Login
- Table of Contents
-
- 16-Security Configuration Guide
- 00-Preface
- 01-ACL configuration
- 02-APR configuration
- 03-ARP attack protection configuration
- 04-ASPF configuration
- 05-IP source guard configuration
- 06-IPsec configuration
- 07-ND attack defense configuration
- 08-Password control configuration
- 09-PKI configuration
- 10-SSH configuration
- 11-SSL configuration
- 12-SSL VPN configuration
- 13-URL filtering configuration
- 14-User profile configuration
- 15-Bandwidth management configuration
- 16-Public key management
- 17-Attack detection and prevention configuration
- 18-Session management
- 19-Connection limit configuration
- 20-Crypto engine configuration
- 21-Time range configuration
- 22-Protocol packet rate limit configuration
- 23-DPI engine configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 12-SSL VPN configuration | 428.84 KB |
Contents
Restrictions and guidelines: SSL VPN configuration
Configuring an SSL VPN gateway
Configuring an SSL VPN context
Configuring user authentication in an SSL VPN context
Configuring the Web access service
Web access service tasks at a glance
Configuring an SSL VPN policy group for Web access
Configuring the TCP access service
TCP access service tasks at a glance
Configuring a port forwarding list
Configuring an SSL VPN policy group for TCP access
Configuring the IP access service
Restrictions and guidelines for IP access service configuration
IP access service tasks at a glance
Configuring an SSL VPN AC interface for IP access
Creating an address pool for IP access users
Configuring IP access parameters in an SSL VPN context
Configuring an SSL VPN policy group for IP access
Binding IP addresses to an SSL VPN user
Configuring SSL VPN access for mobile clients
SSL VPN access for mobile clients tasks at a glance
Specifying an EMO server for mobile clients
Specifying a message server for mobile clients
Configuring the default policy group for an SSL VPN context
Configuring SSL VPN user control
Configuring an SSL VPN SNAT address pool
Display and maintenance commands for SSL VPN
Configuring SSL VPN
About SSL VPN
SSL VPN operating mechanism
To allow remote user access to protected resources behind an SSL VPN gateway, you must configure these resources on the gateway. Remote users can access only the resources authorized to them after they establish an SSL-encrypted connection to the gateway and pass the identity authentication.
As shown in Figure 1, SSL VPN operates as follows:
1. The remote user establishes an HTTPS connection to the SSL VPN gateway.
In this process, the remote user and the SSL VPN gateway perform SSL certificate authentication.
2. The remote user enters the username and password.
3. The SSL VPN gateway authenticates the credentials that the user entered, and authorizes the user to access a range of resources.
4. The user selects a resource to access.
An access request for that resource is sent to the SSL VPN gateway through the SSL connection.
5. The SSL VPN gateway resolves the request and forwards the request to the corresponding internal server.
6. The SSL VPN gateway forwards the server's reply to the user through the SSL connection.
Figure 1 SSL VPN network diagram
SSL VPN networking modes
Gateway mode
In gateway mode, the SSL VPN gateway acts as a gateway that connects remote users and the internal servers network, as shown in Figure 2. Because the SSL VPN gateway is deployed in line, it can provide full protection to the internal network but it affects data transmission performance.
Single-arm mode
In single-arm mode, the SSL VPN gateway is attached to the network gateway, as shown in Figure 3.
The gateway forwards user-to-server traffic to the SSL VPN gateway. The SSL VPN gateway processes the traffic and sends the processed traffic back to the gateway. The gateway forwards the traffic to the internal servers. The SSL VPN gateway is not a performance bottleneck in the network because it is not deployed on the key path. However, the SSL VPN gateway cannot provide full protection to the internal network.
SSL VPN access modes
Web access
In Web access mode, remote users use browsers to access Web resources allowed by an SSL VPN gateway through HTTPS. After login, a user can access any resources listed on the webpage. In Web access mode, all operations are performed on webpages.
The resources available for SSL VPN Web access users are Web servers only.
To implement Web access, you must configure a list of URLs on the SSL VPN gateway. A URL is the IP address or domain name of an internal Web server.
The Web access procedure is as follows:
1. A user uses a browser to log in to an SSL VPN gateway through HTTPS.
2. The SSL VPN gateway authenticates the user and authorizes the user to access the available URLs.
The authorized URLs are displayed on the SSL VPN gateway webpage as URL links.
3. The user selects a URL to access on the SSL VPN gateway webpage. The browser sends the access request to the SSL VPN gateway through the SSL connection for HTTPS.
