribute represents the spoofing flag. This value is typical of null interfaces and loopback interfaces. · DOWN—The data link layer protocol of the interface is down.
Primary IP	Primary IP address of the interface.
Description	Description of the interface.
Cause	Cause for the physical link state of an interface to be DOWN: · Administratively—The interface has been manually shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. · Not connected—No physical connection exists (possibly because the network cable is disconnected or faulty).

Related commands

reset counters interface

display sslvpn context

Use display sslvpn context to display SSL VPN context information.

Syntax

display sslvpn context [ brief | name context-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief SSL VPN context information. If you do not specify this keyword, the command displays detailed SSL VPN context information.

name context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays information about all SSL VPN contexts.

Examples

# Display detailed information about all SSL VPN contexts.

<Sysname> display sslvpn context

Context name: ctx1

Operation state: Up

AAA domain: domain1

Certificate authentication: Enabled

Password authentication: Enabled

Authentication use: All

Dynamic password: Enabled

Code verification: Disabled

Default policy group: Not configured

Associated SSL VPN gateway: gw1

Domain name: 1

Associated SSL VPN gateway: gw2

Virtual host: abc.com

Associated SSL VPN gateway: gw3

SSL client policy configured: ssl1

SSL client policy in use: ssl

Maximum users allowed: 200

VPN instance:vpn1

Idle timeout: 30 min

Idle-cut traffic threshold: 100 Kilobytes

Context name: ctx2

Operation state: Down

Down reason: Administratively down

AAA domain not specified

Certificate authentication: Enabled

Password authentication: Disabled

Authentication use: Any-one

Dynamic password: Disabled

Code verification: Disabled

Default group policy: gp

Associated SSL VPN gateway: -

SSL client policy configured: ssl1

SSL client policy in use: ssl

Maximum users allowed: 200

VPN instance not configured

Idle timeout: 50 min

Idle-cut traffic threshold: 100 Kilobytes

Address pool: Conflicted with an IP address on the device

Table 3 Command output

Field	Description
Context name	Name of the SSL VPN context.
Operation state	Operation state of the SSL VPN context: · Up—The context is running. · Down—The context is not running.
Down reason	Causes for the Down operations status: · Administratively down—The context is disabled. To enable the context, use the service enable command. · No gateway associated—The context is not associated with an SSL VPN gateway.
AAA domain	ISP domain for the SSL VPN context.
Certificate authentication	Whether certificate authentication is enabled for the SSL VPN context.
Password authentication	Whether username/password authentication is enabled for the SSL VPN context.
Authentication use	Authentication methods required for user login: · All—A user must pass all the enabled authentication methods to log in to the SSL VPN context. · Any-one—A user can log in to the SSL VPN context after passing any enabled authentication method.
Code verification	Whether code verification is enabled for the SSL VPN context.
Default policy group	Default policy group used by the SSL VPN context.
Associated SSL VPN gateway	SSL VPN gateway associated with the SSL VPN context.
Domain name	Domain name specified for the SSL VPN context.
Virtual host	Virtual host name specified for the SSL VPN context.
SSL client policy configured	SSL client policy configured for the SSL VPN context. A newly configured SSL client policy takes effect only after the SSL VPN context is restarted.
SSL client policy in use	SSL client policy being used by the SSL VPN context.
Maximum users allowed	Maximum number of sessions allowed in the SSL VPN context.
VPN instance	VPN instance associated with the SSL VPN context.
Idle timeout	Maximum idle time of an SSL VPN session, in minutes.
Idle-cut traffic threshold	SSL VPN idle session disconnection traffic threshold.
Address pool: Conflicted with an IP address on the device	An IP address conflict was detected in the SSL VPN context.

# Display brief information about all SSL VPN contexts.

<Sysname> display sslvpn context brief

Context name Admin Operation VPN instance Gateway Domain/VHost

ctx1 Up Up - gw1 -/1

gw2 abc.com/-

gw3 -/-

ctx2 Down Down - - -/-

Table 4 Command output

Field	Description
Context name	Name of the SSL VPN context.
Admin	Administrative status of the SSL VPN context: · Up—The context has been enabled by using the service enable command. · Down—The context is disabled.
Operation	Operation state of the SSL VPN context: · Up—The context is running. · Down—The context is not running.
VPN instance	VPN instance associated with the SSL VPN context.
Gateway	SSL VPN gateway associated with the SSL VPN context.
Domain/VHost	Domain name or virtual host name specified for the SSL VPN context.

display sslvpn gateway

Use display sslvpn gateway to display SSL VPN gateway information.

