16-Security Command Reference

12-SSL VPN commands

Contents

SSL VPN commands
aaa domain
authentication use
bandwidth
certificate-authentication enable
content-type
default
default-policy-group
description (shortcut view)
description (SSL VPN AC interface view)
display interface sslvpn-ac
display sslvpn context
display sslvpn gateway
display sslvpn ip-tunnel statistics
display sslvpn policy-group
display sslvpn port-forward connection
display sslvpn session
dynamic-password enable
emo-server
exclude
execution (port forwarding item view)
execution (shortcut view)
file-policy
filter ip-tunnel acl
filter ip-tunnel uri-acl
filter tcp-access acl
filter tcp-access uri-acl
filter web-access acl
filter web-access uri-acl
force-logout
force-logout max-onlines enable
gateway
heading
http-redirect
idle-cut traffic-threshold
include
interface sslvpn-ac
ip address
ip range
ip-route-list
ip-tunnel access-route
ip-tunnel address-pool (SSL VPN context view)
ip-tunnel address-pool (SSL VPN policy group view)
ip-tunnel bind address
ip-tunnel dns-server
ip-tunnel interface
ip-tunnel keepalive
ip-tunnel log connection-close
ip-tunnel web-resource auto-push
ip-tunnel wins-server
ipv6 address
ipv6 range
local-port
log resource-access enable
log user-login enable
login-message
logo
max-onlines
max-users
message-server
mtu
new-content
old-content
password-authentication enable
policy-group
port-forward
port-forward-item
reset counters interface sslvpn-ac
reset sslvpn ip-tunnel statistics
resources port-forward
resources port-forward-item
resources shortcut
resources shortcut-list
resources snat-pool
resources uri-acl
resources url-item
resources url-list
rewrite-rule
rule
service enable (SSL VPN context view)
service enable (SSL VPN gateway view)
session-connections
shortcut
shortcut-list
shutdown
sms-imc address
sms-imc enable
ssl client-policy
ssl server-policy
sslvpn context
sslvpn gateway
sslvpn ip address-pool
sslvpn log enable
sslvpn snat-pool
timeout idle
title
uri-acl
url (file policy view)
url (URL item view)
url-item
url-list
url-mapping
user
verify-code
vpn-instance (SSL VPN context view)
vpn-instance (SSL VPN gateway view)
web-access ip-client auto-activate


SSL VPN commands

aaa domain

Use aaa domain to specify an ISP domain for authentication, authorization, and accounting of SSL VPN users in an SSL VPN context.

Use undo aaa domain to restore the default.

Syntax

aaa domain domain-name

undo aaa domain

Default

The default ISP domain is used for authentication, authorization, and accounting of SSL VPN users in an SSL VPN context.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

An SSL VPN username cannot carry ISP domain information. After this command is executed, an SSL VPN gateway uses the specified ISP domain for authentication, authorization, and accounting of SSL VPN users in the context.

Examples

# Specify ISP domain myserver for authentication, authorization, and accounting of SSL VPN users in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] aaa domain myserver

authentication use

Use authentication use to specify the authentication methods required for user login.

Use undo authentication use to restore the default.

Syntax

authentication use { all | any-one }

undo authentication use

Default

To log in to an SSL VPN context, a user must pass all the authentication methods enabled for the context.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

all: Uses all enabled authentication methods.

any-one: Uses any enabled authentication method.

Usage guidelines

You can enable username/password authentication, certificate authentication, or both for an SSL VPN context. The authentication methods required for logging in to the SSL VPN context depend on the configuration of this command:

·     If the authentication use all command is configured, a user must pass all the enabled authentication methods for login.

·     If the authentication use any-one command is configured, a user can log in after passing any enabled authentication method.

Examples

# Configure SSL VPN context ctx to allow users to log in after passing any enabled authentication method.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] authentication use any-one

Related commands

certificate-authentication enable

display sslvpn context

password-authentication enable

bandwidth

Use bandwidth to set the expected bandwidth for an interface.

Use undo bandwidth to restore the default.

Syntax

bandwidth bandwidth-value

undo bandwidth

Default

The expected bandwidth is 64 kbps for an interface.

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Parameters

bandwidth-value: Specifies the expected bandwidth in the range of 1 to 400000000 kbps.

Usage guidelines

The expected bandwidth for an interface affects CBQ bandwidth and link costs in OSPF, OSPFv3, and IS-IS. For more information about CBQ bandwidth, see QoS configuration in ACL and QoS Configuration Guide. For more information about link costs, see Layer 3—IP Routing Configuration Guide.

Examples

# Set the expected bandwidth to 10000 kbps for SSL VPN AC 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] bandwidth 10000

certificate-authentication enable

Use certificate-authentication enable to enable certificate authentication.

Use undo certificate-authentication enable to disable certificate authentication.

Syntax

certificate-authentication enable

undo certificate-authentication enable

Default

Certificate authentication is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

After you enable certificate authentication, you must also execute the client-verify command in SSL server policy view. The SSL VPN gateway uses the digital certificate sent by an SSL VPN client to authenticate the client's identity. If the client's username and the username in the digital certificate are not the same, the client cannot log in to the SSL VPN gateway.

Examples

# Enable certificate authentication.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] certificate-authentication enable

Related commands

client-verify enable

client-verify optional

content-type

Use content-type to configure a file policy to rewrite a file in an HTTP response to a specific type of file.

Use undo content-type to restore the default.

Syntax

content-type { css | html | javascript | other }

undo content-type

Default

A file policy rewrites a file carried in an HTTP response to a file of the type indicated by the content-type field in the HTTP response.

Views

File policy view

Predefined user roles

network-admin

Parameters

css: Changes the file type to CSS.

html: Changes the file type to HTML.

javascript: Changes the file type to JavaScript.

other: Does not change the file type.

Usage guidelines

A file policy rewrites a file carried in an HTTP response to a file of the type specified by this command. If the specified file type is different from that indicated by the content-type field in the HTTP response, users might not be able to read the file correctly.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure file policy fp to rewrite files to HTML files.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp] content-type html

default

Use default to restore the default settings for an SSL VPN AC interface.

Syntax

default

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

The default command might interrupt ongoing network services. Make sure you are fully aware of the impact of this command when you use it on a live network.

 

This command might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands. Use their undo forms or follow the command reference to restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.

Examples

# Restore the default settings of sslvpn-ac 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] default

This command will restore the default settings. Continue? [Y/N]:y

default-policy-group

Use default-policy-group to specify a policy group as the default policy group.

Use undo default-policy-group to restore the default.

Syntax

default-policy-group group-name

undo default-policy-group

Default

No policy group is specified as the default policy group.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

group-name: Specifies a policy group by its name, a case-insensitive string of 1 to 31 characters. The specified policy group must have been created.

Usage guidelines

You can configure multiple policy groups for an SSL VPN context. When a remote user accesses the SSL VPN context, the AAA server issues the authorized policy group to the associated SSL VPN gateway. The user can access only the resources allowed by the authorized policy group. If the AAA server does not issue an authorized policy group to the user, the user can access only the resources allowed by the default policy group.

Examples

# Specify policy group pg1 as the default policy group.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] quit

[Sysname-sslvpn-context-ctx1] default-policy-group pg1

Related commands

display sslvpn context

policy-group

description (shortcut view)

Use description to configure a description for a shortcut.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a shortcut.

Views

Shortcut view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 63 characters.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure a description for shortcut shortcut1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] shortcut shortcut1

[Sysname-sslvpn-context-ctx1-shortcut-shortcut1] description shortcut1

description (SSL VPN AC interface view)

Use description to configure the description of an interface.

Use undo description to restore the default.

Syntax

description text

undo description

Default

The default description of an interface is the interface name followed by Interface, for example, SSLVPN-AC1000 Interface.

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 255 characters.

Usage guidelines

Configure descriptions for interfaces for identification and management purposes.

You can use the display interface command to display the configured interface descriptions.

Examples

# Configure a description of SSL VPN A for SSL VPN AC 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] description SSL VPN A

display interface sslvpn-ac

Use display interface sslvpn-ac to display SSL VPN AC interface information.

Syntax

display interface [ sslvpn-ac [ interface-number ] ] [ brief [ description | down ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

sslvpn-ac [ interface-number ]: Specifies an SSL VPN AC interface by its number in the range of 0 to 4095. If you do not specify the sslvpn-ac keyword, this command displays information about all interfaces except virtual access (VA) interfaces. If you specify the sslvpn-ac keyword without the interface-number argument, this command displays information about all SSL VPN AC interfaces. For more information about VA interfaces, see PPPoE configuration in Layer 2—WAN Access Configuration Guide.

brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.

description: Displays complete interface descriptions. If you do not specify this keyword, the command displays only the first 27 characters of interface descriptions.

down: Displays information about interfaces in the physical state of DOWN and the causes. If you do not specify this keyword, the command displays information about interfaces in all states.

Examples

# Display detailed information about SSL VPN AC 1000.

<Sysname> display interface sslvpn-ac 1000

SSLVPN-AC1000

Current state: UP

Line protocol state: DOWN

Description: SSLVPN-AC1000 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1500

Internet protocol processing: Disabled

Link layer protocol is SSLVPN

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

Table 1 Command output

Field

Description

SSLVPN-AC1000

Information about interface SSL VPN AC 1000.

Current state

Physical link state of the interface:

·     Administratively DOWN—The interface has been shut down by using the shutdown command.

·     DOWN—The interface is administratively up, but its physical state is down (possibly because no physical link exists or the link has failed).

·     UP—The interface is both administratively and physically up.

Line protocol state

Data link layer state of the interface. The state is determined through automatic parameter negotiation at the data link layer.

·     UP—The data link layer protocol is up.

·     UP (spoofing)—The data link layer protocol is up, but the link is an on-demand link or does not exist. This attribute is typical of null interfaces and loopback interfaces.

·     DOWN—The data link layer protocol is down.

Description

Description of the interface.

Bandwidth

Expected bandwidth of the interface.

Maximum transmission unit

MTU of the interface.

Internet protocol processing: Disabled

The interface is not assigned an IP address and cannot process IP packets.

Internet Address

IP address of the interface. The primary attribute indicates that the address is the primary IP address.

Last clearing of counters

Most recent time the counters were cleared by using the reset counters interface command.

If the reset counters interface command has never been executed since the device starts up, this field displays Never.

Last 300 seconds input rate

Average input rate in the last 300 seconds.

Last 300 seconds output rate

Average output rate in the last 300 seconds.

 

# Display brief information about all SSL VPN AC interfaces.

<Sysname> display interface sslvpn-ac brief

Brief information of interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP         Description

SSLVPN-AC1000        UP   DOWN     --

# Display brief information about SSL VPN AC 1000, including the complete interface description.

<Sysname> display interface sslvpn-ac 1000 brief description

Brief information of interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP         Description

SSLVPN-AC1000        UP    UP      1.1.1.1            SSLVPN-AC1000 Interface

# Display information about interfaces in DOWN state and the causes.

<Sysname> display interface sslvpn-ac brief down

Brief information of interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Interface            Link Cause

SSLVPN-AC1000        ADM

SSLVPN-AC1001        ADM

Table 2 Command output

Field

Description

Brief information of interfaces in route mode:

Brief information about Layer 3 interfaces.

Interface

Abbreviated interface name.

Link

Physical link state of the interface:

·     UP—The interface is physically up.

·     DOWN—The interface is physically down.

·     ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command.

·     Stby—The interface is a backup interface in standby state.

Protocol

Data link layer protocol state of the interface:

·     UP—The data link layer protocol of the interface is up.

·     UP(s)—The data link layer protocol of the interface is up, but the link is an on-demand link or does not exist. The (s) attribute represents the spoofing flag. This value is typical of null interfaces and loopback interfaces.

·     DOWN—The data link layer protocol of the interface is down.

Primary IP

Primary IP address of the interface.

Description

Description of the interface.

Cause

Cause for the physical link state of an interface to be DOWN:

·     Administratively—The interface has been manually shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command.

·     Not connected—No physical connection exists (possibly because the network cable is disconnected or faulty).

 

Related commands

reset counters interface

display sslvpn context

Use display sslvpn context to display SSL VPN context information.

Syntax

display sslvpn context [ brief | name context-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief SSL VPN context information. If you do not specify this keyword, the command displays detailed SSL VPN context information.

name context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays information about all SSL VPN contexts.

Examples

# Display detailed information about all SSL VPN contexts.

<Sysname> display sslvpn context

Context name: ctx1

  Operation state: Up

  AAA domain: domain1

  Certificate authentication: Enabled

  Password authentication: Enabled

  Authentication use: All

  Dynamic password: Enabled

  Code verification: Disabled

  Default policy group: Not configured

  Associated SSL VPN gateway: gw1

    Domain name: 1

  Associated SSL VPN gateway: gw2

    Virtual host: abc.com

  Associated SSL VPN gateway: gw3

  SSL client policy configured: ssl1

  SSL client policy in use: ssl

  Maximum users allowed: 200

  VPN instance:vpn1

  Idle timeout: 30 min

  Idle-cut traffic threshold: 100 Kilobytes

Context name: ctx2

  Operation state: Down

  Down reason: Administratively down

  AAA domain not specified

  Certificate authentication: Enabled

  Password authentication: Disabled

  Authentication use: Any-one

  Dynamic password: Disabled

  Code verification: Disabled

  Default group policy: gp

  Associated SSL VPN gateway: -

  SSL client policy configured: ssl1

  SSL client policy in use: ssl

  Maximum users allowed: 200

  VPN instance not configured

  Idle timeout: 50 min

  Idle-cut traffic threshold: 100 Kilobytes

  Address pool: Conflicted with an IP address on the device

Table 3 Command output

Field

Description

Context name

Name of the SSL VPN context.

Operation state

Operation state of the SSL VPN context:

·     Up—The context is running.

·     Down—The context is not running.

Down reason

Causes for the Down operation status:

·     Administratively down—The context is disabled. To enable the context, use the service enable command.

·     No gateway associated—The context is not associated with an SSL VPN gateway.

AAA domain

ISP domain for the SSL VPN context.

Certificate authentication

Whether certificate authentication is enabled for the SSL VPN context.

Password authentication

Whether username/password authentication is enabled for the SSL VPN context.

Authentication use

Authentication methods required for user login:

·     All—A user must pass all the enabled authentication methods to log in to the SSL VPN context.

·     Any-one—A user can log in to the SSL VPN context after passing any enabled authentication method.

Code verification

Whether code verification is enabled for the SSL VPN context.

Default policy group

Default policy group used by the SSL VPN context.

Associated SSL VPN gateway

SSL VPN gateway associated with the SSL VPN context.

Domain name

Domain name specified for the SSL VPN context.

Virtual host

Virtual host name specified for the SSL VPN context.

SSL client policy configured

SSL client policy configured for the SSL VPN context.

A newly configured SSL client policy takes effect only after the SSL VPN context is restarted.

SSL client policy in use

SSL client policy being used by the SSL VPN context.

Maximum users allowed

Maximum number of sessions allowed in the SSL VPN context.

VPN instance

VPN instance associated with the SSL VPN context.

Idle timeout

Maximum idle time of an SSL VPN session, in minutes.

Idle-cut traffic threshold

SSL VPN idle session disconnection traffic threshold.

Address pool: Conflicted with an IP address on the device

An IP address conflict was detected in the SSL VPN context.

 
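As an added example (not from the H3C reference), the following Python parses the detailed display sslvpn context output shown above and lists the settings an administrator would want to review: contexts that are down, that fall back to the default ISP domain, that have no authentication method enabled, that use any-one with both methods enabled, that have no default policy group, or that report an address pool conflict. The sample output is constructed from the example above; the field names are the reference's, the check list is the example's own.

```python
"""Audit `display sslvpn context` output for settings worth a second look.

Added example, not H3C code. It assumes the detailed output layout shown in
the command reference: each context starts with a "Context name:" line and
is followed by indented "Key: value" lines (some lines, such as "AAA domain
not specified", carry no colon).
"""
from __future__ import annotations

# Constructed sample modelled on the reference output above.
SAMPLE_OUTPUT = """\
Context name: ctx1
  Operation state: Up
  AAA domain: domain1
  Certificate authentication: Enabled
  Password authentication: Enabled
  Authentication use: All
  Default policy group: Not configured
  Associated SSL VPN gateway: gw1
    Domain name: 1
  Associated SSL VPN gateway: gw2
    Virtual host: abc.com
  Maximum users allowed: 200
  VPN instance:vpn1
  Idle timeout: 30 min
Context name: ctx2
  Operation state: Down
  Down reason: Administratively down
  AAA domain not specified
  Certificate authentication: Enabled
  Password authentication: Disabled
  Authentication use: Any-one
  Default policy group: gp
  Associated SSL VPN gateway: -
  Maximum users allowed: 200
  VPN instance not configured
  Idle timeout: 50 min
  Address pool: Conflicted with an IP address on the device
"""


def parse_contexts(text: str) -> dict[str, dict[str, str]]:
    """Return {context name: {field: value}}; repeated fields are joined with ", "."""
    contexts: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Context name:"):
            current = contexts.setdefault(line.split(":", 1)[1].strip(), {})
            continue
        if current is None:
            continue
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
        else:
            key, value = line, ""  # e.g. "AAA domain not specified"
        current[key] = f"{current[key]}, {value}" if key in current else value
    return contexts


def audit_context(fields: dict[str, str]) -> list[str]:
    """Findings for one context, each based on the reference's own semantics."""
    findings: list[str] = []
    if fields.get("Operation state") == "Down":
        findings.append(f"down ({fields.get('Down reason', 'reason not shown')})")
    if "AAA domain not specified" in fields:
        findings.append("no aaa domain: default ISP domain is used for AAA")
    cert = fields.get("Certificate authentication") == "Enabled"
    password = fields.get("Password authentication") == "Enabled"
    if not cert and not password:
        findings.append("no authentication method enabled")
    elif cert and password and fields.get("Authentication use") == "Any-one":
        # With any-one, passing either enabled method alone is enough to log in.
        findings.append("authentication use any-one: one method alone grants login")
    if fields.get("Default policy group", "Not configured") == "Not configured":
        findings.append("no default policy group for users without an AAA-issued group")
    if "Address pool" in fields:
        findings.append("address pool: " + fields["Address pool"])
    return findings


def audit(text: str) -> dict[str, list[str]]:
    """Map every context in the output to its list of findings."""
    return {name: audit_context(f) for name, f in parse_contexts(text).items()}
```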

# Display brief information about all SSL VPN contexts.

<Sysname> display sslvpn context brief

Context name   Admin   Operation   VPN instance   Gateway   Domain/VHost

ctx1           Up      Up          -              gw1       -/1

                                                  gw2       abc.com/-

                                                  gw3       -/-

ctx2           Down   Down         -              -         -/-

Table 4 Command output

Field

Description

Context name

Name of the SSL VPN context.

Admin

Administrative status of the SSL VPN context:

·     Up—The context has been enabled by using the service enable command.

·     Down—The context is disabled.

Operation

Operation state of the SSL VPN context:

·     Up—The context is running.

·     Down—The context is not running.

VPN instance

VPN instance associated with the SSL VPN context.

Gateway

SSL VPN gateway associated with the SSL VPN context.

Domain/VHost

Domain name or virtual host name specified for the SSL VPN context.

 

display sslvpn gateway

Use display sslvpn gateway to display SSL VPN gateway information.

Syntax

display sslvpn gateway [ brief | name gateway-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief SSL VPN gateway information. If you do not specify this keyword, the command displays detailed SSL VPN gateway information.

name gateway-name: Specifies an SSL VPN gateway by its name. An SSL VPN gateway name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN gateway, this command displays information about all SSL VPN gateways.

Examples

# Display detailed information about all SSL VPN gateways.

<Sysname> display sslvpn gateway

Gateway name: gw1

  Operation state: Up

  IP: 192.168.10.75  Port: 443

  HTTP redirect port: 80

  SSL server policy configured: ssl1

  SSL server policy in use: ssl

  Front VPN instance: vpn1

Gateway name: gw2

  Operation state: Down

  Down reason: Administratively down

  IP: 0.0.0.0  Port: 443

  SSL server policy configured: ssl1

  SSL server policy in use: ssl

  Front VPN instance: Not configured

Gateway name: gw3

  Operation state: Up

  IPv6: 3000::2  Port: 443

  SSL server policy configured: ssl1

  SSL server policy in use: ssl

  Front VPN instance: Not configured

Table 5 Command output

Field

Description

Gateway name

Name of the SSL VPN gateway.

Operation state

Operation state of the SSL VPN gateway:

·     Up—The gateway is running.

·     Down—The gateway is not running.

Down reason

Causes for the Down operation status:

·     Administratively down—The SSL VPN gateway is disabled. To enable the gateway, use the service enable command.

·     VPN instance not exist—The VPN instance to which the SSL VPN gateway belongs does not exist.

·     Applying SSL server-policy failed—Failed to apply the SSL server policy to the SSL VPN gateway.

IP

IPv4 address of the SSL VPN gateway.

IPv6

IPv6 address of the SSL VPN gateway.

Port

Port number of the SSL VPN gateway.

HTTP redirect port

HTTP redirection port number of the SSL VPN gateway.

SSL server policy configured

SSL server policy configured for the SSL VPN gateway.

A newly configured SSL server policy takes effect only after the SSL VPN gateway is restarted.

SSL server policy in use

SSL server policy being used by the SSL VPN gateway.

Front VPN instance

Front VPN instance to which the SSL VPN gateway belongs.

# Display brief information about all SSL VPN gateways.

<Sysname> display sslvpn gateway brief

Gateway name                    Admin  Operation

gw1                             Up     Up

gw2                             Down   Down (Administratively down)

gw3                             Up     Up

Table 6 Command output

Field

Description

Gateway name

Name of the SSL VPN gateway.

Admin

Administrative status of the SSL VPN gateway:

·     Up—The gateway has been enabled by using the service enable command.

·     Down—The gateway is disabled.

Operation

Operation state of the SSL VPN gateway:

·     Up—The gateway is running.

·     Down (Administratively down)—The gateway is disabled. To enable the gateway, use the service enable command.

·     Down (VPN instance not exist)—The gateway is down because the VPN instance to which the gateway belongs does not exist.

·     Down (Applying SSL server-policy failed)—The gateway is down because the SSL server policy failed to be applied to the gateway.

 

display sslvpn ip-tunnel statistics

Use display sslvpn ip-tunnel statistics to display packet statistics for IP access users.

Syntax

display sslvpn ip-tunnel statistics [ context context-name ] [ user user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_).

user user-name: Specifies an IP access user by username, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command displays IP access packet statistics for all SSL VPN contexts.

If you only specify an SSL VPN context, this command displays IP access packet statistics for the specified context and for each SSL VPN user in the context.

If you only specify an SSL VPN user, this command displays IP access packet statistics for the specified user in all SSL VPN contexts.

If you specify both an SSL VPN context and user, this command displays IP access packet statistics for the specified user in the specified context.

Examples

# Display IP access packet statistics for all SSL VPN contexts.

<Sysname> display sslvpn ip-tunnel statistics

IP-tunnel statistics in SSL VPN context ctx1:

  Client:

    In bytes  : 125574               Out bytes  : 1717349

  Server:

    In bytes  : 1717349              Out bytes  : 116186

 

IP-tunnel statistics in SSL VPN context ctx2:

  Client:

    In bytes  : 521                  Out bytes  : 1011

  Server:

    In bytes  : 1011                 Out bytes  : 498

# Display IP access packet statistics for SSL VPN context ctx1 and for each user in the context.

<Sysname> display sslvpn ip-tunnel statistics context ctx1

IP-tunnel statistics in SSL VPN context ctx1:

  Client:

    In bytes  : 125574               Out bytes  : 1717349

  Server:

    In bytes  : 1717349              Out bytes  : 116186

 

SSL VPN session IP-tunnel statistics:

Context                       : ctx1

User                          : user1

Session ID                    : 1

User IPv4 address             : 192.168.56.1

Received requests             : 81

Sent requests                 : 0

Dropped requests              : 81

Received replies              : 0

Sent replies                  : 0

Dropped replies               : 0

Received keepalives           : 1

Sent keepalive replies        : 1

Received configuration updates: 0

Sent configuration updates    : 0

 

Context                       : ctx1

User                          : user2

Session ID                    : 2

User IPv6 address             : 1234::5001

Received requests             : 81

Sent requests                 : 0

Dropped requests              : 81

Received replies              : 0

Sent replies                  : 0

Dropped replies               : 0

Received keepalives           : 1

Sent keepalive replies        : 1

Received configuration updates: 0

Sent configuration updates    : 0

 

# Display IP access packet statistics for user user1 in all SSL VPN contexts.

<Sysname> display sslvpn ip-tunnel statistics user user1

SSL VPN session IP-tunnel statistics:

Context                       : ctx1

User                          : user1

Session ID                    : 1

User IPv4 address             : 192.168.56.1

Received requests             : 81

Sent requests                 : 0

Dropped requests              : 81

Received replies              : 0

Sent replies                  : 0

Dropped replies               : 0

Received keepalives           : 1

Sent keepalive replies        : 1

Received configuration updates: 0

Sent configuration updates    : 0

 

Context                       : ctx2

User                          : user1

Session ID                    : 2

User IPv6 address             : 1234::5001

Received requests             : 81

Sent requests                 : 0

Dropped requests              : 81

Received replies              : 0

Sent replies                  : 0

Dropped replies               : 0

Received keepalives           : 1

Sent keepalives replies       : 1

Received configuration updates: 0

Sent configuration updates    : 0

 

# Display IP access packet statistics for user user1 in SSL VPN context ctx1.

<Sysname> display sslvpn ip-tunnel statistics context ctx1 user user1

SSL VPN session IP-tunnel statistics:

Context                       : ctx1

User                          : user1

Session ID                    : 1

User IPv4 address             : 192.168.56.1

Received requests             : 81

Sent requests                 : 0

Dropped requests              : 81

Received replies              : 0

Sent replies                  : 0

Dropped replies               : 0

Received keepalives           : 1

Sent keepalive replies        : 1

Received configuration updates: 0

Sent configuration updates    : 0

 

Context                       : ctx1

User                          : user1

Session ID                    : 2

User IPv6 address             : 1234::5001

Received requests             : 81

Sent requests                 : 0

Dropped requests              : 81

Received replies              : 0

Sent replies                  : 0

Dropped replies               : 0

Received keepalives           : 1

Sent keepalive replies        : 1

Received configuration updates: 0

Sent configuration updates    : 0

Table 7 Command output

Field

Description

Context

SSL VPN context to which the SSL VPN user belongs.

User

Login username used by the SSL VPN user.

User IPv4 address

IPv4 address of the SSL VPN user.

User IPv6 address

IPv6 address of the SSL VPN user.

Received requests

Number of IP access requests received by the SSL VPN gateway from the user.

Sent requests

Number of IP access requests forwarded by the SSL VPN gateway to internal servers.

Dropped requests

Number of IP access requests dropped by the SSL VPN gateway. A Dropped requests count equal to Received requests with Sent requests at 0, as in the examples above, is the expected result when no rule in the IP access filters of the user's policy group (filter ip-tunnel acl or filter ip-tunnel uri-acl) permits the traffic, because IP access is denied by default.

Received replies

Number of IP access replies received by the SSL VPN gateway from internal servers.

Sent replies

Number of IP access replies forwarded by the SSL VPN gateway to the user.

Dropped replies

Number of IP access replies dropped by the SSL VPN gateway.

Received keepalives

Number of keepalive messages received by the SSL VPN gateway from the user.

Sent keepalive replies

Number of keepalive replies sent by the SSL VPN gateway to the user.

Received configuration updates

Number of configuration update messages received by the SSL VPN gateway from the user.

Sent configuration updates

Number of configuration update messages sent by the SSL VPN gateway to the user.

Client

Statistics of the traffic transmitted between the SSL VPN gateway and the IP access client:

·     In bytes—Number of bytes received by the SSL VPN gateway from the client.

·     Out bytes—Number of bytes sent by the SSL VPN gateway to the client.

Server

Statistics of the traffic transmitted between the SSL VPN gateway and the server:

·     In bytes—Number of bytes received by the SSL VPN gateway from the server.

·     Out bytes—Number of bytes sent by the SSL VPN gateway to the server.

 

display sslvpn policy-group

Use display sslvpn policy-group to display SSL VPN policy group information.

Syntax

display sslvpn policy-group group-name [ context context-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-name: Specifies a policy group by its name, a case-insensitive string of 1 to 31 characters.

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays information about policy groups with the specified group name in all SSL VPN contexts.

Examples

# Display information about policy groups named pg1 in all SSL VPN contexts.

<Sysname> display sslvpn policy-group pg1

Group policy: pg1

  Context: context1

   Idle timeout: 35 min

  Context: context2

   Idle timeout: 40 min

Table 8 Command output

Field

Description

Idle timeout

Maximum idle time of an SSL VPN session, in minutes.

 

display sslvpn port-forward connection

Use display sslvpn port-forward connection to display TCP port forwarding connection information.

Syntax

In standalone mode:

display sslvpn port-forward connection [ context context-name ]

In IRF mode:

display sslvpn port-forward connection [ context context-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays TCP port forwarding connection information for all SSL VPN contexts.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays TCP port forwarding connection information for all member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display TCP port forwarding connection information for all SSL VPN contexts.

<Sysname> display sslvpn port-forward connection

SSL VPN context  : ctx1

  Client address : 192.0.2.1

  Client port    : 1025

  Server address : 192.168.0.39

  Server port    : 80

  Status         : Connected

SSL VPN context  : ctx2

  Client address : 3000::983F:7A36:BD06:342D

  Client port    : 56190

  Server address : 300::1

  Server port    : 23

  Status         : Connecting

# (In IRF mode.) Display TCP port forwarding connection information for all SSL VPN contexts.

<Sysname> display sslvpn port-forward connection

SSL VPN context  : ctx1

  Client address : 192.0.2.1

  Client port    : 1025

  Server address : 192.168.0.39

  Server port    : 80

  Slot           : 1

  Status         : Connected

SSL VPN context  : ctx2

  Client address : 3000::983F:7A36:BD06:342D

  Client port    : 56190

  Server address : 300::1

  Server port    : 23

  Slot           : 1

  Status         : Connecting

Table 9 Command output

Field

Description

Client address

IP address of the SSL VPN client.

Client port

Port number of the SSL VPN client.

Server address

IP address of the internal server.

Server port

Port number of the internal server.

Slot

(In IRF mode.) IRF member ID of the device.

Status

Connection status: Connected or Connecting.

 

display sslvpn session

Use display sslvpn session to display SSL VPN session information.

Syntax

display sslvpn session [ context context-name ] [ user user-name | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays SSL VPN session information for all SSL VPN contexts.

user user-name: Specifies an SSL VPN user by the username, a case-insensitive string of 1 to 63 characters. If you specify a user, this command displays detailed SSL VPN session information for the user. If you do not specify a user, this command displays brief SSL VPN session information for all users.

verbose: Displays detailed SSL VPN session information for all SSL VPN users. If you do not specify this keyword, the command displays brief SSL VPN session information for the specified user or for all SSL VPN users.

Examples

# Display brief SSL VPN session information for all users in all SSL VPN contexts.

<Sysname> display sslvpn session

Total users: 4

 

SSL VPN context: ctx1

Users: 2

Username        Connections  Idle time   Created       User IP

user1           5            0/00:00:23  0/04:47:16    192.0.2.1

user2           5            0/00:00:46  0/04:48:36    192.0.2.2

 

SSL VPN context: ctx2

Users: 2

Username        Connections  Idle time   Created       User IP

user3           5            0/00:00:30  0/04:50:06    192.168.2.1

user4           5            0/00:00:50  0/04:51:16    192.168.2.2

Table 10 Command output

Field

Description

Total users

Total number of users in all SSL VPN contexts.

SSL VPN context

Name of the SSL VPN context.

Users

Number of users in the SSL VPN context.

Username

Login name for the SSL VPN session.

Connections

Number of connections in the SSL VPN session.

Idle time

Duration that the SSL VPN session has been idle, in the format of days/hh:mm:ss.

Created

Time elapsed since the SSL VPN session was created, in the format of days/hh:mm:ss.

User IP

IP address used by the SSL VPN session.

 

# Display SSL VPN session information for SSL VPN user user1.

<Sysname> display sslvpn session user user1

User              : user1

Context           : context1

Policy group      : pgroup

Idle timeout      : 30 min

Created at        : 13:49:27 UTC Wed 05/14/2014

Lastest           : 17:50:58 UTC Wed 05/14/2014

User IPv4 address : 192.0.2.1

Session ID        : 1

Web browser/OS    : Internet Explorer

 

User              : user1

Context           : context2

Policy group      : Default

Idle timeout      : 2100 sec

Created at        : 14:15:12 UTC Wed 05/14/2014

Lastest           : 18:56:58 UTC Wed 05/14/2014

User IPv6 address : 0:30::983F:7A36:BD06:342D

Session ID        : 5

Web browser/OS    : Internet Explorer

# Display detailed SSL VPN session information for all users in all SSL VPN contexts.

<Sysname> display sslvpn session verbose

User              : user1

Context           : context1

Policy group      : pgroup

Idle timeout      : 30 min

Created at        : 13:49:27 UTC Wed 05/14/2014

Lastest           : 17:50:58 UTC Wed 05/14/2014

User IPv4 address : 192.0.2.1

Session ID        : 1

Web browser/OS    : Internet Explorer

 

User              : user1

Context           : context2

Policy group      : Default

Idle timeout      : 2100 sec

Created at        : 14:15:12 UTC Wed 05/14/2014

Lastest           : 18:56:58 UTC Wed 05/14/2014

User IPv6 address : 0:30::983F:7A36:BD06:342D

Session ID        : 5

Web browser/OS    : Internet Explorer

Table 11 Command output

Field

Description

User

SSL VPN username.

Context

Context to which the user belongs.

Policy group

Policy group used by the user.

Idle timeout

Idle timeout time of the SSL VPN session, in seconds.

Created at

Time at which the SSL VPN session was created.

Lastest

Most recent time when the SSL VPN user accessed resources through the SSL VPN session.

Allocated IP

IP address allocated to the iNode client of the SSL VPN user.

This field is displayed only for iNode users.

User IPv4 address

IPv4 address used by the SSL VPN session.

User IPv6 address

IPv6 address used by the SSL VPN session.

Web browser/OS

Web browser or operating system used by the SSL VPN user.

 

dynamic-password enable

Use dynamic-password enable to enable dynamic password verification.

Use undo dynamic-password enable to disable dynamic password verification.

Syntax

dynamic-password enable

undo dynamic-password enable

Default

Dynamic password verification is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

After dynamic password verification is enabled, a user must enter a correct dynamic password to log in to the SSL VPN webpage.

Examples

# Enable dynamic password verification.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] dynamic-password enable

emo-server

Use emo-server to specify an Endpoint Mobile Office (EMO) server for mobile clients.

Use undo emo-server to restore the default.

Syntax

emo-server address { host-name | ipv4-address } port port-number

undo emo-server

Default

No EMO server is specified for mobile clients.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

address: Specifies the host name or IPv4 address of the EMO server.

host-name: Specifies the host name of the EMO server, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).

ipv4-address: Specifies the IPv4 address of the EMO server, in dotted decimal notation. The IP address cannot be a multicast, broadcast, or loopback address.

port port-number: Specifies the port number of the EMO server, in the range of 1025 to 65535.

Usage guidelines

An EMO server provides services for mobile clients. The SSL VPN gateway issues the EMO server information to the clients, and the clients can access available service resources through the EMO server.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the IP address of the EMO server as 10.10.1.1 and the port number as 9058 for context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] emo-server address 10.10.1.1 port 9058

exclude

Use exclude to add an excluded route to a route list.

Use undo exclude to delete an excluded route from a route list.

Syntax

exclude ip-address { mask | mask-length }

undo exclude ip-address { mask | mask-length }

Default

No excluded routes exist in a route list.

Views

Route list view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the destination IP address of the route. It cannot be a multicast, broadcast, or loopback address.

mask: Specifies the subnet mask of the destination IP address.

mask-length: Specifies the mask length of the destination IP address, an integer in the range of 0 to 32.

Usage guidelines

To deny user access to specific network nodes or segments behind an SSL VPN gateway, configure excluded routes for those nodes or segments.

When a client accesses the SSL VPN gateway in IP access mode, the SSL VPN gateway issues the excluded routes to the client. The client adds the excluded routes to its local routing table, and traffic that matches an excluded route is not sent to the SSL VPN gateway. Because the exclusion is enforced by the client's routing table rather than by the gateway, it does not by itself stop a client that ignores the issued routes; to enforce access control on the gateway, use the filter ip-tunnel acl and filter ip-tunnel uri-acl commands in the policy group.

You can add multiple excluded routes to a route list.

If you execute the include and exclude commands to add the same route to a route list, the most recent configuration takes effect.

Examples

# Add excluded route 192.168.0.0/16 to route list rtlist.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ip-route-list rtlist

[Sysname-sslvpn-context-ctx1-route-list-rtlist] exclude 192.168.0.0 16

Related commands

include

execution (port forwarding item view)

Use execution to configure a resource link for a port forwarding item.

Use undo execution to restore the default.

Syntax

execution script

undo execution

Default

No resource link is configured for a port forwarding item.

Views

Port forwarding item view

Predefined user roles

network-admin

Parameters

script: Specifies the resource link, a string of 1 to 255 characters.

Usage guidelines

You can configure a resource link in either of the following methods:

·     Enter the resource link in the format url('url-value'). The url-value argument identifies the resource, in the complete form protocol://hostname-or-address:port/resource-path.

·     Enter executable JavaScript that opens the resource. The script is sent to and runs in the browser of every user who clicks the item, so configure only scripts from a trusted source.

After you configure a resource link for a port forwarding item, you can click the port forwarding name on the SSL VPN Web page to access the resource.

If you execute this command for a port forwarding item multiple times, the most recent configuration takes effect.

Examples

# Configure the url('http://127.0.0.1') resource for port forwarding item pfitem1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] port-forward-item pfitem1

[Sysname-sslvpn-context-ctx1-forward-item-pfitem1] execution url('http://127.0.0.1')

execution (shortcut view)

Use execution to configure a resource link for a shortcut.

Use undo execution to restore the default.

Syntax

execution script

undo execution

Default

No resource link is configured for a shortcut.

Views

Shortcut view

Predefined user roles

network-admin

Parameters

script: Specifies the resource link, a string of 1 to 255 characters.

Usage guidelines

You can configure a resource link in either of the following methods:

·     Enter the resource link in the format url('url-value'). The url-value argument identifies the resource, in the complete form protocol://hostname-or-address:port/resource-path.

·     Enter executable JavaScript that opens the resource. The script is sent to and runs in the browser of every user who clicks the shortcut, so configure only scripts from a trusted source.

After you configure a resource link for a shortcut, you can click the shortcut name on the SSL VPN Web page to access the resource.

If you execute this command for a shortcut multiple times, the most recent configuration takes effect.

Examples

# Configure the url('http://10.0.0.1') resource for shortcut shortcut1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] shortcut shortcut1

[Sysname-sslvpn-context-ctx1-shortcut-shortcut1] execution url('http://10.0.0.1')

file-policy

Use file-policy to create a file policy and enter its view, or enter the view of an existing file policy.

Use undo file-policy to delete a file policy.

Syntax

file-policy policy-name

undo file-policy policy-name

Default

No file policies exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a file policy name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The SSL VPN gateway uses a file policy to rewrite the content of Web page files before forwarding them to requesting Web access users.

You can configure multiple file policies in an SSL VPN context.

Examples

# Create a file policy named fp and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp]

Related commands

sslvpn context

filter ip-tunnel acl

Use filter ip-tunnel acl to specify an advanced ACL for IP access filtering.

Use undo filter ip-tunnel acl to remove the advanced ACL configuration for IP access filtering.

Syntax

filter ip-tunnel [ ipv6 ] acl advanced-acl-number

undo filter ip-tunnel [ ipv6 ] acl

Default

All IP access requests are denied.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL. Do not configure this keyword if you want to specify an IPv4 ACL.

acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for IP access filtering.

The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request:

1.     Matches the request against rules in the URI ACL:

¡     If the request matches a permit rule, the gateway forwards the request.

¡     If the request matches a deny rule, the gateway drops the request.

¡     If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 2.

2.     Matches the request against rules in the advanced ACL:

¡     If the request matches a permit rule, the gateway forwards the request.

¡     If the request matches a deny rule, the gateway drops the request.

¡     If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

You can specify an IPv4 ACL, IPv6 ACL, or both by using this command, but you cannot specify multiple IPv4 ACLs or IPv6 ACLs. If you specify IPv4 or IPv6 ACLs multiple times, the most recent IPv4 or IPv6 ACL configuration takes effect.

Examples

# Configure policy group pg1 to use IPv4 ACL 3000 and IPv6 ACL 3500 for IP access filtering.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter ip-tunnel acl 3000

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter ip-tunnel ipv6 acl 3500

Related commands

filter ip-tunnel uri-acl

filter ip-tunnel uri-acl

Use filter ip-tunnel uri-acl to specify a URI ACL for IP access filtering.

Use undo filter ip-tunnel uri-acl to remove the URI ACL configuration for IP access filtering.

Syntax

filter ip-tunnel uri-acl uri-acl-name

undo filter ip-tunnel uri-acl

Default

All IP access requests are denied.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for IP access filtering.

The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request:

1.     Matches the request against rules in the URI ACL:

¡     If the request matches a permit rule, the gateway forwards the request.

¡     If the request matches a deny rule, the gateway drops the request.

¡     If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 2.

2.     Matches the request against rules in the advanced ACL:

¡     If the request matches a permit rule, the gateway forwards the request.

¡     If the request matches a deny rule, the gateway drops the request.

¡     If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

If a rule in the URI ACL specified for IP access filtering contains HTTP or HTTPS settings, the rule does not take effect.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure policy group abcpg to use URI ACL abcuriacl for IP access filtering.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] policy-group abcpg

[Sysname-sslvpn-context-abc-policy-group-abcpg] filter ip-tunnel uri-acl abcuriacl

filter tcp-access acl

Use filter tcp-access acl to specify an advanced ACL for TCP access filtering.

Use undo filter tcp-access acl to remove the advanced ACL configuration for TCP access filtering.

Syntax

filter tcp-access [ ipv6 ] acl advanced-acl-number

undo filter tcp-access [ ipv6 ] acl

Default

A user can access only the TCP resources in the TCP port forwarding list authorized to the user.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL. Do not configure this keyword if you want to specify an IPv4 ACL.

acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for TCP access filtering.

For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request:

1.     Matches the request against the authorized port forwarding list.

¡     If the request matches a port forwarding item in the list, the gateway forwards the request.

¡     If the request does not match any port forwarding items in the list, the gateway proceeds to step 2.

2.     Matches the request against the rules in the URI ACL:

¡     If the request matches a permit rule, the gateway forwards the request.

¡     If the request matches a deny rule, the gateway drops the request.

¡     If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.

3.     Matches the request against the rules in the advanced ACL:

¡     If the request matches a permit rule, the gateway forwards the request.

¡     If the request matches a deny rule, the gateway drops the request.

¡     If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

For PC users, the ACLs configured for TCP access filtering do not take effect. They can access only the TCP resources authorized to them through the TCP port forwarding list.

You can specify an IPv4 ACL, IPv6 ACL, or both by using this command, but you cannot specify multiple IPv4 ACLs or IPv6 ACLs. If you specify IPv4 or IPv6 ACLs multiple times, the most recent IPv4 or IPv6 ACL configuration takes effect.

Examples

# Configure policy group pg1 to use IPv4 ACL 3000 and IPv6 ACL 3500 for TCP access filtering.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter tcp-access acl 3000

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter tcp-access ipv6 acl 3500

Related commands

filter tcp-access uri-acl

filter tcp-access uri-acl

Use filter tcp-access uri-acl to specify a URI ACL for TCP access filtering.

Use undo filter tcp-access uri-acl to remove the URI ACL configuration for TCP access filtering.

Syntax

filter tcp-access uri-acl uri-acl-name

undo filter tcp-access uri-acl

Default

A user can access only the TCP resources in the TCP port forwarding list authorized to the user.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for TCP access filtering.

For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request:

1.     Matches the request against the authorized port forwarding list.

¡     If the request matches a port forwarding item in the list, the gateway forwards the request.

¡     If the request does not match any port forwarding items in the list, the gateway proceeds to step 2.

2.     Matches the request against the rules in the URI ACL:

¡     If the request matches a permit rule, the gateway forwards the request.

¡     If the request matches a deny rule, the gateway drops the request.

¡     If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.

3.     Matches the request against the rules in the advanced ACL:

¡     If the request matches a permit rule, the gateway forwards the request.

¡     If the request matches a deny rule, the gateway drops the request.

¡     If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

For PC users, the ACLs configured for TCP access filtering do not take effect. They can access only the TCP resources authorized to them through the TCP port forwarding list.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure policy group abcpg to use URI ACL abcuriacl2 for TCP access filtering.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] policy-group abcpg

[Sysname-sslvpn-context-abc-policy-group-abcpg] filter tcp-access uri-acl abcuriacl2

Related commands

filter tcp-access acl

filter web-access acl

Use filter web-access acl to specify an advanced ACL for Web access filtering.

Use undo filter web-access acl to remove the advanced ACL configuration for Web access filtering.

Syntax

filter web-access [ ipv6 ] acl advanced-acl-number

undo filter web-access [ ipv6 ] acl

Default

A user can access only the Web resources in the URL list authorized to the user.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL. Do not configure this keyword if you want to specify an IPv4 ACL.

acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for Web access filtering.

The SSL VPN gateway uses the following procedure to determine whether to forward a Web access request:

1.     Matches the request against the authorized URL list.

¡     If the request matches a URL item in the list, the gateway forwards the request.

¡     If the request does not match any URL items in the list, the gateway proceeds to step 2.

2.     Matches the request against rules in the URI ACL:

¡     If the request matches a permit rule, the gateway forwards the request.

¡     If the request matches a deny rule, the gateway drops the request.

¡     If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.

3.     Matches the request against rules in the advanced ACL:

¡     If the request matches a permit rule, the gateway forwards the request.

¡     If the request matches a deny rule, the gateway drops the request.

¡     If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

You can specify an IPv4 ACL, IPv6 ACL, or both by using this command, but you cannot specify multiple IPv4 ACLs or IPv6 ACLs. If you specify IPv4 or IPv6 ACLs multiple times, the most recent IPv4 or IPv6 ACL configuration takes effect.

Examples

# Configure policy group pg1 to use IPv4 ACL 3000 and IPv6 ACL 3500 for Web access filtering.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter web-access acl 3000

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter web-access ipv6 acl 3500

Related commands

filter web-access uri-acl

filter web-access uri-acl

Use filter web-access uri-acl to specify a URI ACL for Web access filtering.

Use undo filter web-access uri-acl to remove the URI ACL configuration for Web access filtering.

Syntax

filter web-access uri-acl uri-acl-name

undo filter web-access uri-acl

Default

Users can access only the Web resources authorized to them through the URL list.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.

Usage guidelines

The SSL VPN gateway uses the following procedure to determine whether to forward a Web access request:

1.     Matches the request against the authorized URL list.

¡     If the request matches a URL item in the list, the gateway forwards the request.

¡     If the request does not match any URL items in the list, the gateway proceeds to step 2.

2.     Matches the request against rules in the URI ACL:

¡     If the request matches a permit rule, the gateway forwards the request.

¡     If the request matches a deny rule, the gateway drops the request.

¡     If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.

3.     Matches the request against rules in the advanced ACL:

¡     If the request matches a permit rule, the gateway forwards the request.

¡     If the request matches a deny rule, the gateway drops the request.

¡     If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

If you execute this command multiple times, the most recent configuration takes effect.
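The matching procedures documented for filter ip-tunnel acl/uri-acl, filter tcp-access acl/uri-acl and filter web-access acl/uri-acl differ only in whether an authorized list (port forwarding list or URL list) is consulted first and in the PC-user exception for TCP access. The following Python model is an added example, not H3C code: it runs the documented decision order over constructed requests so the effect of the default deny and of the URI ACL taking precedence over the advanced ACL can be checked. It assumes first-match evaluation within an ACL, shell-style glob patterns for URI ACL rules over a "scheme://host:port" string, and an (address, port) set for the authorized list; none of these is the device's actual rule syntax.

```python
# Added example (not H3C code): a model of the access-filter decision order
# documented for filter ip-tunnel / tcp-access / web-access (acl and uri-acl).
# Assumptions: rules are evaluated first-match in list order, URI ACL patterns
# are globs over "scheme://host:port", and the authorized list is a set of
# (address, port) pairs. The real uri-acl and advanced ACL syntax is not modelled.
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


def match_uri_acl(uri_acl, uri):
    """Return 'permit', 'deny', or None when no rule matches."""
    for action, pattern in uri_acl:
        if fnmatchcase(uri, pattern):
            return action
    return None


def match_advanced_acl(acl, dst_ip, dst_port):
    """Advanced ACL rule: (action, destination CIDR, destination port or None)."""
    addr = ip_address(dst_ip)
    for action, cidr, port in acl:
        if addr in ip_network(cidr, strict=False) and port in (None, dst_port):
            return action
    return None


def decide(req, mode, authorized=None, uri_acl=None, advanced_acl=None, pc_client=False):
    """Return (verdict, reason) for one request.

    req  : dict with dst_ip, dst_port and uri
    mode : 'ip-tunnel', 'tcp-access' or 'web-access'
    """
    if mode not in ("ip-tunnel", "tcp-access", "web-access"):
        raise ValueError("unknown access mode: %s" % mode)

    # Step 1 (tcp-access / web-access only): the authorized port forwarding
    # list or URL list. IP access has no such step.
    if mode != "ip-tunnel":
        if (req["dst_ip"], req["dst_port"]) in (authorized or set()):
            return "forward", "authorized list"
        # PC users in TCP access mode never reach the ACL steps.
        if mode == "tcp-access" and pc_client:
            return "drop", "not in port forwarding list (ACLs ignored for PC users)"

    # Step 2: URI ACL. A permit or deny is final; no match (or no ACL) falls through.
    if uri_acl:
        action = match_uri_acl(uri_acl, req["uri"])
        if action == "permit":
            return "forward", "uri-acl permit"
        if action == "deny":
            return "drop", "uri-acl deny"

    # Step 3: advanced ACL. Same rule; no match falls through to the default.
    if advanced_acl:
        action = match_advanced_acl(advanced_acl, req["dst_ip"], req["dst_port"])
        if action == "permit":
            return "forward", "acl permit"
        if action == "deny":
            return "drop", "acl deny"

    # Default: nothing permitted the request, so the gateway drops it.
    return "drop", "no matching rule (default deny)"


# Constructed policy and requests for the demonstration run.
URI_ACL = [("deny", "tcp://10.1.1.*:23"), ("permit", "tcp://10.1.1.*")]
ADV_ACL = [("permit", "10.2.0.0/16", None), ("deny", "10.0.0.0/8", None)]
AUTHORIZED = {("10.9.9.9", 3389)}


def demo():
    """IP access decisions for five constructed requests."""
    reqs = [
        {"dst_ip": "10.1.1.5", "dst_port": 23, "uri": "tcp://10.1.1.5:23"},
        {"dst_ip": "10.1.1.5", "dst_port": 80, "uri": "tcp://10.1.1.5:80"},
        {"dst_ip": "10.2.3.4", "dst_port": 443, "uri": "tcp://10.2.3.4:443"},
        {"dst_ip": "10.3.0.1", "dst_port": 443, "uri": "tcp://10.3.0.1:443"},
        {"dst_ip": "192.168.1.1", "dst_port": 80, "uri": "tcp://192.168.1.1:80"},
    ]
    return [decide(r, "ip-tunnel", uri_acl=URI_ACL, advanced_acl=ADV_ACL) for r in reqs]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, "-", reason)
```

The last request in demo() matches neither ACL and is dropped: the same outcome as a policy group with no filter configured at all, which is what the Dropped requests counter of display sslvpn ip-tunnel statistics reports when all of a user's traffic is discarded.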

Examples

# Configure policy group abcpg to use URI ACL abcuriacl1 for Web access filtering.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] policy-group abcpg

[Sysname-sslvpn-context-abc-policy-group-abcpg] filter web-access uri-acl abcuriacl1

Related commands

filter web-access acl

force-logout

Use force-logout to force online users to log out.

Syntax

force-logout [ all | session session-id | user user-name ]

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

all: Logs out all users.

session session-id: Logs out all users in a session. The session-id argument specifies the session ID in the range of 1 to 4294967295.

user user-name: Logs out a user. The user-name argument specifies the username, a case-sensitive string of 1 to 63 characters.

Examples

# Log out all users in session 1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] force-logout session 1

force-logout max-onlines enable

Use force-logout max-onlines enable to enable the force logout feature.

Use undo force-logout max-onlines enable to disable the force logout feature.

Syntax

force-logout max-onlines enable

undo force-logout max-onlines enable

Default

The force logout feature is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

By default, when the number of concurrent logins using an account has reached the limit set by the max-onlines command, a new login with that account is rejected.

With this feature enabled, when such a login is attempted, the gateway logs out the online user of that account with the longest idle time and admits the new login.

Examples

# Enable the force logout feature.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] force-logout max-onlines enable

gateway

Use gateway to associate an SSL VPN context with an SSL VPN gateway.

Use undo gateway to remove associated SSL VPN gateways.

Syntax

gateway gateway-name [ domain domain-name | virtual-host virtual-host-name ]

undo gateway [ gateway-name ]

Default

An SSL VPN context is not associated with an SSL VPN gateway.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

gateway-name: Specifies an SSL VPN gateway by its name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).

domain domain-name: Specifies a domain name for the SSL VPN context, a case-insensitive string of 1 to 127 characters.

virtual-host virtual-host-name: Specifies a virtual host name for the SSL VPN context, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).

Usage guidelines

When you associate an SSL VPN context with an SSL VPN gateway, follow these guidelines:

·     Make sure the context has a domain name or virtual host name different from those of any existing contexts associated with the SSL VPN gateway.

The SSL VPN gateway uses the domain name or virtual host name that a remote user entered to determine the SSL VPN context to which the user belongs.

·     If you do not specify a domain name or virtual host name for the context, you cannot associate other SSL VPN contexts with the SSL VPN gateway.

You can associate an SSL VPN context with a maximum of 10 SSL VPN gateways.

Examples

# Associate SSL VPN context ctx1 with SSL VPN gateway gw1, and specify the domain name as domain1 for the context.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] gateway gw1 domain domain1

Related commands

display sslvpn context

heading

Use heading to configure a heading for a URL list.

Use undo heading to restore the default.

Syntax

heading string

undo heading

Default

The heading of a URL list is Web.

Views

URL list view

Predefined user roles

network-admin

Parameters

string: Specifies a URL list heading, a case-sensitive string of 1 to 31 characters.

Examples

# Specify urlhead as the heading of URL list url.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] url-list url

[Sysname-sslvpn-context-ctx1-url-list-url] heading urlhead

Related commands

sslvpn context

url-list

http-redirect

Use http-redirect to enable HTTP redirection.

Use undo http-redirect to disable HTTP redirection.

Syntax

http-redirect [ port port-number ]

undo http-redirect

Default

HTTP redirection is disabled. An SSL VPN gateway does not process HTTP traffic.

Views

SSL VPN gateway view

Predefined user roles

network-admin

Parameters

port-number: Specifies the HTTP port number to listen on, a value of 80 (the default) or in the range of 1025 to 65535.

Usage guidelines

This command enables an SSL VPN gateway to perform the following operations:

1.     Listen to an HTTP port.

2.     Redirect HTTP requests received on that port to the port used by HTTPS on the gateway.

3.     Send redirection packets to clients.

Examples

# Enable HTTP redirection for HTTP port 1025.

<Sysname> system-view

[Sysname] sslvpn gateway gateway1

[Sysname-sslvpn-gateway-gateway1] http-redirect port 1025

idle-cut traffic-threshold

Use idle-cut traffic-threshold to set the SSL VPN session idle-cut traffic threshold.

Use undo idle-cut traffic-threshold to restore the default.

Syntax

idle-cut traffic-threshold kilobytes

undo idle-cut traffic-threshold

Default

The SSL VPN session idle-cut traffic threshold is 0 kilobytes. An SSL VPN session is disconnected only if no traffic is transmitted within the session idle timeout.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

kilobytes: Specifies the session idle-cut traffic threshold in kilobytes. The value range is 1 to 4294967295.

Usage guidelines

The SSL VPN session idle-cut traffic threshold refers to the minimum traffic required in the session idle timeout interval for a session not to be disconnected as an idle session.

After the idle-cut traffic threshold is set, the system counts the traffic transmitted in each SSL VPN session at intervals specified by the timeout idle command. If the traffic is less than the idle-cut traffic threshold, the system determines the session to be idle and disconnects the session.

If you change the setting of the idle-cut traffic-threshold or timeout idle command in an SSL VPN context, all session idle-cut traffic counters in the SSL VPN context will be cleared.

Examples

# Set the SSL VPN session idle-cut traffic threshold to 1000 kilobytes in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] idle-cut traffic-threshold 1000

Related commands

timeout idle

include

Use include to add an included route to a route list.

Use undo include to delete an included route from a route list.

Syntax

include ip-address { mask | mask-length }

undo include ip-address { mask | mask-length }

Default

No included routes exist.

Views

Route list view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the destination IP address of the route. It cannot be a multicast, broadcast, or loopback address. The specified IP address must be the address of the network segment where the internal servers reside.

mask: Specifies the subnet mask.

mask-length: Specifies the mask length of the route, an integer in the range of 0 to 32.

Usage guidelines

To permit user access to specific network nodes or segments behind an SSL VPN gateway, configure included routes for those nodes or segments.

When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway issues the included routes to the client. The client adds the included routes to the local routing table, using the VNIC as the output interface. Traffic that matches the included routes is sent to the SSL VPN gateway through the VNIC.

You can add multiple included routes to a route list.

If you execute the include and exclude commands to add the same route to a route list, the most recent configuration takes effect.

Examples

# Add included route 10.0.0.0/8 to route list rtlist.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ip-route-list rtlist

[Sysname-sslvpn-context-ctx1-route-list-rtlist] include 10.0.0.0 8

Related commands

exclude

interface sslvpn-ac

Use interface sslvpn-ac to create an SSL VPN AC interface and enter its view, or enter the view of an existing SSL VPN AC interface.

Use undo interface sslvpn-ac to delete an SSL VPN AC interface.

Syntax

interface sslvpn-ac interface-number

undo interface sslvpn-ac interface-number

Default

No SSL VPN AC interfaces exist.

Views

System view

Predefined user roles

network-admin

Parameters

interface-number: Specifies an SSL VPN AC interface number in the range of 0 to 4095.

Examples

# Create SSL VPN AC 1000 and enter its view.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000]

ip address

Use ip address to configure an IPv4 address and a port number for an SSL VPN gateway.

Use undo ip address to restore the default.

Syntax

ip address ip-address [ port port-number ]

undo ip address

Default

An SSL VPN gateway uses IPv4 address 0.0.0.0 and port number 443.

Views

SSL VPN gateway view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IP address for the SSL VPN gateway, in dotted decimal notation.

port port-number: Specifies a port number for the SSL VPN gateway. The port number is 443 (the default value) or in the range of 1025 to 65535.

Usage guidelines

A remote user uses the IPv4 address and port number configured by this command to access an SSL VPN gateway.

The specified IPv4 address must be the IP address of an interface on the gateway device and must be reachable from clients and internal servers.

The default address 0.0.0.0 makes the gateway accept connections on every IPv4 address of the device. If the gateway uses the default address, make sure its port number is different from the port number of the HTTPS server on the device, so that the two listeners do not compete for the same port.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the IPv4 address of SSL VPN gateway gw1 as 10.10.1.1 and the port number as 8000.

<Sysname> system-view

[Sysname] sslvpn gateway gw1

[Sysname-sslvpn-gateway-gw1] ip address 10.10.1.1 port 8000

Related commands

display sslvpn gateway

ip range

Use ip range to specify an IPv4 address range for an SSL VPN SNAT address pool.

Use undo ip range to restore the default.

Syntax

ip range start-ipv4-address end-ipv4-address

undo ip range

Default

No IPv4 address range is specified for an SSL VPN SNAT address pool.

Views

SSL VPN SNAT address pool view

Predefined user roles

network-admin

Parameters

start-ipv4-address end-ipv4-address: Specifies the start and end IPv4 addresses. The end IPv4 address must be greater than or equal to the start IPv4 address.

Usage guidelines

The addresses in the range are equally assigned to all engines. The number of addresses in the address range must be greater than or equal to the number of engines.

A SNAT address pool can have a maximum of 256 IPv4 addresses. No overlapping IPv4 addresses are allowed in different SNAT address pools.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify IPv4 address range 1.1.1.1 to 1.1.1.100 for SNAT address pool spool1.

<Sysname> system-view

[Sysname] sslvpn snat-pool spool1

[Sysname-sslvpn-snatpool-spool1] ip range 1.1.1.1 1.1.1.100

ip-route-list

Use ip-route-list to create a route list for an SSL VPN context and enter its view, or enter the view of an existing route list.

Use undo ip-route-list to delete a route list.

Syntax

ip-route-list list-name

undo ip-route-list list-name

Default

No route lists exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

list-name: Specifies a name for the route list, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can add routes to a route list. The routes can be issued to IP access clients for them to access internal servers behind the SSL VPN gateway.

You cannot delete a route list that is used by a policy group. To delete the route list, execute the undo ip-tunnel access-route command to remove the configuration and then execute the undo ip-route-list command.

Examples

# In SSL VPN context ctx1, create a route list named rtlist and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ip-route-list rtlist

[Sysname-sslvpn-context-ctx1-route-list-rtlist]

Related commands

ip-tunnel access-route

ip-tunnel access-route

Use ip-tunnel access-route to specify the routes to be issued to clients.

Use undo ip-tunnel access-route to restore the default.

Syntax

ip-tunnel access-route { ip-address { mask-length | mask } | force-all | ip-route-list list-name }

undo ip-tunnel access-route

Default

No routes to be issued to clients are specified.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

ip-address { mask-length | mask }: Configures a route to be issued to a client. The ip-address argument specifies the destination address of the route. It cannot be a multicast, broadcast, or loopback address. The mask-length argument specifies the mask length of the route, in the range of 0 to 32. The mask argument specifies the subnet mask of the route in dotted decimal notation.

force-all: Forces all traffic to be sent to the SSL VPN gateway.

ip-route-list list-name: Issues routes in the specified route list to clients. The list-name argument specifies the route list name, a case-insensitive string of 1 to 31 characters. The specified route list must have been created by using the ip-route-list command.

Usage guidelines

When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway issues the configured route or the specified routes to the client. The client adds the routes, using the VNIC as the output interface. Packets from the client to the internal servers match the routes, and therefore are sent to the SSL VPN gateway through the VNIC.

To issue multiple routes to a client, execute the ip-tunnel access-route ip-route-list list-name command. To issue a route to a client, execute the ip-tunnel access-route ip-address { mask-length | mask } command.

After you execute the ip-tunnel access-route force-all command, the SSL VPN gateway issues a default route to the SSL VPN client. The default route uses the VNIC as the output interface and has the highest priority among all default routes on the client. Packets for destinations not in the routing table are sent to the SSL VPN gateway through the VNIC. The SSL VPN gateway monitors the SSL VPN client in real time. It does not allow the client to delete the default route or add a default route with a higher priority.

If you execute this command multiple times, the most recent configuration takes effect.
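To make the route-issuing behaviour above concrete, the following added Python model (example code, not H3C software) builds the routing table an IP access client ends up with for the three forms of the command, resolves destinations by longest-prefix match, and reproduces the gateway-side check that the force-all default route has neither been deleted nor outranked. The interface names, metrics and the tie-break rule (longest prefix, then lowest metric) are assumptions about the client host; the route list contents are taken from the example that follows.

```python
"""Added example, not H3C code: client routing table after the gateway issues
routes, and the gateway's force-all integrity check.
Assumptions: the physical NIC ("eth0") holds a default route with metric 10;
routes issued by the gateway use the VNIC with metric 1; the client picks the
longest prefix and breaks ties with the lowest metric, as hosts normally do."""
import ipaddress

VNIC = "vnic"
PHYS = "eth0"
PHYS_DEFAULT_METRIC = 10
VNIC_METRIC = 1
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def routes_from_access_route(access_route, route_lists):
    """Translate an ip-tunnel access-route setting into (prefixes, force_all).
    access_route is ("prefix", "10.0.0.0/8"), ("ip-route-list", name) or ("force-all",)."""
    kind = access_route[0]
    if kind == "force-all":
        return [], True
    if kind == "prefix":
        return [access_route[1]], False
    if kind == "ip-route-list":
        return list(route_lists[access_route[1]]), False
    raise ValueError(f"unknown access-route form: {access_route!r}")


def build_client_routes(prefixes, force_all):
    """Client routing table as (network, interface, metric) tuples."""
    routes = [(DEFAULT, PHYS, PHYS_DEFAULT_METRIC)]
    for p in prefixes:
        routes.append((ipaddress.ip_network(p, strict=False), VNIC, VNIC_METRIC))
    if force_all:
        # force-all: a VNIC default route that outranks the local default route
        routes.append((DEFAULT, VNIC, VNIC_METRIC))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


def force_all_violated(routes):
    """Model of the gateway check described above: the VNIC default route must
    exist and no other default route may carry a better (lower) metric."""
    defaults = [(iface, metric) for net, iface, metric in routes if net == DEFAULT]
    vnic_metrics = [m for i, m in defaults if i == VNIC]
    if not vnic_metrics:
        return True          # client deleted the issued default route
    return any(m < min(vnic_metrics) for i, m in defaults if i != VNIC)


# Constructed sample: the route list from the example below and a force-all group
ROUTE_LISTS = {"rtlist": ["10.0.0.0/8", "20.0.0.0/8"]}
SPLIT = build_client_routes(*routes_from_access_route(("ip-route-list", "rtlist"), ROUTE_LISTS))
FULL = build_client_routes(*routes_from_access_route(("force-all",), ROUTE_LISTS))

if __name__ == "__main__":
    for dst in ("10.1.2.3", "20.5.5.5", "198.51.100.7"):
        print(dst, "split ->", lookup(SPLIT, dst), "| force-all ->", lookup(FULL, dst))
    tampered = [r for r in FULL if not (r[0] == DEFAULT and r[1] == VNIC)]
    print("violated after deleting the VNIC default route:", force_all_violated(tampered))
```

With the route list, only 10.0.0.0/8 and 20.0.0.0/8 traverse the tunnel and everything else leaves through the physical interface; with force-all, the VNIC default route wins every lookup, and removing it or adding a default route with a better metric is what the gateway's monitoring detects.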

Examples

# In the view of policy group pg1, configure the SSL VPN gateway to issue routes in route list rtlist to a client.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ip-route-list rtlist

[Sysname-sslvpn-context-ctx1-route-list-rtlist] include 10.0.0.0 8

[Sysname-sslvpn-context-ctx1-route-list-rtlist] include 20.0.0.0 8

[Sysname-sslvpn-context-ctx1-route-list-rtlist] quit

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] ip-tunnel access-route ip-route-list rtlist

Related commands

ip-route-list

ip-tunnel address-pool (SSL VPN context view)

Use ip-tunnel address-pool to specify an address pool for IP access in an SSL VPN context.

Use undo ip-tunnel address-pool to restore the default.

Syntax

ip-tunnel address-pool pool-name mask { mask-length | mask }

undo ip-tunnel address-pool

Default

No address pool is specified for IP access in an SSL VPN context.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

pool-name: Specifies an address pool by its name, a case-insensitive string of 1 to 31 characters.

mask { mask-length | mask }: Specifies the mask length or mask of the address pool. The value range for the mask length is 1 to 30.

Usage guidelines

When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway allocates an IP address to the client from either of the following address pools:

·     Address pool specified for the policy group authorized to the client.

·     Address pool specified for the SSL VPN context. This address pool is used only if no address pool is specified for the policy group authorized to the client.

If no free address is available in the address pool or the address pool does not exist, address allocation to the client will fail and the client's IP access request will be rejected.

If you specify a nonexistent address pool, the pool is effective for address allocation after it is created.

You can specify only one address pool for an SSL VPN context. If you execute this command multiple times, the most recent configuration takes effect.

For IP access users to access the SSL VPN gateway correctly, make sure the IP addresses in the address pool do not conflict with the IP addresses used on the device.

Examples

# Specify address pool pool1 for IP access.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] ip-tunnel address-pool pool1 mask 24

Related commands

sslvpn ip address-pool

ip-tunnel address-pool (SSL VPN policy group view)

Use ip-tunnel address-pool to specify an address pool for IP access in an SSL VPN policy group.

Use undo ip-tunnel address-pool to restore the default.

Syntax

ip-tunnel address-pool pool-name mask { mask-length | mask }

undo ip-tunnel address-pool

Default

No address pool is specified for IP access in an SSL VPN policy group.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

pool-name: Specifies an address pool by its name, a case-insensitive string of 1 to 31 characters.

mask { mask-length | mask }: Specifies the mask length or mask of the address pool. The value range for the mask length is 1 to 30.

Usage guidelines

When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway allocates an IP address to the client from either of the following address pools:

·     Address pool specified for the policy group authorized to the client.

·     Address pool specified for the SSL VPN context. This address pool is used only if no address pool is specified for the policy group authorized to the client.

If no free address is available in the address pool or the address pool does not exist, address allocation to the client will fail and the client's IP access request will be rejected.

If you specify a nonexistent address pool, the pool is effective for address allocation after it is created.

You can specify only one address pool for an SSL VPN policy group. If you execute this command for an SSL VPN policy group multiple times, the most recent configuration takes effect.

For IP access users to access the SSL VPN gateway correctly, make sure the IP addresses in the address pool do not conflict with the IP addresses used on the device.

Examples

# Specify address pool pool1 for IP access in SSL VPN policy group pg1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] ip-tunnel address-pool pool1 mask 24

Related commands

sslvpn ip address-pool

ip-tunnel bind address

Use ip-tunnel bind address to bind IP addresses to an SSL VPN user.

Use undo ip-tunnel bind address to restore the default.

Syntax

ip-tunnel bind address { ip-address-list | auto-allocate number }

undo ip-tunnel bind address

Default

An SSL VPN user is not bound to IP addresses.

Views

SSL VPN user view

Predefined user roles

network-admin

Parameters

ip-address-list: Specifies an IP address list, a string of 1 to 255 characters that can contain digits, dots (.), commas (,), and hyphens (-). The list is made up of comma-separated items. Each item is a single IP address or a range of IP addresses in the form start-IP-address-end-IP-address, for example, 10.1.1.5,10.1.1.10-10.1.1.20. The list can contain a maximum of 10000 addresses, excluding multicast, broadcast, and loopback addresses.

auto-allocate number: Enables the SSL VPN gateway to automatically bind the specified number of free IP addresses to the user. The value range for the number argument is 1 to 10.

Usage guidelines

When an SSL VPN user accesses the SSL VPN gateway in IP access mode, the SSL VPN gateway must assign an IP address to the user. This command allows you to specify the IP addresses that can be assigned to a user.

You can bind IP addresses to an SSL VPN user as follows:

·     Use the ip-address-list argument to bind a list of IP addresses to the user.

When the user accesses the SSL VPN gateway in IP access mode, the SSL VPN gateway assigns a bound IP address to the user.

If a bound IP address is currently assigned to another user, the SSL VPN gateway terminates that user's connection and releases the IP address for the bound user.

·     Use the auto-allocate number option to enable the SSL VPN gateway to automatically bind the specified number of free addresses in the IP access address pool to the user.

The IP addresses to be bound to an SSL VPN user must meet the following requirements:

·     If an IP access address pool is specified for the SSL VPN policy group authorized to the user, the IP addresses must exist in the address pool.

·     If no address pool is specified for the SSL VPN policy group, the IP addresses must exist in the address pool specified for the SSL VPN context of the user.

You can bind the same IP address to different SSL VPN users only when the SSL VPN contexts of the users are associated with different VPN instances.

If you configure this command multiple times, the most recent configuration takes effect.
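The ip-address-list syntax and the pool-membership requirement above are where misconfigurations typically surface. The following added Python parser (example code, not H3C software) validates a list the way the rules on this page describe: length and character set, single addresses and start-end ranges, the 10000-address ceiling counted after dropping multicast, loopback and broadcast addresses, and a check that every bound address lies inside the applicable IP access pool. Taking "broadcast addresses" to mean 255.255.255.255 only is an assumption, because subnet broadcasts depend on a pool mask this code does not see; the sample lists and pool bounds are constructed.

```python
"""Added example, not H3C code: parse and validate an ip-address-list for
ip-tunnel bind address, e.g. "10.1.1.5,10.1.1.10-10.1.1.20".
Assumption: only 255.255.255.255 is treated as a broadcast address."""
import ipaddress
import re

MAX_LIST_LEN = 255
MAX_ADDRESSES = 10000
_ALLOWED = re.compile(r"^[0-9.,-]+$")
# Blocks the gateway will not bind: loopback, multicast, limited broadcast
_EXCLUDED = [ipaddress.ip_network("127.0.0.0/8"),
             ipaddress.ip_network("224.0.0.0/4"),
             ipaddress.ip_network("255.255.255.255/32")]


class BindListError(ValueError):
    """Raised when the list would be rejected."""


def _usable_intervals(start, end):
    """Subtract the excluded blocks from the closed integer interval [start, end]."""
    intervals = [(start, end)]
    for net in _EXCLUDED:
        lo, hi = int(net.network_address), int(net.broadcast_address)
        remaining = []
        for s, e in intervals:
            if hi < s or lo > e:            # no overlap with this block
                remaining.append((s, e))
                continue
            if s < lo:                      # keep the part below the block
                remaining.append((s, lo - 1))
            if e > hi:                      # keep the part above the block
                remaining.append((hi + 1, e))
        intervals = remaining
    return intervals


def _parse_item(item):
    """One list item: a single address or start-end range -> (int, int)."""
    try:
        if "-" in item:
            start_s, end_s = item.split("-", 1)
            start = int(ipaddress.IPv4Address(start_s))
            end = int(ipaddress.IPv4Address(end_s))
        else:
            start = end = int(ipaddress.IPv4Address(item))
    except ipaddress.AddressValueError as exc:
        raise BindListError(f"bad address in item {item!r}: {exc}") from exc
    if end < start:
        raise BindListError(f"range end precedes start: {item}")
    return start, end


def parse_bind_list(text):
    """Return the IPv4Address objects the gateway would actually bind."""
    if not 1 <= len(text) <= MAX_LIST_LEN:
        raise BindListError("list must be 1 to 255 characters long")
    if not _ALLOWED.match(text):
        raise BindListError("only digits, dots, commas and hyphens are allowed")
    intervals = []
    for item in text.split(","):
        intervals.extend(_usable_intervals(*_parse_item(item)))
    # Count before expanding so an oversized range is rejected without a long loop
    if sum(e - s + 1 for s, e in intervals) > MAX_ADDRESSES:
        raise BindListError(f"more than {MAX_ADDRESSES} addresses")
    return [ipaddress.IPv4Address(n) for s, e in intervals for n in range(s, e + 1)]


def bind_list_error(text):
    """None if text is acceptable, otherwise the rejection reason."""
    try:
        parse_bind_list(text)
    except BindListError as exc:
        return str(exc)
    return None


def outside_pool(addresses, pool_start, pool_end):
    """Bound addresses that do not exist in the IP access pool [pool_start, pool_end]."""
    lo = ipaddress.IPv4Address(pool_start)
    hi = ipaddress.IPv4Address(pool_end)
    return [str(a) for a in addresses if not lo <= a <= hi]


if __name__ == "__main__":
    bound = parse_bind_list("10.1.1.5,10.1.1.10-10.1.1.20,10.1.1.30")   # constructed
    print(len(bound), "addresses; outside pool:", outside_pool(bound, "10.1.1.1", "10.1.1.16"))
    print(bind_list_error("10.1.1.20-10.1.1.10"))
```

Run against the example list from this page, the parser expands to 13 addresses; checking them against a constructed pool of 10.1.1.1 through 10.1.1.16 shows 10.1.1.17 to 10.1.1.20 and 10.1.1.30 as addresses the gateway could never assign, which is the misconfiguration the pool requirement above guards against.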

Examples

# Bind IP addresses 10.1.1.5, 10.1.1.10 through 10.1.1.20, and 10.1.1.30 to SSL VPN user user1.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] user user1

[Sysname-sslvpn-context-ctx-user-user1] ip-tunnel bind address 10.1.1.5,10.1.1.10-10.1.1.20,10.1.1.30

Related commands

user

ip-tunnel dns-server

Use ip-tunnel dns-server to specify a DNS server for IP access.

Use undo ip-tunnel dns-server to restore the default.

Syntax

ip-tunnel dns-server { primary | secondary } ip-address

undo ip-tunnel dns-server { primary | secondary }

Default

No DNS servers are specified for IP access.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

primary: Specifies the primary DNS server.

secondary: Specifies the secondary DNS server.

ip-address: Specifies the IP address of the DNS server. It cannot be a multicast, broadcast, or loopback address.

Examples

# Specify the primary DNS server 1.1.1.1 for IP access.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] ip-tunnel dns-server primary 1.1.1.1

ip-tunnel interface

Use ip-tunnel interface to specify an SSL VPN AC interface for IP access in an SSL VPN context.

Use undo ip-tunnel interface to restore the default.

Syntax

ip-tunnel interface sslvpn-ac interface-number

undo ip-tunnel interface

Default

No SSL VPN AC interface is specified for IP access in an SSL VPN context.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

sslvpn-ac interface-number: Specifies the number of an SSL VPN AC interface. The interface must have been created.

Usage guidelines

The SSL VPN gateway uses the specified SSL VPN AC interface to communicate with SSL VPN users in IP access mode. It uses the SSL VPN AC interface to forward packets sent by the user to remote servers and to forward the servers' replies back to the user.

Examples

# Specify SSL VPN AC 100 for IP access.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] ip-tunnel interface sslvpn-ac 100

Related commands

interface sslvpn-ac

ip-tunnel keepalive

Use ip-tunnel keepalive to set the keepalive interval for IP access.

Use undo ip-tunnel keepalive to restore the default.

Syntax

ip-tunnel keepalive seconds

undo ip-tunnel keepalive

Default

The keepalive interval is 30 seconds for IP access.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

seconds: Specifies the keepalive interval in the range of 0 to 600 seconds. If the interval is set to 0 seconds, a client does not send keepalive messages to the SSL VPN gateway.

Usage guidelines

A client sends keepalive messages to the SSL VPN gateway to maintain sessions between them.

If an SSL VPN gateway does not receive any data or keepalive messages from a client during the session idle timeout time, it terminates the session with the client.

Set the keepalive interval to be shorter than the session idle timeout timer configured by the timeout idle command.

Examples

# Set the keepalive interval to 50 seconds for SSL VPN context ctx.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] ip-tunnel keepalive 50

ip-tunnel log connection-close

Use ip-tunnel log connection-close to enable logging for IP connection close events.

Use undo ip-tunnel log connection-close to disable logging for IP connection close events.

Syntax

ip-tunnel log connection-close

undo ip-tunnel log connection-close

Default

Logging for IP connection close events is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

This feature logs connection close events for IP access users. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for IP connection close events.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ip-tunnel log connection-close

Related commands

sslvpn context

ip-tunnel web-resource auto-push

Use ip-tunnel web-resource auto-push to enable automatic pushing of accessible resources to IP access users through the Web page.

Use undo ip-tunnel web-resource auto-push to disable automatic pushing of accessible resources to IP access users through the Web page.

Syntax

ip-tunnel web-resource auto-push

undo ip-tunnel web-resource auto-push

Default

Automatic pushing of accessible resources to IP access users through the Web page is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

This feature enables automatic pushing of accessible resources to a user through the Web page after the user logs in to the SSL VPN gateway through the IP access client.

Examples

# Enable automatic pushing of accessible resources to IP access users through the Web page in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ip-tunnel web-resource auto-push

ip-tunnel wins-server

Use ip-tunnel wins-server to specify a WINS server for IP access.

Use undo ip-tunnel wins-server to restore the default.

Syntax

ip-tunnel wins-server { primary | secondary } ip-address

undo ip-tunnel wins-server { primary | secondary }

Default

No WINS servers are specified for IP access.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

primary: Specifies the primary WINS server.

secondary: Specifies the secondary WINS server.

ip-address: Specifies the IPv4 address of the WINS server. It cannot be a multicast, broadcast, or loopback address.

Examples

# Specify the primary WINS server 1.1.1.1 for IP access.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] ip-tunnel wins-server primary 1.1.1.1

ipv6 address

Use ipv6 address to configure an IPv6 address and a port number for an SSL VPN gateway.

Use undo ipv6 address to restore the default.

Syntax

ipv6 address ipv6-address [ port port-number ]

undo ipv6 address

Default

No IPv6 address is configured for an SSL VPN gateway.

Views

SSL VPN gateway view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 address for the SSL VPN gateway, a 128-bit address in colon-separated hexadecimal notation.

port port-number: Specifies a port number for the SSL VPN gateway. The port number is 443 (the default value) or in the range of 1025 to 65535.

Usage guidelines

A remote user uses the IPv6 address and port number configured by this command to access an SSL VPN gateway.

The specified IPv6 address must be the address of an interface on the gateway device and is reachable from clients and internal servers.

Do not use the management address of the device as the IPv6 address of the SSL VPN gateway.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the IPv6 address of SSL VPN gateway gw1 as 200::1 and the port number as 8000.

<Sysname> system-view

[Sysname] sslvpn gateway gw1

[Sysname-sslvpn-gateway-gw1] ipv6 address 200::1 port 8000

Related commands

display sslvpn gateway

ipv6 range

Use ipv6 range to specify an IPv6 address range for an SSL VPN SNAT address pool.

Use undo ipv6 range to restore the default.

Syntax

ipv6 range start-ipv6-address end-ipv6-address

undo ipv6 range

Default

No IPv6 address range is specified for an SSL VPN SNAT address pool.

Views

SSL VPN SNAT address pool view

Predefined user roles

network-admin

Parameters

start-ipv6-address end-ipv6-address: Specifies the start and end IPv6 addresses. The end IPv6 address must be greater than or equal to the start IPv6 address.

Usage guidelines

The addresses in the address range are equally assigned to all engines. The number of addresses in the address range must be greater than or equal to the number of engines.

A SNAT address pool can have a maximum of 65535 IPv6 addresses. No overlapping IPv6 addresses are allowed in different SNAT address pools.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify IPv6 address range 1234::100 to 1234::200 for SNAT address pool spool1.

<Sysname> system-view

[Sysname] sslvpn snat-pool spool1

[Sysname-sslvpn-snatpool-spool1] ipv6 range 1234::100 1234::200

local-port

Use local-port to configure a port forwarding instance for a port forwarding item.

Use undo local-port to remove the configuration.

Syntax

local-port local-port-number local-name local-name remote-server remote-server remote-port remote-port-number [ description text ]

undo local-port

Default

A port forwarding item does not contain a port forwarding instance.

Views

Port forwarding item view

Predefined user roles

network-admin

Parameters

local-port-number: Specifies a local port number in the range of 1 to 65535. The specified port number must be different from the port numbers of any existing services on the SSL VPN client.

local-name local-name: Specifies a local address or a local host name, a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.). To specify an IPv4 address, use an address in the network segment 127.0.0.0/8. To specify an IPv6 address, enclose the IPv6 address in brackets. For example, local-name [1234::5678].

remote-server remote-server: Specifies the IP address or domain name of a TCP service on an internal server. The remote-server argument is a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.). To specify an IPv6 address, enclose the IPv6 address in brackets. For example, remote-server [1234::5678].

remote-port remote-port-number: Specifies the port number of the TCP service on the internal server, in the range of 1 to 65535.

description text: Specifies a description, a case-sensitive string of 1 to 63 characters.

Usage guidelines

A port forwarding instance maps a TCP service on an internal server to a local address and port number on an SSL VPN client.

For example, for an SSL VPN client to use local address 127.0.0.1 and port 80 to access the internal HTTP server 192.168.0.213, perform the following tasks:

1.     Create a port forwarding item (tcp1 in this example).

2.     Configure a port forwarding instance for the port forwarding item.

local-port 80 local-name 127.0.0.1 remote-server 192.168.0.213 remote-port 80

The port forwarding instance will be displayed together with the port forwarding item name on the SSL VPN Web page. In this example, tcp1 (127.0.0.1:80 -> 192.168.0.213) will be displayed.

If you map a TCP service to a local host name, the TCP access client software adds an entry to the hosts file that maps the host name to a local IP address. When the client logs out, the software restores the original hosts file. On a Windows client, the hosts file is C:\Windows\System32\drivers\etc\hosts.

You can configure only one port forwarding instance for a port forwarding item. If you execute this command for a port forwarding item multiple times, the most recent configuration takes effect.
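The following is an added example, not H3C code and not part of the original reference. It models the argument checks documented for local-port (port range, a local IPv4 address restricted to 127.0.0.0/8, bracketed IPv6 addresses, the permitted host-name characters), renders the label the SSL VPN Web page shows for the instance, flags local ports that collide with services already listening on the client, and builds the hosts-file lines the TCP access client adds for host-name local names. The reference does not say how the client chooses the loopback address for a host name; allocating 127.0.0.2 upward is an assumption of this model, and the set of ports already in use on the client is constructed input.

```python
import ipaddress
import re

# Added example, not H3C code: check a port forwarding instance against the
# argument rules documented for local-port, render the label the SSL VPN Web page
# shows, and build the hosts-file lines the TCP access client adds for host-name
# local names. How the client picks the loopback address for a host name is not
# documented; allocating 127.0.0.2 upward is an assumption of this model.

_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,253}$")
_LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def _classify(value, local):
    """Return (kind, normalised value); kind is 'ipv4', 'ipv6' or 'host'."""
    if value.startswith("[") and value.endswith("]"):
        return "ipv6", str(ipaddress.IPv6Address(value[1:-1]))   # raises if malformed
    try:
        addr = ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        if not _NAME_RE.match(value):
            raise ValueError(f"invalid name {value!r}")
        return "host", value.lower()                               # names are case-insensitive
    if local and addr not in _LOOPBACK:
        raise ValueError(f"local IPv4 address must be in 127.0.0.0/8: {value}")
    return "ipv4", str(addr)

def _port(value):
    if not 1 <= int(value) <= 65535:
        raise ValueError(f"port out of range: {value}")
    return int(value)

def port_forward_instance(item, local_port, local_name, remote_server, remote_port, description=None):
    """Model of: local-port N local-name X remote-server Y remote-port M [description T]."""
    if description is not None and not 1 <= len(description) <= 63:
        raise ValueError("description must be 1 to 63 characters")
    lkind, lname = _classify(local_name, local=True)
    rkind, rname = _classify(remote_server, local=False)
    return {"item": item, "local_port": _port(local_port), "local_kind": lkind,
            "local_name": lname, "remote_kind": rkind, "remote_server": rname,
            "remote_port": _port(remote_port), "description": description}

def is_valid(*args, **kwargs):
    """True when port_forward_instance() accepts the arguments."""
    try:
        port_forward_instance(*args, **kwargs)
        return True
    except ValueError:
        return False

def web_label(inst):
    """Label shown on the Web page, e.g. 'tcp1 (127.0.0.1:80 -> 192.168.0.213)'."""
    local = f"[{inst['local_name']}]" if inst["local_kind"] == "ipv6" else inst["local_name"]
    return f"{inst['item']} ({local}:{inst['local_port']} -> {inst['remote_server']})"

def local_port_conflicts(instances, ports_in_use):
    """Items whose local port collides with a service already listening on the client.
    ports_in_use is a constructed set of port numbers taken from the client host."""
    return [i["item"] for i in instances if i["local_port"] in ports_in_use]

def hosts_lines(instances, first=ipaddress.IPv4Address("127.0.0.2")):
    """Hosts-file lines for host-name local names, one loopback address per distinct name."""
    assigned, lines = {}, []
    for inst in instances:
        if inst["local_kind"] == "host" and inst["local_name"] not in assigned:
            assigned[inst["local_name"]] = str(first + len(assigned))
            lines.append(f"{assigned[inst['local_name']]}\t{inst['local_name']}\t# sslvpn port forwarding")
    return lines

def restore_hosts(current_text, added_lines):
    """Logout: drop exactly the lines that were added and leave the rest of the file as it was."""
    added = set(added_lines)
    return "\n".join(line for line in current_text.splitlines() if line not in added) + "\n"
```

The hosts-file functions are the part a practitioner should care about: the client rewrites a system file that every name lookup on the host consults, so a client that crashes before restore_hosts runs leaves the added entries behind, and any local service already bound to the chosen port (local_port_conflicts) silently wins the connection.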

Examples

# Configure a port forwarding instance for port forwarding item pfitem1. The port forwarding instance maps IP address 192.168.0.213 and port 80 of the internal HTTP server to local address 127.0.0.1 and port 80.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] port-forward-item pfitem1

[Sysname-sslvpn-context-ctx1-port-forward-item-pfitem1] local-port 80 local-name 127.0.0.1 remote-server 192.168.0.213 remote-port 80 description http

Related commands

port-forward-item

log resource-access enable

Use log resource-access enable to enable resource access logging.

Use undo log resource-access enable to disable resource access logging.

Syntax

log resource-access enable [ brief | filtering ] *

undo log resource-access enable

Default

Resource access logging is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

brief: Records brief resource access information. If you specify this keyword, only the address and port number of the accessed resource are recorded. If you do not specify this keyword, the device records the full access details, including webpage formatting information, which produces a large volume of logs.

filtering: Enables resource access log filtering. With this keyword specified, the device generates only one log for accesses of the same user to the same resource in a minute. If this keyword is not specified, the device generates a log for each resource access.

Usage guidelines

This feature logs resource accesses of SSL VPN users. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.
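The following is an added example, not H3C code and not part of the original reference. It shows what the brief and filtering keywords do to the stream of resource access logs, run over constructed access events (the event fields are constructed; the reference does not document the log format). The reference says filtering yields one log per user and resource "in a minute" without saying whether that is a rolling 60-second window or a calendar minute, so a rolling window measured from the last emitted log is assumed here; brief is modelled as dropping every field except the user and the resource address:port.

```python
from collections import namedtuple

# Added example, not H3C code: effect of the brief and filtering keywords of
# 'log resource-access enable' on a stream of constructed access events.
# Assumption: the one-per-minute rule is a rolling 60 s window measured from the
# last log emitted for the same (user, resource) pair.

Access = namedtuple("Access", "ts user resource detail")   # ts in seconds

def resource_access_logs(events, brief=False, filtering=False, window=60):
    """Return the log records the device would emit for events (any order)."""
    last_logged = {}      # (user, resource) -> ts of the last log emitted for that pair
    records = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.resource)
        if filtering and key in last_logged and ev.ts - last_logged[key] < window:
            continue                       # suppressed: same user, same resource, within a minute
        last_logged[key] = ev.ts
        rec = {"ts": ev.ts, "user": ev.user, "resource": ev.resource}
        if not brief:
            rec["detail"] = ev.detail      # full request data, including page formatting
        records.append(rec)
    return records

# Constructed sample: alice fetches several objects from one server within a
# minute, then one more just after; both users also touch a second host.
SAMPLE = [
    Access(0,  "alice", "192.168.0.213:80", "GET /index.html HTTP/1.1 ... <html>..."),
    Access(5,  "alice", "192.168.0.213:80", "GET /style.css HTTP/1.1 ..."),
    Access(59, "alice", "192.168.0.213:80", "GET /app.js HTTP/1.1 ..."),
    Access(61, "alice", "192.168.0.213:80", "GET /api/data HTTP/1.1 ..."),
    Access(30, "bob",   "10.1.1.5:443",     "GET / HTTP/1.1 ..."),
    Access(30, "alice", "10.1.1.5:443",     "GET / HTTP/1.1 ..."),
]

def suppressed_count(events, window=60):
    """How many accesses the filtering keyword would hide for these events."""
    return len(events) - len(resource_access_logs(events, filtering=True, window=window))
```

The trade-off the model makes visible: with filtering, a burst of requests from one account to one resource collapses to a single record, so request-rate detections (scraping, credential-stuffing against an internal login page) must be built from something other than this log; without brief, the per-record payload carries page content that the information center then stores and forwards.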

Examples

# Enable resource access logging.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] log resource-access enable

log user-login enable

Use log user-login enable to enable logging for user login and logoff events.

Use undo log user-login enable to disable logging for user login and logoff events.

Syntax

log user-login enable

undo log user-login enable

Default

Logging for user login and logoff events is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

This feature logs user login and logoff events. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for user logins and logouts.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] log user-login enable

login-message

Use login-message to configure the welcome message to be displayed on the SSL VPN login page.

Use undo login-message to restore the default.

Syntax

login-message { chinese chinese-message | english english-message }

undo login-message { chinese | english }

Default

The login welcome message is Welcome to SSL VPN.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

chinese chinese-message: Configures a login welcome message in Chinese, a case-sensitive string of 1 to 255 characters.

english english-message: Configures a login welcome message in English, a case-sensitive string of 1 to 255 characters.

Examples

# Configure the login welcome message as hello.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] login-message english hello

logo

Use logo to specify a logo to be displayed on SSL VPN webpages.

Use undo logo to restore the default.

Syntax

logo { file file-name | none }

undo logo

Default

The logo displayed on SSL VPN webpages is H3C.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

file file-name: Specifies a logo file by its name, a case-insensitive string of 1 to 255 characters. The file must be a .gif, .jpg, or .png file, and its size cannot exceed 100 KB. As a best practice, use a file whose image resolution is 110*30 pixels.

none: Specifies that no logo is displayed.

Usage guidelines

The specified logo file must exist on the local device.

After you specify a logo file, the logo remains displayed on SSL VPN webpages even if the file is later deleted from the device.

Examples

# Specify the logo in file flash:/mylogo.gif as the logo displayed on SSL VPN webpages.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] logo file flash:/mylogo.gif

max-onlines

Use max-onlines to set the maximum number of concurrent logins for each account.

Use undo max-onlines to restore the default.

Syntax

max-onlines number

undo max-onlines

Default

The maximum number of concurrent logins for each account is 32.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number, in the range of 0 to 1048575. Value 0 indicates that the number of concurrent logins for each account is not limited.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the maximum number of concurrent logins for each account to 50.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] max-onlines 50

max-users

Use max-users to set the maximum number of sessions for an SSL VPN context.

Use undo max-users to restore the default.

Syntax

max-users max-number

undo max-users

Default

An SSL VPN context supports a maximum of 1048575 sessions.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of sessions, in the range of 1 to 1048575.

Usage guidelines

If the limit is reached, new users cannot access the SSL VPN gateway.

Examples

# Set the maximum number of sessions to 500 for SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] max-users 500

Related commands

display sslvpn context

message-server

Use message-server to specify a message server for mobile clients.

Use undo message-server to restore the default.

Syntax

message-server address { host-name | ipv4-address } port port-number

undo message-server

Default

No message server is specified for mobile clients.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

address: Specifies the host name or IPv4 address of the message server.

host-name: Specifies the host name of the message server, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).

ipv4-address: Specifies the IPv4 address of the message server, in dotted decimal notation. The IP address cannot be a multicast, broadcast, or loopback address.

port port-number: Specifies the port number of the message server, in the range of 1025 to 65535.

Usage guidelines

A message server provides services for mobile clients. The SSL VPN gateway issues the message server information to the clients, and the clients can access the message server.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the IP address of the message server as 10.10.1.1 and the port number as 8000 for context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] message-server address 10.10.1.1 port 8000

Related commands

sslvpn context

mtu

Use mtu to set the MTU of an SSL VPN AC interface.

Use undo mtu to restore the default.

Syntax

mtu size

undo mtu

Default

The default setting varies by device model.

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Parameters

size: Specifies an MTU value in the range of 100 to 64000 bytes.

Examples

# Set the MTU of interface SSL VPN AC 1000 to 1430 bytes.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] mtu 1430

new-content

Use new-content to specify the new content used to replace the old content.

Use undo new-content to restore the default.

Syntax

new-content string

undo new-content

Default

The new content used to replace the old content is not specified.

Views

Rewrite rule view

Predefined user roles

network-admin

Parameters

string: Specifies the new content, a case-sensitive string of 1 to 256 characters.

Usage guidelines

During file content rewriting, the new content will replace the old content specified by using the old-content command.

If the new content contains spaces, enclose the content in double quotation marks.

Examples

# Specify the new content in rewrite rule rule1 of file policy fp.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp] rewrite-rule rule1

[Sysname-sslvpn-context-ctx-file-policy-fp-rewrite-rule-rule1] new-content sslvpn_rewrite_htmlcode(d)

Related commands

old-content

old-content

Use old-content to specify the old file content to be rewritten.

Use undo old-content to restore the default.

Syntax

old-content string

undo old-content

Default

The old file content to be rewritten is not specified.

Views

Rewrite rule view

Predefined user roles

network-admin

Parameters

string: Specifies the old content, a case-sensitive string of 1 to 256 characters.

Usage guidelines

During file content rewriting, the old file content will be replaced by the new content specified by using the new-content command.

If the old content contains spaces, enclose the content in double quotation marks.

In the same file policy, the old content specified in different rewrite rules must be unique.
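The following is an added example, not H3C code and not part of the original reference. It models a file policy with rewrite rules and applies the old-content / new-content substitution to a response body, using the rule from the examples on this page. The 256-character limit, the quoting rule for strings containing spaces, and the requirement that old content be unique within a policy come from the reference; literal, case-sensitive matching and application of rules in creation order are assumptions of this model.

```python
# Added example, not H3C code: a file policy holding rewrite rules, applying the
# old-content / new-content substitution to a response body. Literal, case-sensitive
# matching and application in rule creation order are assumptions of this model.

MAX_CONTENT = 256

class FilePolicy:
    def __init__(self, name):
        self.name = name
        self.rules = {}    # rule name -> (old_content, new_content), in creation order

    def rewrite_rule(self, rule_name, old_content, new_content):
        """Equivalent of: rewrite-rule NAME / old-content OLD / new-content NEW."""
        for label, text in (("old-content", old_content), ("new-content", new_content)):
            if not 1 <= len(text) <= MAX_CONTENT:
                raise ValueError(f"{label} must be 1 to {MAX_CONTENT} characters")
        for other, (old, _) in self.rules.items():
            if other != rule_name and old == old_content:
                raise ValueError(f"old-content {old_content!r} is already used by rule {other}")
        self.rules[rule_name] = (old_content, new_content)   # re-issuing a rule replaces it

    def apply(self, body):
        """Rewrite body; returns (rewritten body, occurrences replaced per rule)."""
        hits = {}
        for name, (old, new) in self.rules.items():
            hits[name] = body.count(old)
            body = body.replace(old, new)      # later rules see the output of earlier ones
        return body, hits

def cli_argument(text):
    """How a content string must be typed on the CLI: quoted when it contains spaces."""
    return f'"{text}"' if " " in text else text
```

Because later rules run over the output of earlier ones, a new-content string that happens to contain another rule's old-content is rewritten again; the uniqueness rule only prevents two rules from claiming the same old content, not this chaining, so check the hits dictionary when a rewrite produces unexpected script.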

Examples

# Specify the content to be rewritten in rewrite rule rule1 of file policy fp.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp] rewrite-rule rule1

[Sysname-sslvpn-context-ctx-file-policy-fp-rewrite-rule-rule1] old-content "a.b.c.innerHTML = d;"

Related commands

new-content

password-authentication enable

Use password-authentication enable to enable username/password authentication.

Use undo password-authentication enable to disable username/password authentication.

Syntax

password-authentication enable

undo password-authentication enable

Default

Username/password authentication is enabled for an SSL VPN context.

Views

SSL VPN context view

Predefined user roles

network-admin

Examples

# Disable username/password authentication for SSL VPN context ctx.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] undo password-authentication enable

Related commands

certificate-authentication enable

display sslvpn context

policy-group

Use policy-group to create an SSL VPN policy group and enter its view, or enter the view of an existing SSL VPN policy group.

Use undo policy-group to delete a policy group.

Syntax

policy-group group-name

undo policy-group group-name

Default

No SSL VPN policy groups exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

group-name: Specifies a name for the policy group, a case-insensitive string of 1 to 31 characters.

Usage guidelines

An SSL VPN policy group contains a set of rules for resource access authorization.

You can configure multiple SSL VPN policy groups for an SSL VPN context. When a remote user accesses the SSL VPN context, the AAA server issues the authorized policy group to the associated SSL VPN gateway. The user can access only the resources allowed by the authorized policy group. If the AAA server does not authorize the user to use a policy group, the user can access only the resources allowed by the default policy group.

Examples

# Create a policy group named pg1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1]

Related commands

default-policy-group

port-forward

Use port-forward to create a port forwarding list for an SSL VPN context and enter its view, or enter the view of an existing port forwarding list.

Use undo port-forward to delete a port forwarding list.

Syntax

port-forward port-forward-name

undo port-forward port-forward-name

Default

No port forwarding lists exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

port-forward-name: Specifies a name for the port forwarding list, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Port forwarding lists provide TCP access services for SSL VPN users.

In port forwarding list view, you can use the port-forward-item command to create port forwarding items. Each port forwarding item defines an accessible TCP service provided on an internal server.

You can assign a port forwarding list to a policy group by using the resources port-forward command. After the AAA server authorizes a user to use a policy group, the SSL VPN Web page provides the user the port forwarding list assigned to the group. The user can access the TCP services provided by the port forwarding list.

Examples

# Create port forwarding list pflist1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] port-forward pflist1

[Sysname-sslvpn-context-ctx1-port-forward-pflist1]

Related commands

local-port

resources port-forward

port-forward-item

Use port-forward-item to create a port forwarding item and enter its view, or enter the view of an existing port forwarding item.

Use undo port-forward-item to delete a port forwarding item.

Syntax

port-forward-item item-name

undo port-forward-item item-name

Default

No port forwarding items exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

item-name: Specifies a name for the port forwarding item, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A port forwarding item defines an accessible TCP service provided on an internal server. It contains the following settings:

·     A port forwarding instance.

A port forwarding instance is configured by using the local-port command. It makes an internal TCP service accessible through a local address and port number on the SSL VPN client.

·     (Optional.) A resource link.

A resource link is configured by using the execution command.

After you configure a resource link for a port forwarding item, the port forwarding item name will be displayed on the SSL VPN Web page as a link. You can click the link to access the resource directly.

Make sure the resource link matches the TCP service specified by the port forwarding instance.

After you create a port forwarding item, you can assign it to a port forwarding list by using the resources port-forward-item command.

Examples

# Create a port forwarding item named pfitem1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] port-forward-item pfitem1

[Sysname-sslvpn-context-ctx1-port-forward-item-pfitem1]

Related commands

execution

local-port

resources port-forward-item

reset counters interface sslvpn-ac

Use reset counters interface sslvpn-ac to clear SSL VPN AC interface statistics.

Syntax

reset counters interface [ sslvpn-ac [ interface-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

sslvpn-ac [ interface-number ]: Specifies an SSL VPN AC interface by its number in the range of 0 to 4095. If you do not specify this option, the command clears statistics for all interfaces. If you specify the sslvpn-ac keyword without the interface-number argument, this command clears statistics for all existing SSL VPN AC interfaces.

Usage guidelines

Use this command to clear old statistics so you can observe new traffic statistics on an SSL VPN AC interface.

Examples

# Clear statistics for SSL VPN AC 1000.

<Sysname> reset counters interface sslvpn-ac 1000

Related commands

display interface sslvpn-ac

reset sslvpn ip-tunnel statistics

Use reset sslvpn ip-tunnel statistics to clear packet statistics for IP access users.

Syntax

reset sslvpn ip-tunnel statistics [ context context-name [ session session-id ] ]

Views

User view

Predefined user roles

network-admin

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command clears packet statistics for IP access users in all SSL VPN contexts.

session session-id: Specifies a session by its ID in the range of 1 to 4294967295. If you do not specify a session, this command clears packet statistics for all IP access users in the specified SSL VPN context.

Usage guidelines

To view the SSL VPN sessions in different SSL VPN contexts, execute the display sslvpn session command.

If you do not specify any parameters, this command clears packet statistics for all IP access users in all SSL VPN contexts.

Examples

# Clear the IP access packet statistics in all SSL VPN contexts.

<Sysname> reset sslvpn ip-tunnel statistics

# Clear the IP access packet statistics in SSL VPN context ctx1.

<Sysname> reset sslvpn ip-tunnel statistics context ctx1

# Clear the IP access packet statistics of session 1 in SSL VPN context ctx1.

<Sysname> reset sslvpn ip-tunnel statistics context ctx1 session 1

Related commands

display sslvpn ip-tunnel statistics

display sslvpn session

resources port-forward

Use resources port-forward to assign a port forwarding list to an SSL VPN policy group.

Use undo resources port-forward to remove the configuration.

Syntax

resources port-forward port-forward-name

undo resources port-forward

Default

An SSL VPN policy group does not contain a port forwarding list.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

port-forward-name: Specifies the name of an existing port forwarding list. A port forwarding list name is a case-insensitive string of 1 to 31 characters.

Usage guidelines

After the AAA server authorizes a user to use a policy group, the SSL VPN Web page provides the user the port forwarding list assigned to the group. The user can access the TCP services provided by the port forwarding list.

Examples

# Assign port forwarding list pflist1 to SSL VPN policy group pg1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] resources port-forward pflist1

Related commands

local-port

port-forward

resources port-forward-item

Use resources port-forward-item to assign a port forwarding item to a port forwarding list.

Use undo resources port-forward-item to remove a port forwarding item from a port forwarding list.

Syntax

resources port-forward-item item-name

undo resources port-forward-item item-name

Default

A port forwarding list does not contain any port forwarding items.

Views

Port forwarding list view

Predefined user roles

network-admin

Parameters

item-name: Specifies a port forwarding item by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Before you assign a port forwarding item to a port forwarding list, make sure the port forwarding item has been created by using the port-forward-item command.

You can assign multiple port forwarding items to a port forwarding list.

Examples

# Create a port forwarding item named pfitem1, and then assign it to port forwarding list pflist1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] port-forward-item pfitem1

[Sysname-sslvpn-context-ctx1-port-forward-item-pfitem1] quit

[Sysname-sslvpn-context-ctx1] port-forward pflist1

[Sysname-sslvpn-context-ctx1-port-forward-pflist1] resources port-forward-item pfitem1

Related commands

port-forward-item

resources shortcut

Use resources shortcut to assign a shortcut to a shortcut list.

Use undo resources shortcut to remove a shortcut from a shortcut list.

Syntax

resources shortcut shortcut-name

undo resources shortcut shortcut-name

Default

A shortcut list does not contain any shortcuts.

Views

Shortcut list view

Predefined user roles

network-admin

Parameters

shortcut-name: Specifies a shortcut by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can assign multiple shortcuts to a shortcut list.

Examples

# Assign shortcut shortcut1 to shortcut list list1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] shortcut shortcut1

[Sysname-sslvpn-context-ctx1-shortcut-shortcut1] quit

[Sysname-sslvpn-context-ctx1] shortcut-list list1

[Sysname-sslvpn-context-ctx1-shortcut-list-list1] resources shortcut shortcut1

resources shortcut-list

Use resources shortcut-list to assign a shortcut list to an SSL VPN policy group.

Use undo resources shortcut-list to restore the default.

Syntax

resources shortcut-list list-name

undo resources shortcut-list

Default

An SSL VPN policy group does not contain a shortcut list.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

list-name: Specifies a shortcut list by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can assign only one shortcut list to an SSL VPN policy group. After the AAA server authorizes a user to use a policy group, the SSL VPN Web page provides the user the shortcut list assigned to the group. The user can click a shortcut to access the associated resource.

If you execute this command for an SSL VPN policy group multiple times, the most recent configuration takes effect.

Examples

# Assign shortcut list list1 to SSL VPN policy group pg1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] shortcut-list list1

[Sysname-sslvpn-context-ctx1-shortcut-list-list1] quit

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] resources shortcut-list list1

resources snat-pool

Use resources snat-pool to specify a SNAT address pool for an SSL VPN context.

Use undo resources snat-pool to remove the configuration.

Syntax

resources snat-pool snat-pool-name

undo resources snat-pool

Default

No SNAT address pool is specified for an SSL VPN context.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

snat-pool-name: Specifies a SNAT address pool by its name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_). The specified SNAT address pool must have been created.

Usage guidelines

After a SNAT address pool is specified for an SSL VPN context, address management entries and OpenFlow flow entries are issued to the VPN instance associated with the SSL VPN context.

Examples

# Specify SNAT address pool spool for context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] resources snat-pool spool

resources uri-acl

Use resources uri-acl to specify a URI ACL for URL resource filtering in a URL item.

Use undo resources uri-acl to remove the URI ACL configuration from a URL item.

Syntax

resources uri-acl uri-acl-name

undo resources uri-acl

Default

No URI ACL is specified for URL resource filtering in a URL item.

Views

URL item view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.

Usage guidelines

The specified URI ACL will be used to filter the accessible resources under the URL specified in the URL item.

Examples

# Specify URI ACL abc in URL item serverA.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] url-item serverA

[Sysname-sslvpn-context-ctx1-url-item-serverA] resources uri-acl abc

Related commands

uri-acl

resources url-item

Use resources url-item to assign a URL item to a URL list.

Use undo resources url-item to remove a URL item from a URL list.

Syntax

resources url-item url-item-name

undo resources url-item url-item-name

Default

A URL list does not contain any URL items.

Views

URL list view

Predefined user roles

network-admin

Parameters

url-item-name: Specifies a URL item by its name, a case-insensitive string of 1 to 31 characters. The specified URL item must already exist.

Usage guidelines

You can assign multiple URL items to a URL list.

Examples

# Assign URL item serverA to URL list list1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] url-list list1

[Sysname-sslvpn-context-ctx1-url-list-list1] resources url-item serverA

Related commands

url-item

resources url-list

Use resources url-list to assign a URL list to an SSL VPN policy group.

Use undo resources url-list to remove the configuration.

Syntax

resources url-list url-list-name

undo resources url-list url-list-name

Default

An SSL VPN policy group does not contain a URL list.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

url-list-name: Specifies an existing URL list by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

In Web access mode, a remote user can use a Web browser to access URL resources in the URL list assigned to the authorized SSL VPN policy group.

Examples

# Assign URL list url1 to SSL VPN policy group pg1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] resources url-list url1

Related commands

policy-group

sslvpn context

url-list

rewrite-rule

Use rewrite-rule to create a rewrite rule and enter its view, or enter the view of an existing rewrite rule.

Use undo rewrite-rule to delete a rewrite rule.

Syntax

rewrite-rule rule-name

undo rewrite-rule rule-name

Default

No rewrite rules exist.

Views

File policy view

Predefined user roles

network-admin

Parameters

rule-name: Specifies a rule name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can configure multiple rewrite rules in a file policy.

Examples

# Create a rewrite rule named rule1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp] rewrite-rule rule1

[Sysname-sslvpn-context-ctx-file-policy-fp-rewrite-rule-rule1]

rule

Use rule to create a rule for a URI ACL.

Use undo rule to remove a rule from a URI ACL.

Syntax

rule [ rule-id ] { deny | permit } uri uri-pattern-string

undo rule rule-id

Default

No rules exist in a URI ACL.

Views

URI ACL view

Predefined user roles

network-admin

Parameters

deny: Denies matching packets.

permit: Permits matching packets.

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. The numbering step is 5 for automatic numbering of rule IDs. An automatically assigned rule ID takes the nearest multiple of 5 higher than the current highest rule ID. For example, if the current highest rule ID is 28, the rule is numbered 30.

uri uri-pattern-string: Specifies a URI pattern. The URI pattern can contain a maximum of 256 characters in the format of protocol://host:port/path, where protocol and host are required. See Table 12 for descriptions of the fields in a URI pattern.

Table 12 URI field descriptions

Field

Description

protocol

Protocol name. Options are:

·     http.

·     https.

·     tcp.

·     udp.

·     icmp.

·     ip.

host

Domain name or address of a host.

·     Valid host address formats:

¡     IPv4 or IPv6 address. For example, 192.168.1.1.

¡     IPv4 or IPv6 address range in the format of start address-end address. For example, 3.3.3.1-3.3.3.200.

¡     IPv4 address with a mask length or IPv6 address with a prefix length. For example 2.2.2.2/24.

¡     A combination of the preceding host address formats separated by comma (,). For example, 192.168.1.1,3.3.3.1-3.3.3.200,2.2.2.2/24.

·     Valid domain name formats:

¡     Fully qualified domain name. For example, www.domain.com

¡     Domain name with the following wildcard characters:
Asterisk (*)—Matches zero or more characters. For example, *.com.
Question mark (?)—Matches one character. For example, www.do?main.com.
Percent sign (%)—Matches one or more characters in a field of the domain name. For example, www.%.com.

port

Port number. If no port number is specified, the default port number of the protocol is used.

Valid formats for this field:

·     Single port number. For example, 1002.

·     Port number range in the format of start port-end port. For example, 8080-8088.

·     A combination of the preceding formats separated by commas (,). For example, 1002,90,8080-8088.

path

String that identifies a directory or file on the host. The path is a sequence of fields separated by forward or backward slashes.

The following wildcard characters are supported:

·     Asterisk (*)—Matches zero or more characters. For example, /path1/*.

·     Question mark (?)—Matches one character. For example, /path?/.

·     Percent sign (%)—Matches one or more characters in a field of the path. For example, /path1/%/.

 

Usage guidelines

You can add multiple rules to a URI ACL. The device matches a packet against the rules in ascending order of rule ID. The match process stops once a matching rule is found.

Examples

# Add a rule to URI ACL uriacla.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] uri-acl uriacla

[Sysname-sslvpn-context-abc-uri-acl-uriacla] rule 1 permit uri
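The following is an added example, not H3C code and not part of the original reference. It implements a matcher for the URI pattern format of Table 12 (protocol, comma-separated host addresses, ranges and masks, wildcarded domain names, port lists and ranges, wildcarded paths) together with the rule-ID auto-numbering and ascending first-match order described in this command's parameters and usage guidelines, so that a candidate ACL can be checked against sample requests before it is deployed. Assumptions of the model: the first auto-numbered rule gets ID 0; http and https default to ports 80 and 443 while tcp, udp, icmp and ip patterns without a port match any port; a pattern without a path matches any path; a request matching no rule returns None because the reference does not state the implicit action; only IPv4 and domain-name hosts are handled.

```python
import ipaddress
import re

# Added example, not H3C code: matcher for the URI ACL rule format of Table 12 with
# the rule-ID auto-numbering and first-match semantics of the 'rule' command.
# Assumptions: first auto-numbered rule is ID 0; http/https default to 80/443 and
# other protocols without a port match any port; no path means any path; no matching
# rule returns None; only IPv4 and domain-name hosts are supported.

PROTOCOLS = {"http", "https", "tcp", "udp", "icmp", "ip"}
DEFAULT_PORT = {"http": 80, "https": 443}
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_PIECE = "(?:" + _IP + r"/\d{1,2}|" + _IP + "-" + _IP + r"|[A-Za-z0-9_.\-*?%]+)"
_PATTERN = re.compile("^(?P<proto>[A-Za-z]+)://(?P<host>" + _PIECE + "(?:," + _PIECE + ")*)"
                      r"(?::(?P<port>\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*))?(?P<path>/.*)?$")

def _is_ip(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False

def _wild(pattern, sep, flags=0):
    """Translate * (zero or more), ? (one) and % (one or more within a field) to a regex."""
    out = ""
    for ch in pattern:
        out += {"*": ".*", "?": ".", "%": "[^" + re.escape(sep) + "]+"}.get(ch, re.escape(ch))
    return re.compile("^" + out + "$", flags)

def _host_matcher(field):
    checks = []
    for piece in field.split(","):
        if "/" in piece:                                   # address with mask length
            net = ipaddress.IPv4Network(piece, strict=False)
            checks.append(lambda h, n=net: _is_ip(h) and ipaddress.IPv4Address(h) in n)
        elif re.fullmatch(_IP + "-" + _IP, piece):         # start address-end address
            lo, hi = (ipaddress.IPv4Address(p) for p in piece.split("-"))
            checks.append(lambda h, lo=lo, hi=hi: _is_ip(h) and lo <= ipaddress.IPv4Address(h) <= hi)
        elif _is_ip(piece):                                # single address
            ip = ipaddress.IPv4Address(piece)
            checks.append(lambda h, ip=ip: _is_ip(h) and ipaddress.IPv4Address(h) == ip)
        else:                                              # domain name, possibly wildcarded
            rx = _wild(piece, ".", re.IGNORECASE)
            checks.append(lambda h, rx=rx: not _is_ip(h) and rx.match(h) is not None)
    return lambda h: any(c(h) for c in checks)

def _port_matcher(field, proto):
    if field is None:
        dflt = DEFAULT_PORT.get(proto)
        return (lambda p: True) if dflt is None else (lambda p: p == dflt)
    ranges = [(int(a), int(b or a)) for a, _, b in (x.partition("-") for x in field.split(","))]
    return lambda p: any(lo <= p <= hi for lo, hi in ranges)

def parse_uri_pattern(text):
    if len(text) > 256:
        raise ValueError("URI pattern exceeds 256 characters")
    m = _PATTERN.match(text.replace("\\", "/"))            # paths may use either slash
    if not m or m["proto"].lower() not in PROTOCOLS:
        raise ValueError(f"not a valid URI pattern: {text!r}")
    proto = m["proto"].lower()
    return {"protocol": proto, "host": _host_matcher(m["host"]),
            "port": _port_matcher(m["port"], proto),
            "path": _wild(m["path"], "/") if m["path"] else None}

class UriAcl:
    def __init__(self, name):
        self.name, self.rules = name, {}   # rule ID -> (action, pattern text, compiled)

    def rule(self, action, uri, rule_id=None):
        """rule [rule-id] { deny | permit } uri uri-pattern-string; returns the rule ID."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:   # nearest multiple of 5 above the current highest ID
            rule_id = 0 if not self.rules else (max(self.rules) // 5 + 1) * 5
        if not 0 <= rule_id <= 65534:
            raise ValueError("rule ID must be 0 to 65534")
        self.rules[rule_id] = (action, uri, parse_uri_pattern(uri))
        return rule_id

    def undo_rule(self, rule_id):
        del self.rules[rule_id]

    def match(self, proto, host, port, path="/"):
        """First matching rule in ascending rule-ID order as (action, rule ID), or None."""
        proto, host, path = proto.lower(), host.lower(), path.replace("\\", "/")
        for rule_id in sorted(self.rules):
            action, _, pat = self.rules[rule_id]
            if (pat["protocol"] == proto and pat["host"](host) and pat["port"](port)
                    and (pat["path"] is None or pat["path"].match(path))):
                return action, rule_id
        return None
```

Two properties worth checking with this model before trusting an ACL: a domain-name pattern never matches a request made by IP address (and vice versa), so a permit for *.example.com does not cover the same server reached as 10.1.1.5; and * crosses path separators while % does not, so /admin/%/ stops at one directory level but /admin/* does not.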

service enable (SSL VPN context view)

Use service enable to enable an SSL VPN context.

Use undo service enable to disable an SSL VPN context.

Syntax

service enable

undo service enable

Default

An SSL VPN context is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Examples

# Enable SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] service enable

Related commands

display sslvpn context

service enable (SSL VPN gateway view)

Use service enable to enable an SSL VPN gateway.

Use undo service enable to disable an SSL VPN gateway.

Syntax

service enable

undo service enable

Default

An SSL VPN gateway is disabled.

Views

SSL VPN gateway view

Predefined user roles

network-admin

Examples

# Enable SSL VPN gateway gw1.

<Sysname> system-view

[Sysname] sslvpn gateway gw1

[Sysname-sslvpn-gateway-gw1] service enable

Related commands

display sslvpn gateway

session-connections

Use session-connections to set the maximum number of connections allowed per session.

Use undo session-connections to restore the default.

Syntax

session-connections number

undo session-connections

Default

A maximum of 64 connections are allowed per session.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of connections allowed per session. The value can be 0 or in the range of 10 to 1000. Value 0 indicates that the number of connections per session is not limited.

Usage guidelines

If the number of connections in a session has reached the maximum, new connection requests for the session will be rejected with a 503 Service Unavailable message.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the maximum number of connections allowed per session to 10.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] session-connections 10

shortcut

Use shortcut to create a shortcut and enter its view, or enter the view of an existing shortcut.

Use undo shortcut to delete a shortcut.

Syntax

shortcut shortcut-name

undo shortcut shortcut-name

Default

No shortcuts exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

shortcut-name: Specifies a shortcut name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

After you create a shortcut, use the execution command to configure a resource link for it. Users can then click the shortcut name on the SSL VPN Web page to access the associated resource.

Examples

# Create a shortcut named shortcut1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] shortcut shortcut1

[Sysname-sslvpn-context-ctx1-shortcut-shortcut1]

shortcut-list

Use shortcut-list to create a shortcut list and enter its view, or enter the view of an existing shortcut list.

Use undo shortcut-list to delete a shortcut list.

Syntax

shortcut-list list-name

undo shortcut-list list-name

Default

No shortcut lists exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

list-name: Specifies a name for the shortcut list, a case-insensitive string of 1 to 31 characters.

Examples

# Create a shortcut list named list1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] shortcut-list list1

[Sysname-sslvpn-context-ctx1-shortcut-list-list1]

shutdown

Use shutdown to shut down an SSL VPN AC interface.

Use undo shutdown to bring up an SSL VPN AC interface.

Syntax

shutdown

undo shutdown

Default

An SSL VPN AC interface is up.

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Examples

# Shut down SSL VPN AC 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] shutdown

sms-imc address

Use sms-imc address to specify an IMC server for SMS message verification.

Use undo sms-imc address to restore the default.

Syntax

sms-imc address ip-address port port-number [ vpn-instance vpn-instance-name ]

undo sms-imc address

Default

No IMC server is specified for SMS message verification.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of the IMC server, in dotted decimal notation.

port port-number: Specifies the port number of the IMC server, in the range of 1 to 65535.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IMC server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. Do not specify this option if the IMC server is on the public network.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify an IMC server (with IP address 192.168.10.1 and port 2000) in VPN instance vpn1 for SMS message verification of users in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] sms-imc address 192.168.10.1 port 2000 vpn-instance vpn1

Related commands

sms-imc enable

sms-imc enable

Use sms-imc enable to enable IMC SMS message verification.

Use undo sms-imc enable to disable IMC SMS message verification.

Syntax

sms-imc enable

undo sms-imc enable

Default

IMC SMS message verification is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

Before you execute this command, make sure SMS message verification has been configured on the IMC server.

In Web or IP access mode, the authentication process for an SSL VPN user is as follows:

1.     The SSL VPN gateway obtains the verification code request from the user's login request and sends the verification code request to the IMC server.

2.     The IMC server sends a verification code to the user through an SMS message.

3.     The user enters the username, password, and the received verification code on the login page to pass authentication through the IMC server.

Examples

# Enable IMC SMS message verification.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] sms-imc enable

Related commands

sms-imc address

ssl client-policy

Use ssl client-policy to apply an SSL client policy to an SSL VPN context.

Use undo ssl client-policy to restore the default.

Syntax

ssl client-policy policy-name

undo ssl client-policy

Default

The default SSL client policy for SSL VPN is used. This policy supports the dhe_rsa_aes_128_cbc_sha, dhe_rsa_aes_256_cbc_sha, rsa_3des_ede_cbc_sha, rsa_aes_128_cbc_sha, and rsa_aes_256_cbc_sha cipher suites.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can apply only one SSL client policy to an SSL VPN context. For the applied SSL client policy to take effect, you must enable the SSL VPN context by using the service enable command. The SSL VPN gateway will use the parameters defined by the policy to establish SSL connections to HTTPS servers.

If you execute this command multiple times, the new configuration overwrites the previous configuration, but does not take effect. For the new configuration to take effect, disable the SSL VPN context and then re-enable it.

For information about configuring SSL client policies, see Security Configuration Guide.

Examples

# Apply SSL client policy abc to SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ssl client-policy abc

ssl server-policy

Use ssl server-policy to apply an SSL server policy to an SSL VPN gateway.

Use undo ssl server-policy to remove the application.

Syntax

ssl server-policy policy-name

undo ssl server-policy

Default

An SSL VPN gateway uses the SSL server policy of its self-signed certificate.

Views

SSL VPN gateway view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the name of an SSL server policy, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can apply only one SSL server policy to an SSL VPN gateway. For the applied SSL server policy to take effect, you must enable the SSL VPN gateway by using the service enable command. The SSL VPN gateway will use the parameters defined by the policy to establish SSL connections to remote users.

If you execute this command multiple times, the new configuration overwrites the previous configuration but does not take effect. For the new configuration to take effect, disable the SSL VPN gateway and then enable the SSL VPN gateway. To disable and enable an SSL VPN gateway, use the undo service enable and service enable commands.

After you modify the content of the SSL server policy applied to an SSL VPN gateway, you must disable and then re-enable the gateway to validate the policy. To disable and enable an SSL VPN gateway, use the undo service enable and service enable commands.

Examples

# Apply SSL server policy CA_CERT to SSL VPN gateway gw1.

<Sysname> system-view

[Sysname] sslvpn gateway gw1

[Sysname-sslvpn-gateway-gw1] ssl server-policy CA_CERT

Related commands

display sslvpn gateway

sslvpn context

Use sslvpn context to create an SSL VPN context and enter its view, or enter the view of an existing SSL VPN context.

Use undo sslvpn context to delete an SSL VPN context.

Syntax

sslvpn context context-name

undo sslvpn context context-name

Default

No SSL VPN contexts exist.

Views

System view

Predefined user roles

network-admin

Parameters

context-name: Specifies an SSL VPN context name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).

Usage guidelines

SSL VPN contexts contain different user sessions, accessible resources, and user authentication methods.

An SSL VPN gateway can be associated with multiple SSL VPN contexts. After a remote user logs in to an SSL VPN gateway, the user can access only the resources in the SSL VPN context to which the user belongs.

Examples

# Create an SSL VPN context named ctx1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1]

Related commands

display sslvpn context

sslvpn gateway

Use sslvpn gateway to create an SSL VPN gateway and enter its view, or enter the view of an existing SSL VPN gateway.

Use undo sslvpn gateway to delete an SSL VPN gateway.

Syntax

sslvpn gateway gateway-name

undo sslvpn gateway gateway-name

Default

No SSL VPN gateways exist.

Views

System view

Predefined user roles

network-admin

Parameters

gateway-name: Specifies an SSL VPN gateway name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).

Usage guidelines

An SSL VPN gateway resides between remote users and the enterprise network to ensure secure access of remote users to the enterprise internal network. The SSL VPN gateway establishes an SSL connection to a remote user, and then authenticates the user before allowing the user to access an internal server.

You must perform the following tasks in the view of an SSL VPN gateway:

·     Execute the ip address command to configure an IP address and a port number for the SSL VPN gateway.

·     Execute the ssl server-policy command to apply an SSL server policy to the SSL VPN gateway.

·     Execute the service enable command to enable the SSL VPN gateway.

You cannot delete an SSL VPN gateway that has been associated with an SSL VPN context. To delete the SSL VPN gateway, execute the undo gateway command to remove the association and then execute the undo sslvpn gateway command.

Examples

# Create an SSL VPN gateway named gw1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn gateway gw1

[Sysname-sslvpn-gateway-gw1]

Related commands

display sslvpn gateway

sslvpn ip address-pool

Use sslvpn ip address-pool to create an address pool.

Use undo sslvpn ip address-pool to delete an address pool.

Syntax

sslvpn ip address-pool pool-name start-ip-address end-ip-address

undo sslvpn ip address-pool pool-name

Default

No address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

pool-name: Specifies a name for the address pool, a case-insensitive string of 1 to 31 characters.

start-ip-address end-ip-address: Specifies the start IP address and end IP address for the pool. The end IP address must be greater than the start IP address. The start IP address and end IP address cannot be a multicast, broadcast, or loopback address.

Usage guidelines

An SSL VPN gateway uses address pools to assign IP addresses to IP access clients.

To specify an address pool for a policy group, you must first create the address pool by using this command.

Examples

# Create an address pool named pool1 and specify the address range as 10.1.1.1 to 10.1.1.254.

<Sysname> system-view

[Sysname] sslvpn ip address-pool pool1 10.1.1.1 10.1.1.254

sslvpn log enable

Use sslvpn log enable to enable the SSL VPN global logging feature.

Use undo sslvpn log enable to disable the SSL VPN global logging feature.

Syntax

sslvpn log enable

undo sslvpn log enable

Default

The SSL VPN global logging feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature logs the following global events:

·     SSL VPN access failures caused by SSL VPN contexts that are not associated with a gateway.

·     SSL VPN access failures caused by SSL VPN contexts that are not enabled.

The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable the SSL VPN global logging feature.

<Sysname> system-view

[Sysname] sslvpn log enable

sslvpn snat-pool

Use sslvpn snat-pool to create a SNAT address pool and enter its view.

Use undo sslvpn snat-pool to delete a SNAT address pool.

Syntax

sslvpn snat-pool pool-name

undo sslvpn snat-pool pool-name

Default

No SNAT address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

pool-name: Specifies the SNAT address pool name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).

Usage guidelines

After you create a SNAT address pool, you can specify an address range for the pool.

SNAT address pools are used for the SSL VPN gateway to direct traffic to corresponding security engines for processing.

The SSL VPN gateway assigns addresses in the pools to security engines and uses the addresses to generate route entries and OpenFlow flow entries.

When the TCP or Web access service establishes a connection to a remote server, the SSL VPN gateway associates the security engine of the service with an assigned address. The SSL VPN gateway uses this address as the source address of the request sent to the server. The server uses this address as the destination address of the reply packet sent to the gateway.

After receiving the reply packet from the server, the SSL VPN gateway uses the destination address to find a matching OpenFlow flow entry and route entry. The SSL VPN gateway uses the matching entries to find the corresponding security engine and forward the packet of the server to that security engine for processing.

Examples

# Create SNAT address pool spool1 and enter SNAT address pool view.

<Sysname> system-view

[Sysname] sslvpn snat-pool spool1

[Sysname-sslvpn-snatpool-spool1]

timeout idle

Use timeout idle to set the idle timeout timer for SSL VPN sessions.

Use undo timeout idle to restore the default.

Syntax

timeout idle minutes

undo timeout idle

Default

The idle timeout timer is 30 minutes for SSL VPN sessions.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

minutes: Specifies the idle timeout timer in the range of 1 to 1440 minutes.

Usage guidelines

If the idle time of an SSL VPN session exceeds the specified idle timeout time, the session is terminated.

Examples

# Set the idle timeout timer to 50 minutes for SSL VPN sessions.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] timeout idle 50

Related commands

display sslvpn policy-group

title

Use title to configure a title to be displayed on SSL VPN webpages.

Use undo title to restore the default.

Syntax

title { chinese chinese-title | english english-title }

undo title { chinese | english }

Default

The title is SSL VPN.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

chinese chinese-title: Configures a title in Chinese, a case-sensitive string of 1 to 255 characters.

english english-title: Configures a title in English, a case-sensitive string of 1 to 255 characters.

Examples

# Configure the title as SSL VPN service for company A.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] title english SSL VPN service for company A

uri-acl

Use uri-acl to create a URI ACL and enter its view, or enter the view of an existing URI ACL.

Use undo uri-acl to delete a URI ACL.

Syntax

uri-acl uri-acl-name

undo uri-acl uri-acl-name

Default

No URI ACLs exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a name for the URI ACL, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A URI ACL is a set of rules that permit or deny access to resources. You can use URI ACLs for IP, TCP, and Web access filtering of SSL VPN users.

You can create multiple URI ACLs in an SSL VPN context.

Examples

# Create a URI ACL named uriacla and enter its view.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] uri-acl uriacla

[Sysname-sslvpn-context-abc-uri-acl-uriacla]

url (file policy view)

Use url to specify the URL of the Web page file to be rewritten in a file policy.

Use undo url to restore the default.

Syntax

url url

undo url

Default

No file URL is specified in a file policy.

Views

File policy view

Predefined user roles

network-admin

Parameters

url: Specifies the complete file path, a case-insensitive string of 1 to 256 characters.

Usage guidelines

A file policy can be used to modify only the Web page file whose URL is the same as the URL configured in the policy.

A file URL is in the format of scheme://user:password@host:port/path. Table 13 describes the fields in the file URL.

Table 13 URL field descriptions

scheme: Protocol type. Options include http and https.

user:password: Username and password used to access the file.

host: Host name or IP address of the server where the file resides. To specify an IPv6 address, enclose the IPv6 address in brackets. For example, http://[1234::5678]:8080/a.html.

port: Port number on which the server listens for resource access requests. If you do not specify a port number, the default port number of the protocol is used, which is 80 for HTTP and 443 for HTTPS.

path: Local path of the file on the server.

You can specify only one file URL in a file policy. In the same SSL VPN context, the URL specified for each file policy must be unique.

Examples

# Specify a file URL for file policy fp.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp] url http://192.168.1.1:8080/js/test.js

url (URL item view)

Use url to specify a URL in a URL item.

Use undo url to remove the URL from a URL item.

Syntax

url url

undo url

Default

No URL is specified in a URL item.

Views

URL item view

Predefined user roles

network-admin

Parameters

url: Specifies a URL, a case-insensitive string of 1 to 253 characters in the format of protocol://host:port/path.

Usage guidelines

Table 14 describes the fields in a URL.

Table 14 URL field descriptions

protocol: Protocol name. Options are http and https. If you do not specify a protocol name, the default protocol (HTTP) is used.

host: Domain name or IP address of a host. To specify an IPv6 address, enclose the IPv6 address in brackets. For example, http://[1234::5678]:8080.

port: Port number. If you do not specify a port number, the default port number of the protocol is used, which is 80 for HTTP and 443 for HTTPS.

path: Path to the resource on the host.

You can specify only one URL in a URL item. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify www.abc.com as the URL in URL item serverA.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] url-item serverA

[Sysname-sslvpn-context-ctx1-url-item-serverA] url www.abc.com
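A parser for the URL formats given in Table 13 (file policy: scheme://user:password@host:port/path) and Table 14 (URL item: protocol://host:port/path, protocol defaulting to HTTP), as an added Python example that is not part of the H3C reference or the device software. It applies the default ports the tables state, handles bracketed IPv6 literals, rejects schemes other than http and https, and checks the uniqueness requirement for file policy URLs in a context. Assumptions: a missing path is normalised to "/", and duplicate detection compares the canonical form (defaults applied, case folded) rather than the literal string, which the reference does not specify; the sample URLs with credentials are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Default port per scheme, as stated in the URL field tables.
DEFAULT_PORTS = {"http": 80, "https": 443}

# scheme://user:password@host:port/path, with scheme://, user:password@, :port and /path optional.
URL_RE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?"   # scheme://
    r"(?:(?P<user>[^:@/]*):(?P<password>[^@/]*)@)?"   # user:password@
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^:/\[\]@]+)"        # host; IPv6 literals are bracketed
    r"(?::(?P<port>\d{1,5}))?"                        # :port
    r"(?P<path>/.*)?$"                                # /path
)


@dataclass(frozen=True)
class ResourceUrl:
    scheme: str
    host: str
    port: int
    path: str
    user: Optional[str] = None
    password: Optional[str] = None

    def canonical(self) -> str:
        """Comparable form with defaults applied (assumption); credentials are deliberately left out."""
        host = f"[{self.host}]" if ":" in self.host else self.host
        return f"{self.scheme}://{host}:{self.port}{self.path}".lower()


def parse_resource_url(url: str, require_scheme: bool = False) -> ResourceUrl:
    """Parse a file policy URL (require_scheme=True, Table 13) or a URL item URL (Table 14)."""
    m = URL_RE.match(url.strip())
    if not m:
        raise ValueError(f"malformed URL: {url!r}")
    scheme = (m.group("scheme") or "").lower()
    if not scheme:
        if require_scheme:
            raise ValueError("file policy URLs must start with http:// or https://")
        scheme = "http"  # Table 14: HTTP is the default protocol
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}: only http and https are allowed")
    host = m.group("host")
    if host.startswith("["):
        host = host[1:-1]  # strip the IPv6 brackets
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1 to 65535")
    path = m.group("path") or "/"  # assumption: no path means the root
    return ResourceUrl(scheme, host.lower(), port, path, m.group("user"), m.group("password"))


def is_valid_resource_url(url: str, require_scheme: bool = False) -> bool:
    try:
        parse_resource_url(url, require_scheme)
        return True
    except ValueError:
        return False


def duplicate_file_policy_urls(urls: List[str]) -> List[str]:
    """Canonical forms that occur more than once among the file policy URLs of one context."""
    seen, dups = set(), []
    for u in urls:
        c = parse_resource_url(u, require_scheme=True).canonical()
        if c in seen and c not in dups:
            dups.append(c)
        seen.add(c)
    return dups


if __name__ == "__main__":
    for sample in ("http://[1234::5678]:8080/a.html", "www.abc.com",
                   "https://admin:s3cret@192.168.1.1/js/test.js"):  # constructed samples
        print(sample, "->", parse_resource_url(sample))
```

Keeping credentials out of the canonical form matters for two reasons: a file policy URL that embeds user:password is compared on where the file lives, not on who fetches it, and the canonical string is safe to write to logs.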

url-item

Use url-item to create a URL item and enter its view, or enter the view of an existing URL item.

Use undo url-item to delete a URL item.

Syntax

url-item url-item-name

undo url-item url-item-name

Default

No URL items exist in an SSL VPN context.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

url-item-name: Specifies a name for the URL item, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can create multiple URL items in an SSL VPN context. Each URL item contains an accessible resource URL and can be assigned to a URL list in the SSL VPN context.

A URL item that has been assigned to a URL list cannot be deleted.

Examples

# Create a URL item named serverA and enter URL item view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] url-item serverA

[Sysname-sslvpn-context-ctx1-url-item-serverA]

url-list

Use url-list to create a URL list and enter its view, or enter the view of an existing URL list.

Use undo url-list to delete a URL list.

Syntax

url-list name

undo url-list name

Default

No URL lists exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

name: Specifies a name for the URL list, a case-insensitive string of 1 to 31 characters.

Examples

# Create a URL list named url1 and enter URL list view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] url-list url1

[Sysname-sslvpn-context-ctx1-url-list-url1]

Related commands

sslvpn context

url-mapping

Use url-mapping to configure URL mapping in a URL item.

Use undo url-mapping to restore the default.

Syntax

url-mapping { domain-mapping domain-name | port-mapping gateway gateway-name [ virtual-host virtual-host-name ] } [ rewrite-enable ]

undo url-mapping

Default

The normal mapping method is used.

Views

URL item view

Predefined user roles

network-admin

Parameters

domain-mapping domain-name: Specifies the domain name mapping method. This method maps the URL to a domain name, a case-insensitive string of 1 to 127 characters which can contain letters, digits, underscores (_), hyphens (-), and dots (.). The specified domain cannot be the same as the domain name of the SSL VPN gateway.

port-mapping gateway gateway-name: Specifies the port mapping method. This method maps the URL to a gateway name and an optional virtual host name. The gateway-name argument specifies the gateway name, a case-insensitive string of 1 to 31 characters which can contain letters, digits, and underscores (_). The specified SSL VPN gateway name must be the name of an existing SSL VPN gateway.

virtual-host virtual-host-name: Specifies the virtual host name, a case-insensitive string of 1 to 127 characters which can contain letters, digits, underscores (_), hyphens (-), and dots (.). Do not specify a virtual host name if you want to use the SSL VPN gateway exclusively for the URL item.

rewrite-enable: Enables the SSL VPN gateway to rewrite all the accessible URLs in the resource access response according to their respective URL mapping configuration. By default, the SSL VPN gateway does not rewrite other URLs in the response packet of the currently requested URL. Enable this rewriting feature as a best practice.

Usage guidelines

The SSL VPN gateway rewrites the resource URLs in resource access responses that contain HTML, CSS, or JS files before sending the URLs to the requesting users. By default, the normal mapping method is used for the URL rewriting. You can also configure the SSL VPN gateway to use the domain mapping or port mapping method.

Normal mapping might cause problems such as missed URL rewriting and rewriting errors, resulting in SSL VPN clients not being able to access the internal resources. Use domain mapping or port mapping as a best practice. For more information about these mapping methods, see SSL VPN configuration in Security Configuration Guide.

When configuring the domain mapping method, make sure the SSL VPN client can resolve the mapped domain name (through DNS or the Hosts file) into the IP address of the SSL VPN gateway.

When configuring the port mapping method, you can specify an SSL VPN gateway exclusively for a URL item by specifying the gateway name without a virtual host name. To share an SSL VPN gateway with other URL items or SSL VPN contexts, specify the SSL VPN gateway name together with a virtual host name.

If you execute this command for a URL item multiple times, the most recent configuration takes effect.
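The rewriting scope controlled by rewrite-enable, as an added Python example that is not part of the H3C reference or the device software: links that belong to the requested URL item are always rewritten, and with rewrite-enable the links of every other URL item in the context are rewritten according to their own mapping. Assumptions: rewritten links use https and point at the mapped domain name, at the virtual host name (which the client must resolve to the gateway) or at the gateway's listening address from a constructed gateway table; the normal mapping method is not modelled and items using it are left untouched; only href, src and action attributes are scanned; the item names, hosts and HTML are constructed.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed gateway table: gateway name -> address:port it listens on (assumption for the example).
GATEWAYS: Dict[str, str] = {"gw1": "203.0.113.10:443"}


@dataclass(frozen=True)
class UrlItem:
    name: str
    resource_host: str                    # host of the 'url' command, e.g. www.server.com
    mapping: Optional[Tuple] = None       # ("domain", name) | ("port", gateway, vhost-or-None) | None
    rewrite_enable: bool = False

    def mapped_origin(self) -> Optional[str]:
        """Origin that replaces http(s)://resource_host in rewritten links; None = normal mapping."""
        if self.mapping is None:
            return None
        if self.mapping[0] == "domain":
            return f"https://{self.mapping[1]}"
        if self.mapping[0] == "port":
            _, gateway, vhost = self.mapping
            return f"https://{vhost}" if vhost else f"https://{GATEWAYS[gateway]}"
        raise ValueError(f"unknown mapping method {self.mapping[0]!r}")


ATTR_URL_RE = re.compile(r'(?P<attr>\b(?:href|src|action)=")(?P<url>[^"]+)(?P<close>")', re.IGNORECASE)
URL_PARTS_RE = re.compile(r"^(https?)://([^/:]+)(?::\d+)?(/.*)?$", re.IGNORECASE)


def rewrite_url(url: str, origin_by_host: Dict[str, str]) -> str:
    """Replace scheme://host[:port] by the mapped origin; relative links and other schemes stay as they are."""
    m = URL_PARTS_RE.match(url)
    if not m:
        return url
    origin = origin_by_host.get(m.group(2).lower())
    return url if origin is None else origin + (m.group(3) or "/")


def rewrite_response(body: str, requested: str, items: Dict[str, UrlItem]) -> str:
    """Rewrite links in an HTML response for the URL item 'requested'."""
    current = items[requested]
    # Without rewrite-enable only the requested item's links are rewritten; with it, every item's.
    scope = list(items.values()) if current.rewrite_enable else [current]
    origin_by_host = {it.resource_host.lower(): it.mapped_origin() for it in scope if it.mapped_origin()}
    return ATTR_URL_RE.sub(
        lambda m: m.group("attr") + rewrite_url(m.group("url"), origin_by_host) + m.group("close"),
        body,
    )


# Constructed context: three URL items and a response body that links to all three hosts.
ITEMS: Dict[str, UrlItem] = {
    "serverA": UrlItem("serverA", "www.server.com", ("domain", "www.domain.com")),
    "serverB": UrlItem("serverB", "www.other.com", ("port", "gw1", "host1")),
    "serverC": UrlItem("serverC", "files.example", ("port", "gw1", None)),
}
ITEMS_REWRITE_ALL = dict(ITEMS, serverA=replace(ITEMS["serverA"], rewrite_enable=True))
BODY = ('<a href="http://www.server.com/app/index.html">app</a>'
        '<img src="http://www.other.com/logo.png">'
        '<a href="http://files.example:8080/x.pdf">x</a>')

if __name__ == "__main__":
    print(rewrite_response(BODY, "serverA", ITEMS))
    print(rewrite_response(BODY, "serverA", ITEMS_REWRITE_ALL))
```

The second run shows why the reference recommends rewrite-enable: a page served through serverA that links to www.other.com would otherwise hand the client a link that bypasses the gateway and fails from outside the intranet.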

Examples

# Create URL item serverA and specify www.server.com as the resource URL. Map the resource URL to domain name www.domain.com and enable URL rewriting.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] url-item serverA

[Sysname-sslvpn-context-ctx1-url-item-serverA] url www.server.com

[Sysname-sslvpn-context-ctx1-url-item-serverA] url-mapping domain-mapping www.domain.com rewrite-enable

# Create URL item serverB and specify www.server.com as the resource URL. Map the resource URL to gateway gw1 with virtual host name host1 and enable URL rewriting.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] url-item serverB

[Sysname-sslvpn-context-ctx1-url-item-serverB] url www.server.com

[Sysname-sslvpn-context-ctx1-url-item-serverB] url-mapping port-mapping gateway gw1 virtual-host host1 rewrite-enable

Related commands

url-item

url

user

Use user to create an SSL VPN user and enter SSL VPN user view, or enter the view of an existing SSL VPN user.

Use undo user to delete an SSL VPN user.

Syntax

user username

undo user username

Default

No SSL VPN users exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

username: Specifies the SSL VPN username, a case-sensitive string of 1 to 63 characters. The username cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).

Usage guidelines

You can create multiple SSL VPN users in an SSL VPN context.

Examples

# Create SSL VPN user user1 and enter SSL VPN user view.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] user user1

[Sysname-sslvpn-context-ctx-user-user1]

verify-code

Use verify-code enable to enable code verification.

Use undo verify-code enable to disable code verification.

Syntax

verify-code enable

undo verify-code enable

Default

Code verification is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

After code verification is enabled, a user must enter a correct verification code to log in to the SSL VPN webpage.

Examples

# Enable code verification.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] verify-code enable

vpn-instance (SSL VPN context view)

Use vpn-instance to associate an SSL VPN context with a VPN instance.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

An SSL VPN context is associated with the public network.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies the name of a VPN instance, a case-sensitive string of 1 to 31 characters.

Usage guidelines

After you associate an SSL VPN context with a VPN instance, the resources managed by the context belong to the VPN instance.

An SSL VPN context can be associated with only one VPN instance.

You can associate an SSL VPN context with a nonexistent VPN instance. The context does not take effect until the associated VPN instance is created.

If you change the VPN instance associated with an SSL VPN context, all user-to-IP address bindings configured for SSL VPN users in the SSL VPN context will be removed.

Examples

# Associate SSL VPN context context1 with VPN instance vpn1.

<Sysname> system-view

[Sysname] sslvpn context context1

[Sysname-sslvpn-context-context1] vpn-instance vpn1

vpn-instance (SSL VPN gateway view)

Use vpn-instance to specify a VPN instance for an SSL VPN gateway.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

An SSL VPN gateway belongs to the public network.

Views

SSL VPN gateway view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies the name of a VPN instance, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN instance specified for an SSL VPN gateway is called a front VPN instance.

You can specify only one VPN instance for an SSL VPN gateway.

You can specify a nonexistent VPN instance for an SSL VPN gateway. The SSL VPN gateway does not take effect until the VPN instance is created.

Examples

# Specify VPN instance vpn1 for SSL VPN gateway gateway1.

<Sysname> system-view

[Sysname] sslvpn gateway gateway1

[Sysname-sslvpn-gateway-gateway1] vpn-instance vpn1

web-access ip-client auto-activate

Use web-access ip-client auto-activate to enable automatic startup of the IP access client after Web login.

Use undo web-access ip-client auto-activate to disable automatic startup of the IP access client after Web login.

Syntax

web-access ip-client auto-activate

undo web-access ip-client auto-activate

Default

Automatic startup of the IP access client after Web login is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

With this feature enabled, after a user logs in to the SSL VPN gateway through a Web browser, the IP access client on the user host will automatically connect to the gateway. If the IP access client software is not installed, the user will be prompted to install the software first.

For the IP access client to connect to the SSL VPN gateway correctly, make sure the IP access service and resources are configured on the SSL VPN gateway.

If an SSL VPN user has already logged in through an IP access client when this feature is enabled, the user cannot access the SSL VPN gateway directly through the Web browser. To access the SSL VPN gateway through the Web browser, the user must click Open Resource List in the IP access client.

Examples

# Enable automatic startup of the IP access client after Web login in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] web-access ip-client auto-activate