4. The SSL VPN gateway resolves the request and sends the request to the Web server through HTTP or HTTPS.
5. After receiving the reply from the Web server, the SSL VPN gateway forwards the reply to the user through the SSL connection for HTTPS.
Figure 4 illustrates the Web access process. The administrator configures a URL of www.h3c.com on the SSL VPN gateway. Then, the SSL VPN user can access the internal Web server by accessing the URL on the SSL VPN gateway webpage.
Figure 4 Network diagram for Web access
TCP access
In TCP access mode, users access TCP applications on internal servers by accessing the applications' open ports. Supported applications include remote access services (such as Telnet), desktop sharing services, mail services, Notes services, and other TCP services that use fixed ports.
In TCP access mode, a user installs the TCP access client software on the SSL VPN client (the terminal device that the user uses). The client software uses an SSL connection to transmit the application layer data.
To implement TCP access, you must configure port forwarding instances on the SSL VPN gateway. A port forwarding instance maps a TCP service (identified by an IP address/domain name and port number) to an SSL VPN client's local IP address (or host name) and port number.
The TCP access procedure is as follows:
1. A user uses a browser to log in to an SSL VPN gateway through HTTPS.
2. The SSL VPN gateway authenticates the user and authorizes the user to access the Telnet service (port forwarding instance).
3. The user downloads the TCP access client software from the webpage of the SSL VPN gateway, and launches the software. The software opens the authorized local port in the port forwarding instance.
4. The user tries to access the local IP address and port number. The TCP access client software sends the access request to the SSL VPN gateway through an SSL connection.
5. The SSL VPN gateway resolves the request and sends the request to the Telnet server according to the port forwarding instance.
6. After receiving the reply from the Telnet server, the SSL VPN gateway forwards the reply to the user through the SSL connection.
As shown in Figure 5, the administrator creates a port forwarding instance for the Telnet service on the SSL VPN gateway. The rule maps the internal Telnet server address 10.1.1.2 and port number 23 to the SSL VPN client's local address 127.0.0.1 and local port number 2000. Then, the SSL VPN user can access the internal Telnet server by telneting the local address 127.0.0.1 and local port number 2000.
Figure 5 Network diagram for TCP access
For mobile clients to use the TCP access mode, you do not need to configure port forwarding instances on the SSL VPN gateway. However, client software dedicated for mobile clients is required, and you must specify an Endpoint Mobile Office (EMO) server for mobile clients on the SSL VPN gateway. Mobile clients access internal resources through the EMO server. Figure 6 shows the access process.
Figure 6 Network diagram for mobile client access to internal servers
IP access
IP access implements secured IP communication between remote users and internal servers.
To access an internal server in IP access mode, a user must install dedicated IP access client software. The client software will install a virtual network interface card (VNIC) on the SSL VPN client.
To implement IP access, you must configure the following on the SSL VPN gateway:
· An SSL VPN AC interface.
· Routes to accessible IP resources. The routes will be issued to SSL VPN clients to instruct packet forwarding.
Figure 7 uses a ping operation to illustrate the IP access process. The administrator must first configure a route to the ping destination (server 10.1.1.2/24) on the SSL VPN gateway.
The access process is as follows:
1. The user installs the IP access client software and launches the client software to log in to the SSL VPN gateway.
2. The SSL VPN gateway performs the following operations:
a. Authenticates and authorizes the user.
b. Allocates an IP address to the VNIC of the user.
c. Issues the authorized IP access resources to the client.
In this example, a route to server 10.1.1.2/24 is issued.
3. The client specifies the allocated IP address as the VNIC's address and adds the route to the local routing table, using the VNIC as output interface.
4. The user pings the server address.
The ping request matches the route. Matching packets will be encapsulated by SSL.
5. The client uses SSL to encapsulate the ping request packet, and then sends the packet to the SSL VPN AC interface through the VNIC.
6. The SSL VPN gateway de-encapsulates the SSL packet into the IP packet and forwards the IP packet to the corresponding internal server.
7. The internal server sends a reply to the SSL VPN gateway.
8. The SSL VPN gateway uses SSL to encapsulate the reply packet and then sends the packet to the client through the SSL VPN AC interface.
Figure 7 Network diagram for IP access
SSL VPN user authentication
To access resources in an SSL VPN context, a user must first pass identity authentication to log in to the SSL VPN context. You can configure username/password authentication, certificate authentication, or both for an SSL VPN context.
To use username/password authentication for users, you must also create accounts for the users in AAA. For more information, see "Configuring AAA."