Syntax

display sslvpn gateway [ brief | name gateway-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief SSL VPN gateway information. If you do not specify this keyword, the command displays detailed SSL VPN gateway information.

name gateway-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays information about all SSL VPN gateways.

Examples

# Display detailed information about all SSL VPN gateways.

<Sysname> display sslvpn gateway

Gateway name: gw1

Operation state: Up

IP: 192.168.10.75 Port: 443

HTTP redirect port: 80

SSL server policy configured: ssl1

SSL server policy in use: ssl

Front VPN instance: vpn1

Gateway name: gw2

Operation state: Down

Down reason: Administratively down

IP: 0.0.0.0 Port: 443

SSL server policy configured: ssl1

SSL server policy in use: ssl

Front VPN instance: Not configured

Gateway name: gw3

Operation state: Up

IPv6: 3000::2 Port: 443

SSL server policy configured: ssl1

SSL server policy in use: ssl

Front VPN instance: Not configured

Table 5 Command output

Field	Description
Gateway name	Name of the SSL VPN gateway.
Operation state	Operation state of the SSL VPN gateway: · Up—The gateway is running. · Down—The gateway is not running.
Down reason	Causes for the Down operation status: · Administratively down—The SSL VPN gateway is disabled. To enable the gateway, use the service enable command. · VPN instance not exist—The VPN instance to which the SSL VPN gateway belongs does not exist. · Applying SSL server-policy failed—Failed to apply the SSL server policy to the SSL VPN gateway.
IP	IPv4 address of the SSL VPN gateway.
IPv6		IPv6 address of the SSL VPN gateway.
Port	Port number of the SSL VPN gateway.
HTTP redirect port	HTTP redirection port number of the SSL VPN gateway.
SSL server policy configured	SSL server policy configured for the SSL VPN gateway. A newly configured SSL server policy takes effect only after the SSL VPN gateway is restarted.
SSL server policy in use	SSL server policy being used by the SSL VPN gateway.
Front VPN instance	Front VPN instance to which the SSL VPN gateway belongs.

# Display brief information about all SSL VPN gateways.

<Sysname> display sslvpn gateway brief

Gateway name Admin Operation

gw1 Up Up

gw2 Down Down (Administratively down)

gw3 Up Up

Table 6 Command output

Field	Description
Gateway name	Name of the SSL VPN gateway.
Admin	Administrative status of the SSL VPN gateway: · Up—The gateway has been enabled by using the service enable command. · Down—The gateway is disabled.
Operation	Operation state of the SSL VPN gateway: · Up—The gateway is running. · Down (Administratively down)—The gateway is disabled. To enable the gateway, use the service enable command. · Down (VPN instance not exist)—The gateway is down because the VPN instance to which the gateway belongs does not exist. · Down (Applying SSL server-policy failed)—The gateway is down because the SSL server policy failed to be applied to the gateway.

display sslvpn ip-tunnel statistics

Use display sslvpn ip-tunnel statistics to display packet statistics for IP access users.

Syntax

display sslvpn ip-tunnel statistics [ context context-name ] [ user user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_).

user user-name: Specifies an IP access user by username, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command displays IP access packets statistics for all SSL VPN contexts.

If you only specify an SSL VPN context, this command displays IP access packet statistics for the specified context and for each SSL VPN user in the context.

If you only specify an SSL VPN user, this command displays IP access packet statistics for the specified user in all SSL VPN contexts.

If you specify both an SSL VPN context and user, this command displays IP access packet statistics for the specified user in the specified context.