Username/password authentication
The username/password authentication process is as follows:
1. The SSL VPN user enters the login username and password on the SSL VPN login page. The username and password are sent to the SSL VPN gateway.
2. The SSL VPN gateway sends the received username and password to AAA for authentication, authorization, and accounting.
Certification authentication
As shown in Figure 8, the certificate authentication process is as follows:
1. The SSL VPN user selects the certificate for login when prompted. The certificate is sent in an SSL connection request to the SSL VPN gateway.
2. The SSL VPN gateway verifies the validity of the user certificate.
¡ If the certificate is verified as invalid, the gateway rejects the SSL connection request. The user cannot log in to the SSL VPN context.
¡ If the certificate is verified as valid, the SSL connection is established and the gateway performs the next step.
3. The SSL VPN gateway extracts the username from the CN field of the certificate, and then it sends the username to AAA for authorization and accounting.
|
|
NOTE: To use certificate authentication, make sure the username extracted from the CN field of the certificate exists on the local AAA server. |
Figure 8 Certificate authentication process
Combined username/password authentication and certificate authentication
The authentication process of combined username/password authentication and certificate authentication is as follows:
1. The SSL VPN user selects the certificate for login when prompted. The certificate is sent in an SSL connection request to the SSL VPN gateway.
2. The SSL VPN gateway verifies the validity of the user certificate.
¡ If the certificate is verified as invalid, the gateway rejects the SSL connection request. The user cannot log in to the SSL VPN context.
¡ If the certificate is verified as valid, the SSL connection is established and the gateway performs the next step.
3. The SSL VPN gateway extracts the username from the certificate and compares the extracted username with the username provided by the user:
¡ The user passes identity authentication if the two usernames match. The SSL VPN gateway then sends the username and password to AAA for authentication, authorization and accounting.
¡ The user fails the identity authentication if the two usernames do not match.
|
|
NOTE: A user might enter the username and password when the user selects the certificate or after the SSL connection is established, depending on the access mode. |
Resource access control
SSL VPN controls user access to resources on a per-user basis.
As shown in Figure 9, an SSL VPN gateway can be associated with multiple SSL VPN contexts. An SSL VPN context contains multiple policy groups. A policy group defines accessible Web resources, TCP resources, and IP resources.
Figure 9 SSL VPN resource access control
You can specify domain names or virtual host names for the SSL VPN contexts associated with an SSL VPN gateway. When a user logs in to the SSL VPN gateway, the SSL VPN gateway performs the following operations:
1. Uses the domain name or virtual host name that the user entered to determine the SSL VPN context to which the user belongs.
2. Uses the authentication and authorization methods of the ISP domain specified for the context to perform authentication and authorization for the user.
¡ If the SSL VPN gateway authorizes the user to use a policy group, the user can access resources allowed by the policy group.
¡ If the SSL VPN gateway does not authorize the user to use a policy group, the user can access resources allowed by the default policy group.
|
|
NOTE: The SSL VPN gateway uses AAA to perform user authentication and authorization. SSL VPN supports AAA protocols RADIUS and LDAP. RADIUS is most often used. |
Restrictions and guidelines: SSL VPN configuration
The SSL VPN gateway generates only one session for a user who accesses both Web and IP resources in the following method:
1. First, the user accesses the SSL VPN gateway through a Web browser.
2. Then, the user downloads the IP access client through the Web page and launches the IP access client.
Once the user exits the Web browser or IP access client, the session is terminated and the user can access neither Web nor IP access resources.
SSL VPN tasks at a glance
To configure SSL VPN, perform the following tasks on the SSL VPN gateway:
1. Configuring an SSL VPN gateway
2. Configuring an SSL VPN context
3. Configuring user authentication in an SSL VPN context
5. Configuring SSL VPN access services
¡ Configuring the Web access service
¡ Configuring the TCP access service
¡ Configuring the IP access service
¡ Configuring SSL VPN access for mobile clients
6. (Optional.) Configuring the default policy group for an SSL VPN context
7. (Optional.) Configuring HTTP redirection
8. (Optional.) Customizing SSL VPN webpage
9. (Optional.) Configuring SSL VPN user control
10. (Optional.) Configuring an SSL VPN SNAT address pool
11. (Optional.) Enabling SSL VPN logging
Prerequisites for SSL VPN
Before you configure the SSL VPN gateway, complete the following tasks:
· Configure PKI and obtain a digital certificate for the SSL VPN gateway (see "Configuring PKI").
· Configure an SSL server policy to be used by the SSL VPN gateway (see "Configuring SSL").
Configuring an SSL VPN gateway
1. Enter system view.
system-view
2. Create an SSL VPN gateway and enter its view.
sslvpn gateway gateway-name
3. Configure an IPv4 address and a port number for the SSL VPN gateway.
ip address ip-address [ port port-number ]
By default, the SSL VPN gateway uses IPv4 address 0.0.0.0 and port number 443.
If you configure the ip address command without specifying a port number, the default port number (443) is used.
The configured IPv4 address and port number must be different from the management IP address and port number of the device.
4. Configure an IPv6 address and a port number for the SSL VPN gateway.
ipv6 address ipv6-address [ port port-number ]
By default, no IPv6 address or port number is configured for the SSL VPN gateway.
If you configure the ipv6 address command without specifying a port number, the default port number (443) is used.
The configured IPv6 address and port number must be different from the management IPv6 address and port number of the device.
5. Apply an SSL server policy to the SSL VPN gateway.
ssl server-policy policy-name
By default, an SSL VPN gateway uses the SSL server policy of its self-signed certificate.
As a best practice, apply an existing SSL server policy.
If the settings of the applied SSL server policy are changed, you must disable and then enable the SSL VPN gateway to use the modified policy.
6. Enable the SSL VPN gateway.
service enable
By default, the SSL VPN gateway is disabled.
Configuring an SSL VPN context
About this task
An SSL VPN context manages user sessions and resources available to users.
Restrictions and guidelines
When you associate an SSL VPN context with an SSL VPN gateway, follow these guidelines:
· Make sure the context has a domain name or virtual host name different than any existing contexts associated with the SSL VPN gateway.
· If you do not specify a domain name or virtual host name for the context, you cannot associate other SSL VPN contexts with the SSL VPN gateway.
· If you specify a virtual host name, deploy a DNS server in the network to resolve the virtual host name to the SSL VPN gateway's IP address.
You can associate an SSL VPN context with a maximum of 10 SSL VPN gateways.
Procedure
1. Enter system view.
system-view
2. Create an SSL VPN context and enter its view.
sslvpn context context-name
3. Associate the context with an SSL VPN gateway.
gateway gateway-name [ domain domain-name | virtual-host virtual-host-name ]
By default, the context is not associated with an SSL VPN gateway.
4. Specify an ISP domain for AAA of SSL VPN users in the context.
aaa domain domain-name
By default, the default ISP domain is used for AAA of SSL VPN users in an SSL VPN context.
An SSL VPN username cannot carry ISP domain information. After this command is executed, the SSL VPN gateway uses the specified domain for AAA of SSL VPN users in the context.
5. Enable the context.
service enable
By default, the context is disabled.
6. (Optional.) Set the maximum number of sessions for the context.
max-users max-number
By default, an SSL VPN context supports a maximum of 1048575 sessions.
7. (Optional.) Set the idle timeout timer for SSL VPN sessions.
timeout idle minutes
By default, the idle timeout timer for SSL VPN sessions is 30 minutes.
8. (Optional.) Set the idle-cut traffic threshold for SSL VPN sessions.
idle-cut traffic-threshold
By default, the SSL VPN session idle-cut traffic threshold is 0 bytes. An SSL VPN session will be disconnected if no traffic is transmitted within the session idle timeout time specified by the timeout idle command.
9. (Optional.) Apply an SSL client policy to the SSL VPN context.
ssl client-policy policy-name
The default SSL client policy for SSL VPN is used. This policy supports the dhe_rsa_aes_128_cbc_sha, dhe_rsa_aes_256_cbc_sha, rsa_3des_ede_cbc_sha, rsa_aes_128_cbc_sha, and rsa_aes_256_cbc_sha cipher suites.
The SSL VPN gateway will use the settings in the specified SSL client policy to connect to HTTPS servers.
Configuring user authentication in an SSL VPN context
About this task
You can enable username/password authentication, certificate authentication, or both in an SSL VPN context. Whether these authentication methods are required for logging in to the SSL VPN context depend on the configuration of the authentication use all command:
· If the authentication use all command is configured, a user must pass all the enabled authentication methods for login.
· If the authentication use any-one command is configured, a user can log in after passing any enabled authentication method.
You can also enable the verification code authentication, dynamic password verification, and IMC SMS message verification in an SSL VPN context. These authentication methods are required if they are configured.