Examples

# Display IP access packet statistics for all SSL VPN contexts.

<Sysname> display sslvpn ip-tunnel statistics

IP-tunnel statistics in SSL VPN context ctx1:

Client:

In bytes : 125574 Out bytes : 1717349

Server:

In bytes : 1717349 Out bytes : 116186

IP-tunnel statistics in SSL VPN context ctx2:

Client:

In bytes : 521 Out bytes : 1011

Server:

In bytes : 1011 Out bytes : 498

# Display IP access packet statistics for SSL VPN context ctx1 and for each user in the context.

<Sysname> display sslvpn ip-tunnel statistics context ctx1

IP-tunnel statistics in SSL VPN context ctx1:

Client:

In bytes : 125574 Out bytes : 1717349

Server:

In bytes : 1717349 Out bytes : 116186

SSL VPN session IP-tunnel statistics:

Context : ctx1

User : user1

Session ID : 1

User IPv4 address : 192.168.56.1

Received requests : 81

Sent requests : 0

Dropped requests : 81

Received replies : 0

Sent replies : 0

Dropped replies : 0

Received keepalives : 1

Sent keepalive replies : 1

Received configuration updates: 0

Sent configuration updates : 0

Context : ctx1

User : user2

Session ID : 2

User IPv6 address : 1234::5001

Received requests : 81

Sent requests : 0

Dropped requests : 81

Received replies : 0

Sent replies : 0

Dropped replies : 0

Received keepalives : 1

Sent keepalive replies : 1

Received configuration updates: 0

Sent configuration updates : 0

# Display IP access packet statistics for user user1 in all SSL VPN contexts.

<Sysname> display sslvpn ip-tunnel statistics user user1

SSL VPN session IP-tunnel statistics:

Context : ctx1

User : user1

Session ID : 1

User IPv4 address : 192.168.56.1

Received requests : 81

Sent requests : 0

Dropped requests : 81

Received replies : 0

Sent replies : 0

Dropped replies : 0

Received keepalives : 1

Sent keepalive replies : 1

Received configuration updates: 0

Sent configuration updates : 0

Context : ctx2

User : user1

Session ID : 2

User IPv6 address : 1234::5001

Received requests : 81

Sent requests : 0

Dropped requests : 81

Received replies : 0

Sent replies : 0

Dropped replies : 0

Received keepalives : 1

Sent keepalives replies : 1

Received configuration updates: 0

Sent configuration updates : 0

# Display IP access packet statistics for user user1 in SSL VPN context ctx1.

<Sysname> display sslvpn ip-tunnel statistics context ctx1 user user1

SSL VPN session IP-tunnel statistics:

Context : ctx1

User : user1

Session ID : 1

User IPv4 address : 192.168.56.1

Received requests : 81

Sent requests : 0

Dropped requests : 81

Received replies : 0

Sent replies : 0

Dropped replies : 0

Received keepalives : 1

Sent keepalive replies : 1

Received configuration updates: 0

Sent configuration updates : 0

Context : ctx1

User : user1

Session ID : 2

User IPv6 address : 1234::5001

Received requests : 81

Sent requests : 0

Dropped requests : 81

Received replies : 0

Sent replies : 0

Dropped replies : 0

Received keepalives : 1

Sent keepalives replies : 1

Received configuration updates: 0

Sent configuration updates : 0

Table 7 Command output

Field	Description
Context	SSL VPN context to which the SSL VPN user belongs.
User	Login username used by the SSL VPN user.
User IPv4 address	IPv4 address of the SSL VPN user.
User IPv6 address	IPv6 address of the SSL VPN user.
Received requests	Number of IP access requests received by the SSL VPN gateway from the user.
Sent requests	Number of IP access requests forwarded by the SSL VPN gateway to internal servers.
Dropped requests	Number of IP access requests dropped by the SSL VPN gateway.
Received replies	Number of IP access replies received by the SSL VPN gateway from internal servers.
Sent replies	Number of IP access replies forwarded by the SSL VPN gateway to the user.
Dropped replies	Number of IP access replies dropped by the SSL VPN gateway.
Received keepalives	Number of keepalive messages received by the SSL VPN gateway from the user.
Sent keepalives replies	Number of keepalive replies sent by the SSL VPN gateway to the user.
Received configuration updates	Number of configuration update messages received by the SSL VPN gateway from the user.
Sent configuration updates	Number of configuration update messages sent by the SSL VPN gateway to the user.
Client	Statistics of the traffic transmitted between the SSL VPN gateway and the IP access client: · In bytes—Number of bytes received by the SSL VPN gateway from the client. · Out bytes—Number of bytes sent by the SSL VPN gateway to the client.
Server	Statistics of the traffic transmitted between the SSL VPN gateway and the server: · In bytes—Number of bytes received by the SSL VPN gateway from the server. · Out bytes—Number of bytes sent by the SSL VPN gateway to the client.

display sslvpn policy-group

Use display sslvpn policy-group to display SSL VPN policy group information.