Restrictions and guidelines
How certificate authentication works depends on the configuration of the client-verify command in SSL server policy view. You can use the command to enable mandatory or optional SSL client authentication. Mandatory certificate authentication is supported only for Web users and IP access users. For TCP access users and mobile client users to access the SSL VPN gateway successfully, optional SSL client authentication must be used.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Enable username/password authentication.
password-authentication enable
Username/password authentication is enabled by default.
4. (Optional.) Enable certificate authentication.
certificate-authentication enable
Certificate authentication is disabled by default.
5. Specify the authentication methods required for user login
authentication use { all | any-one }
By default, a user must pass all the enabled authentication methods to log in to an SSL VPN context.
6. (Optional.) Enable verification code authentication.
verify-code enable
By default, verification code authentication is enabled.
7. (Optional.) Enable dynamic password verification.
dynamic-password enable
By default, dynamic password verification is disabled.
8. (Optional.) Enable IMC SMS message verification.
a. Specify an IMC server.
sms-imc address ip-address port port-number [ vpn-instance vpn-instance-name ]
By default, no IMC server is specified.
b. Enable IMC SMS message verification.
sms-imc enable
By default, IMC SMS message verification is disabled.
Configuring a URI ACL
About this task
A URI ACL is a set of rules that permit or deny access to resources. You can use URI ACLs for fine-grained IP, TCP, and Web access filtering of SSL VPN users.
You can add multiple rules to a URI ACL. The device matches a packet against the rules in ascending order of rule ID. The match process stops once a matching rule is found.
You can create multiple URI ACLs in an SSL VPN context.
A URI ACL supports filtering traffic based on protocol type, address, domain name, port number, and URL. It can be used to filter HTTP, HTTPS, TCP, UDP, ICMP, and IP traffic.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Create a URI ACL and enter its view.
uri-acl uri-acl-name
4. Configure a rule in the URI ACL.
rule [ rule-id ] { deny | permit } uri uri-pattern-string
By default, no rules are configured in a URI ACL.
Configuring the Web access service
Web access service tasks at a glance
To configure the Web access service, perform the following tasks:
2. Configuring an SSL VPN policy group for Web access
3. (Optional.) Configuring a file policy
4. (Optional.) Configuring shortcuts
Configuring a URL list
About this task
A URL list is a list of URL items that define the accessible Web resources behind the SSL VPN gateway. Each URL item corresponds to an internal Web resource.
The SSL VPN gateway rewrites the resource URL returned from the internal server before sending the URL to the requesting user. The URL mapping type determines how the gateway rewrites the URL.
The following example describes how URL mapping works when the user accesses internal resources at URL http://www.server.com:8080. The SSL VPN gateway name is gw, domain name is https://www.gateway.com:4430, and IP address is 1.1.1.1.
· Normal mapping—This is the default mapping method. The resource URL returned to the client will be rewritten to https://www.gateway.com:4430/_proxy2/http/8080/www.server.com.
· Domain mapping—The resource URL returned to the client will be rewritten to https://mapped domain name:4430, where mapped domain name is the user-defined domain name.
· Port mapping—You can specify a gateway name with or without a virtual host name for port mapping. For example:
¡ If you specify gw2 as the gateway name and do not specify a virtual host name, the resource URL will be rewritten to https://2.2.2.2:4430, where 2.2.2.2 and 4430 are the IP address and port number of SSL VPN gateway gw2.
¡ If you specify gw as the gateway name and vhosta as the virtual host name, the resource URL will be rewritten to https://vhosta:4430.
Restrictions and guidelines
Resource URL mapping is available only for resource access responses that contain HTML, CSS, or JS files.
Normal mapping might cause problems such as missed URL rewriting and rewriting errors, resulting in SSL VPN clients not being able to access the internal resources. Use domain mapping or URL mapping as a best practice.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Create a URL item and enter its view.
url-item name
4. Specify the resource URL in the URL item.
url url
By default, no resource URL is specified in a URL item.
If you do not specify a protocol type in the resource URL, the default protocol (HTTP) is used.
5. (Optional.) Specify a URI ACL in the URL item.
resource uri-acl uri-acl-name
By default, no URI ACL is specified.
6. (Optional.) Configure the URL mapping method.
url-mapping { domain-mapping domain-name | port-mapping gateway gateway-name [ virtual-host virtual-host-name ] } [ rewrite-enable ]
By default, the normal mapping method is used.
7. Return to SSL VPN context view.
quit
8. Create a URL list and enter its view.
url-list name
9. (Optional.) Configure a heading for the URL list.
heading string
By default, the URL list heading is Web.
10. Add the URL item to the URL list.
resources url-item name
By default, a URL list does not contain any URL items.
Configuring an SSL VPN policy group for Web access
About this task
To configure an SSL VPN policy group for Web access, associate a URL list with the policy group. After the AAA server authorizes a user to use a policy group, the user can access the Web resources provided by the URL list associated with the policy group.
In a policy group, you can specify an advanced ACL and a URI ACL to filter users' Web access requests.
The advanced ACL supports filtering Web access requests by destination IP address and destination port number. The URI ACL supports filtering Web access requests by protocol type, destination address, domain name, port number, and URL.
The SSL VPN gateway uses the following procedure to determine whether to forward a Web access request:
1. Matches the request against the authorized URL list.
¡ If the request matches a URL item in the list, the gateway forwards the request.
¡ If the request does not match any URL items in the list, the gateway proceeds to the next step.
2. Matches the request against rules in the URI ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to the next step.
3. Matches the request against rules in the advanced ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Create an SSL VPN policy group and enter SSL VPN policy group view.
policy-group group-name
4. Associate a URL list with the policy group.
resources url-list url-list-name
By default, no URL list associated with a policy group.
5. (Optional.) Specify the ACLs for Web access filtering:
¡ Specify an advanced ACL for Web access filtering.
filter web-access [ ipv6 ] acl advanced-acl-number
¡ Specify a URI ACL for Web access filtering.
filter web-access uri-acl uri-acl-name
By default, users can access only the Web resources authorized to them through the URL list.
Configuring a file policy
About this task
A file policy enables the SSL VPN gateway to rewrite Web page files before forwarding them to requesting Web access users.
A file policy contains the following settings:
· A URL that identifies the path of the file to which the file policy is applied.
· One or more rewrite rules.
A rewrite rule defines the old file content to be rewritten and the new content used to replace the old content.
· (Optional.) The file type that the file is changed to after being rewritten by the file policy.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Create a file policy and enter its view.
file-policy policy-name
By default, no file policies exist.
4. Specify the URL of the file to be rewritten.
url url
By default, no file URL is specified in a file policy.
5. Specify the file type that a file is changed to after being rewritten by the file policy.
content-type { css | html | javascript | other }
By default, a file policy rewrites a file in an HTTP response to the file type indicated by the content-type field in the HTTP response.
6. Create a rewrite rule and enter its view.
rewrite-rule rule-name
7. Specify the old content to be rewritten.
old-content string
By default, the old content to be rewritten is not specified.
8. Specify the new content used to replace the old content.
new-content string
By default, the new content used to replace the old content is not specified.
Configuring shortcuts
About this task
To provide quick access to resources on internal servers, configure shortcuts for these resources. A shortcut provides the access link to a protected resource on the SSL VPN Web page. Users can click a shortcut name on the SSL VPN Web page to access the associated resource.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Create a shortcut and enter its view.
shortcut shortcut-name
By default, no shortcuts exist.
4. (Optional.) Configure a description for the shortcut.
description text
By default, no description is configured for a shortcut.
5. Configure a resource link for the shortcut.
execution script
By default, no resource link is configured for a shortcut.
6. Return to SSL VPN context view.
quit
7. Create a shortcut list and enter its view.
shortcut-list list-name
8. Assign the shortcut to the shortcut list.
resources shortcut shortcut-name
By default, a shortcut list does not contain shortcuts.
9. Return to SSL VPN context view.
quit
10. Enter SSL VPN policy group view.
policy-group group-name
11. Assign the shortcut list to the SSL VPN policy group.
resources shortcut-list list-name
By default, an SSL VPN policy group does not contain a shortcut list.
Configuring the TCP access service
To allow remote users to access internal resources in TCP access mode, you must configure TCP access resources and associate the resources with an SSL VPN policy group.
TCP access service tasks at a glance
To configure the TCP access service, perform the following tasks:
1. Configuring a port forwarding list
2. Configuring an SSL VPN policy group for TCP access
Configuring a port forwarding list
About this task
A port forwarding list is a list of port forwarding items. Each port forwarding item contains a port forwarding instance.
A port forwarding instance maps a TCP service (such as Telnet, SSH, or POP3) hosted on an internal server to a local address and port number on the SSL VPN client. Remote users can access the TCP service though the local address and port number.