Syntax

display sslvpn policy-group group-name [ context context-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-name: Specifies a policy group by its name, a case-insensitive string of 1 to 31 characters.

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays information about policy groups with the specified group name in all SSL VPN contexts.

Examples

# Display information about policy groups named pg1 in all SSL VPN contexts.

<Sysname> display sslvpn policy-group pg1

Group policy: pg1

Context: context1

Idle timeout: 35 min

Context: context2

Idle timeout: 40 min

Table 8 Command output

Field	Description
Idle timeout	Maximum idle time of an SSL VPN session, in minutes.

display sslvpn port-forward connection

Use display sslvpn port-forward connection to display TCP port forwarding connection information.

Syntax

In standalone mode:

display sslvpn port-forward connection [ context context-name ]

In IRF mode:

display sslvpn port-forward connection [ context context-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays TCP port forwarding connection information for all SSL VPN contexts.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays TCP port forwarding connection information for all member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display TCP port forwarding connection information for all SSL VPN contexts.

<Sysname> display sslvpn port-forward connection

SSL VPN context : ctx1

Client address : 192.0.2.1

Client port : 1025

Server address : 192.168.0.39

Server port : 80

Status : Connected

SSL VPN context : ctx2

Client address : 3000::983F:7A36:BD06:342D

Client port : 56190

Server address : 300::1

Server port : 23

Status : Connecting

# (In IRF mode.) Display TCP port forwarding connection information for all SSL VPN contexts.

<Sysname> display sslvpn port-forward connection

SSL VPN context : ctx1

Client address : 192.0.2.1

Client port : 1025

Server address : 192.168.0.39

Server port : 80

Slot : 1

Status : Connected

SSL VPN context : ctx2

Client address : 3000::983F:7A36:BD06:342D

Client port : 56190

Server address : 300::1

Server port : 23

Slot : 1

Status : Connecting

Table 9 Command output

Field	Description
Client address	IP address of the SSL VPN client.
Client port	Port number of the SSL VPN client.
Server address	IP address of the internal server.
Server port	Port number of the internal server.
Slot	(In IRF mode.) IRF member ID of the device.
Status	Connection status, Connected or Connecting.

display sslvpn session

Use display sslvpn session to display SSL VPN session information.

Syntax

display sslvpn session [ context context-name ] [ user user-name | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays SSL VPN session information for all SSL VPN contexts.

user user-name: Specifies an SSL VPN user by the username, a case-insensitive string of 1 to 63 characters. If you specify a user, this command displays detailed SSL VPN session information for the user. If you do not specify a user, this command displays brief SSL VPN session information for all users.

verbose: Displays detailed SSL VPN session information for all SSL VPN users. If you do not specify this keyword, the command displays brief SSL VPN session information for the specified or all SSL users.

Examples

# Display brief SSL VPN session information for all users in all SSL VPN contexts.

<Sysname> display sslvpn session

Total users: 4

SSL VPN context: ctx1

Users: 2

Username Connections Idle time Created User IP

user1 5 0/00:00:23 0/04:47:16 192.0.2.1

user2 5 0/00:00:46 0/04:48:36 192.0.2.2

SSL VPN context: ctx2

Users: 2

Username Connections Idle time Created User IP

user3 5 0/00:00:30 0/04:50:06 192.168.2.1

user4 5 0/00:00:50 0/04:51:16 192.168.2.2

Table 10 Command output

Field	Description
Total users	Total number of users in all SSL VPN contexts.
SSL VPN context	Name of the SSL VPN context.
Users	Number of users in the SSL VPN context.
Username	Login name for the SSL VPN session.
Connections	Number of connections in the SSL VPN session.
Idle time	Duration that the SSL VPN session has been idle, in the format of days/hh:mm:ss.
Created	Time elapsed since the SSL VPN session was created, in the format of days/hh:mm:ss.
User IP	IP address used by the SSL VPN session.