The port forwarding instance is displayed together with the port forwarding item name on the SSL VPN Web page. If you configure a resource link for the port forwarding item, the port forwarding item name will be displayed as a link on the SSL VPN Web page. You can click the link to access the resource directly.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Create a port forwarding item and enter its view.
port-forward-item item-name
4. Configure a port forwarding instance for the port forwarding item.
local-port local-port-number local-name local-name remote-server remote-server remote-port remote-port-number [ description text ]
5. (Optional.) Configure a resource link for the port forwarding item.
execution script
6. Return to SSL VPN context view.
quit
7. Create a port forwarding list and enter its view.
port-forward port-forward-name
8. Assign the port forwarding item to the port forwarding list.
resources port-forward-item item-name
By default, a port forwarding list does not contain port forwarding items.
Configuring an SSL VPN policy group for TCP access
About this task
To configure an SSL VPN policy group for TCP access, associate a port forwarding list with the policy group. After the AAA server authorizes a user to use a policy group, the user can access the TCP services provided by the port forwarding list associated with the policy group.
In a policy group, you can specify an advanced ACL and a URI ACL to filter users' TCP access requests.
The advanced ACL supports filtering TCP access requests by destination IP address and destination port number. The URI ACL supports filtering Web access requests by protocol type, destination address, domain name, port number, and URL.
For PC users, the ACLs configured for TCP access filtering do not take effect. They can access only the TCP resources authorized to them through the TCP port forwarding list.
For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request:
1. Matches the request against the authorized port forwarding list.
¡ If the request matches a port forwarding item in the list, the gateway forwards the request.
¡ If the request does not match any port forwarding items in the list, the gateway proceeds to the next step.
2. Matches the request against the rules in the URI ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to the next step.
3. Matches the request against the rules in the advanced ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Create an SSL VPN policy group and enter SSL VPN policy group view.
policy-group group-name
4. Associate a port forwarding list with the policy group.
resources port-forward port-forward-name
By default, no port forwarding list is associated with a policy group.
5. (Optional.) Specify the ACLs for TCP access filtering:
¡ Specify an advanced ACL for TCP access filtering.
filter tcp-access [ ipv6 ] acl advanced-acl-number
¡ Specify a URI ACL for TCP access filtering.
filter tcp-access uri-acl uri-acl-name
By default, users can access only the TCP resources authorized to them through the TCP port forwarding list.
Configuring the IP access service
To allow remote users to access internal resources in IP access mode, you must configure IP access resources and associate the resources with an SSL VPN policy group.
Restrictions and guidelines for IP access service configuration
To ensure correct forwarding of reply packets to an SSL VPN client, configure static routes from the internal servers to the network segment where the client's VNIC resides.
IP access service tasks at a glance
To configure the IP access service, perform the following tasks:
1. Configuring an SSL VPN AC interface for IP access
2. Creating an address pool for IP access users
3. Configuring IP access parameters in an SSL VPN context
4. Configuring an SSL VPN policy group for IP access
5. (Optional.) Binding IP addresses to an SSL VPN user
Configuring an SSL VPN AC interface for IP access
Configuring an SSL VPN AC interface
1. Enter system view.
system-view
2. Create an SSL VPN AC interface and enter its view.
interface sslvpn-ac interface-number
3. Configure an IP address for the interface.
ip address ip-address { mask | mask-length }
By default, no IP address is configured for an AC interface.
4. (Optional.) Set the expected bandwidth for the interface.
bandwidth bandwidth-value
The expected bandwidth is 64 kbps by default.
The expected bandwidth is an informational parameter used only by higher-layer protocols for calculation. You cannot adjust the actual bandwidth of an interface by using this command.
5. (Optional.) Configure the description of the interface.
description text
The default interface description is interface name Interface. For example, SSLVPN-AC1000 Interface.
6. (Optional.) Set the MTU of the interface.
mtu size
The default setting varies by device model.
7. Bring up the interface.
undo shutdown
By default, an SSL VPN AC interface is up.
Restoring the default settings for the SSL VPN AC interface
|
|
IMPORTANT: Restoring the default interface settings might interrupt ongoing network services. Make sure you are fully aware of the impact of this operation when you perform it on a live network. |
To restore the default settings for the SSL VPN AC interface:
1. Enter system view.
system-view
2. Enter SSL VPN AC interface view.
interface sslvpn-ac interface-number
3. Restore the default settings for the SSL VPN AC interface.
default
This command might fail to restore the default settings for some commands for reasons such as command dependencies and system restrictions. You can use the display this command in interface view to check for these commands, and use their undo forms or follow the command reference to restore their respective default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.
Creating an address pool for IP access users
About this task
An address pool defines the IP addresses that can be assigned to IP access users.