# Display SSL VPN session information for SSL VPN user user1.

<Sysname> display sslvpn session user user1

User : user1

Context : context1

Policy group : pgroup

Idle timeout : 30 min

Created at : 13:49:27 UTC Wed 05/14/2014

Lastest : 17:50:58 UTC Wed 05/14/2014

User IPv4 address : 192.0.2.1

Session ID : 1

Web browser/OS : Internet Explorer

User : user1

Context : context2

Policy group : Default

Idle timeout : 2100 sec

Created at : 14:15:12 UTC Wed 05/14/2014

Lastest : 18:56:58 UTC Wed 05/14/2014

User IPv6 address : 0:30::983F:7A36:BD06:342D

Session ID : 5

Web browser/OS : Internet Explorer

# Display detailed SSL VPN session information for all users in all SSL VPN contexts.

<Sysname> display sslvpn session verbose

User : user1

Context : context1

Policy group : pgroup

Idle timeout : 30 min

Created at : 13:49:27 UTC Wed 05/14/2014

Lastest : 17:50:58 UTC Wed 05/14/2014

User IPv4 address : 192.0.2.1

Session ID : 1

Web browser/OS : Internet Explorer

User : user1

Context : context2

Policy group : Default

Idle timeout : 2100 sec

Created at : 14:15:12 UTC Wed 05/14/2014

Lastest : 18:56:58 UTC Wed 05/14/2014

User IPv6 address : 0:30::983F:7A36:BD06:342D

Session ID : 5

Web browser/OS : Internet Explorer

Table 11 Command output

Field	Description
User	SSL VPN username.
Context	Context to which the user belongs.
Policy group	Policy group used by the user.
Idle timeout	Idle timeout time of the SSL VPN session, in seconds.
Created at	Time at which the SSL VPN session was created.
Lastest	Most recent time when the SSL VPN user accessed resources through the SSL VPN session.
Allocated IP	IP address allocated to the iNode client of the SSL VPN user. This field is displayed only for iNode users.
User IPv4 address	IPv4 address used by the SSL VPN session.
User IPv6 address	IPv6 address used by the SSL VPN session.
Web browser/OS	Web browser or operating system used by the SSL VPN user.

dynamic-password enable

Use dynamic-password enable to enable dynamic password verification.

Use undo dynamic-password enable to disable dynamic password verification.

Syntax

dynamic-password enable

undo dynamic-password enable

Default

Dynamic password verification is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

After dynamic password verification is enabled, a user must enter a correct dynamic password to log in to the SSL VPN webpage.

Examples

# Enable dynamic password verification.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] dynamic-password enable

emo-server

Use emo-server to specify an Endpoint Mobile Office (EMO) server for mobile clients.

Use undo emo-server to restore the default.

Syntax

emo-server address { host-name | ipv4-address } port port-number

undo emo-server

Default

No EMO server is specified for mobile clients.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

address: Specifies the host name or IPv4 address of the EMO server.

host-name: Specifies the host name of the EMO server, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).

ipv4-address: Specifies the IPv4 address of the EMO server, in dotted decimal notation. The IP address cannot be a multicast, broadcast, or loopback address.

port port-number: Specifies the port number of the EMO server, in the range of 1025 to 65535.

Usage guidelines

An EMO server provides services for mobile clients. The SSL VPN gateway issues the EMO server information to the clients, and the clients can access available service resources through the EMO server.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the IP address of the EMO server as 10.10.1.1 and the port number as 9058 for context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] emo-server address 10.10.1.1 port 9058

file-policy

Use file-policy to create a file policy and enter its view, or enter the view of an existing file policy.

Use undo file-policy to delete a file policy.

Syntax

file-policy policy-name

undo file-policy policy-name

Default

No file policies exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a file policy name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The SSL VPN gateway uses a file policy to rewrite the content of Web page files before forwarding them to requesting Web access users.

You can configure multiple file policies in an SSL VPN context.

Examples

# Create a file policy named fp and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp]

Related commands

sslvpn context

filter ip-tunnel acl

Use filter ip-tunnel acl to specify an advanced ACL for IP access filtering.

Use undo filter ip-tunnel acl to remove the advanced ACL configuration for IP access filtering.

Syntax

filter ip-tunnel [ ipv6 ] acl advanced-acl-number

undo filter ip-tunnel [ ipv6 ] acl

Default

All IP accesses are denied.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL. Do not configure this keyword if you want to specify an IPv4 ACL.

acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for IP access filtering.

The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request:

1. Matches the request against rules in the URI ACL:

¡ If the request matches a permit rule, the gateway forwards the request.

¡ If the request matches a deny rule, the gateway drops the request.

¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 2.

2. Matches the request against rules in the advanced ACL:

¡ If the request matches a permit rule, the gateway forwards the request.

¡ If the request matches a deny rule, the gateway drops the request.

¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

You can specify an IPv4 ACL, IPv6 ACL, or both by using this command, but you cannot specify multiple IPv4 ACLs or IPv6 ACLs. If you specify IPv4 or IPv6 ACLs multiple times, the most recent IPv4 or IPv6 ACL configuration takes effect.

Examples

# Configure policy group pg1 to use IPv4 ACL 3000 and IPv6 ACL 3500 for IP access filtering.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter ip-tunnel acl 3000

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter ip-tunnel ipv6 acl 3500

Related commands

filter ip-tunnel uri-acl

Use filter ip-tunnel uri-acl to specify a URI ACL for IP access filtering.

Use undo filter ip-tunnel uri-acl to remove the URI ACL configuration for IP access filtering.

Syntax

filter ip-tunnel uri-acl uri-acl-name

undo filter ip-tunnel uri-acl

Default

All IP accesses are denied.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for IP access filtering.

The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request:

1. Matches the request against rules in the URI ACL:

¡ If the request matches a permit rule, the gateway forwards the request.

¡ If the request matches a deny rule, the gateway drops the request.

¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 2.

2. Matches the request against rules in the advanced ACL:

¡ If the request matches a permit rule, the gateway forwards the request.

¡ If the request matches a deny rule, the gateway drops the request.

¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

If a rule in the URI ACL specified for IP access filtering contains HTTP or HTTPS settings, the rule does not take effect.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure policy group abcpg to use URI ACL abcuriacl for IP access filtering.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] policy-group abcpg

[Sysname-sslvpn-context-abc-policy-group-abcpg] filter ip-tunnel uri-acl abcuriacl

filter tcp-access acl

Use filter tcp-access acl to specify an advanced ACL for TCP access filtering.

Use undo filter tcp-access acl to remove the advanced ACL configuration for TCP access filtering.

Syntax

filter tcp-access [ ipv6 ] acl advanced-acl-number

undo filter tcp-access [ ipv6 ] acl

Default

A user can access only the TCP resources in the TCP port forwarding list authorized to the user.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL. Do not configure this keyword if you want to specify an IPv4 ACL.

acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for TCP access filtering.

For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request:

1. Matches the request against the authorized port forwarding list.

¡ If the request matches a port forwarding item in the list, the gateway forwards the request.

¡ If the request does not match any port forwarding items in the list, the gateway proceeds to step 2.

2. Matches the request against the rules in the URI ACL:

¡ If the request matches a permit rule, the gateway forwards the request.

¡ If the request matches a deny rule, the gateway drops the request.

¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.

3. Matches the request against the rules in the advanced ACL:

¡ If the request matches a permit rule, the gateway forwards the request.

¡ If the request matches a deny rule, the gateway drops the request.

¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

For PC users, the ACLs configured for TCP access filtering do not take effect. They can access only the TCP resources authorized to them through the TCP port forwarding list.

Examples

# Configure policy group pg1 to use IPv4 ACL 3000 and IPv6 ACL 3500 for TCP access filtering.

<Sysname> system-view

[Sysname]sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group pg1] filter tcp-access acl 3000

[Sysname-sslvpn-context-ctx1-policy-group pg1] filter tcp-access ipv6 acl 3500

Related commands

filter tcp-access uri-acl

Use filter tcp-access uri-acl to specify a URI ACL for TCP access filtering.

Use undo filter tcp-access uri-acl to remove the URI ACL configuration for TCP access filtering.

Syntax

filter tcp-access uri-acl uri-acl-name

undo filter tcp-access uri-acl

Default

A user can access only the TCP resources in the TCP port forwarding list authorized to the user.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for TCP access filtering.

For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request:

1. Matches the request against the authorized port forwarding list.

¡ If the request matches a port forwarding items in the list, the gateway forwards the request.