Procedure
1. Enter system view.
system-view
2. Create an address pool.
sslvpn ip address-pool pool-name start-ip-address end-ip-address
Configuring IP access parameters in an SSL VPN context
About this task
To provide service to IP access users, you must configure IP access parameters in an SSL VPN context, including the SSL VPN AC interface, address pool, and route list. After a user passes identity authentication, the SSL VPN context allocates an IP address to the VNIC of the user from the specified address pool. The route list can be used by an SSL VPN policy group to issue route entries to users.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Specify an SSL VPN AC interface for IP access.
ip-tunnel interface sslvpn-ac interface-number
By default, no SSL VPN AC interface is specified for IP access in the SSL VPN context.
4. Create a route list and enter its view.
ip-route-list list-name
5. Add an included route to the route list.
include ip-address { mask | mask-length }
6. Add an excluded route to the route list.
exclude ip-address { mask | mask-length }
7. Return to SSL VPN context view.
quit
8. Specify an address pool for IP access.
ip-tunnel address-pool pool-name mask { mask-length | mask }
By default, no address pool is specified for IP access.
9. (Optional.) Set the keepalive interval.
ip-tunnel keepalive seconds
By default, the keepalive interval is 30 seconds.
10. (Optional.) Specify a DNS server for IP access.
ip-tunnel dns-server { primary | secondary } ip-address
By default, no DNS servers are specified for IP access.
11. (Optional.) Specify a WINS server for IP access.
ip-tunnel wins-server { primary | secondary } ip-address
By default, no WINS servers are specified for IP access.
12. (Optional.) Enable automatic startup of the IP access client after Web login.
web-access ip-client auto-activate
By default, automatic startup of the IP access client after Web login is disabled.
13. (Optional.) Enable automatic pushing of accessible resources to IP access users through the Web page.
ip-tunnel web-resource auto-push
By default, automatic pushing of accessible resources to IP access users through the Web page is disabled.
Configuring an SSL VPN policy group for IP access
About this task
To configure an SSL VPN policy group for IP access, configure routes for the accessible IP resources in the policy group. After the AAA server authorizes a user to use a policy group, the SSL VPN gateway issues the routes to the user so the user can access the IP resources.
You can configure the routes to be issued to users by using one of the following methods:
· Manually configure a route.
· Specify a route list.
· Force all traffic to be sent to the SSL VPN gateway.
The SSL VPN gateway issues a default route to the SSL VPN client. The default route uses the VNIC as the output interface and has the highest priority among all default routes on the client. Packets for destinations not in the routing table are sent to the SSL VPN gateway through the VNIC. The SSL VPN gateway monitors the SSL VPN client in real time. It does not allow the client to delete the default route or add a default route with a higher priority.
In a policy group, you can specify an advanced ACL and a URI ACL to filter users' IP access requests.
The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request:
1. Matches the request against the rules in the URI ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 2.
2. Matches the request against the rules in the advanced ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.
The advanced ACL supports filtering IP access requests by using the following criteria:
· Destination IP address.
· Destination port number.
· Source IP address.
· Source port number.
· Protocol type.
· Packet priority.
· Fragment information.
· TCP flag.
· ICMP message type and message code.
The URI ACL supports filtering IP access requests by protocol type, destination address, domain name, port number, and URL.
Restrictions and guidelines
If a rule in the URI ACL specified for IP access filtering contains HTTP or HTTPS settings, the rule does not take effect.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Create an SSL VPN policy group and enter SSL VPN policy group view.
policy-group group-name
4. Specify the routes to be issued to clients.
ip-tunnel access-route { ip-address { mask-length | mask } | force-all | ip-route-list list-name }
By default, no routes are configured.
5. (Optional.) Specify the ACLs for IP access filtering:
¡ Specify an advanced ACL for IP access filtering.
filter ip-tunnel [ ipv6 ] acl advanced-acl-number
¡ Specify a URI ACL for IP access filtering.
filter ip-tunnel uri-acl uri-acl-name
By default, an SSL VPN gateway denies all IP access requests.
6. (Optional.) Specify an address pool for IP access.
ip-tunnel address-pool pool-name mask { mask-length | mask }
By default, no address pool is specified for IP access in an SSL VPN policy group.
If no free address is available in the address pool or the address pool does not exist, address allocation to IP access users will fail and the users' access requests will be rejected.
If no address pool is specified for the policy group, the SSL VPN gateway allocates IP addresses to users from the address pool specified for the SSL VPN context.
Binding IP addresses to an SSL VPN user
About this task
When an SSL VPN user accesses the SSL VPN gateway in IP access mode, the SSL VPN gateway must assign an IP address to the user. This feature allows you to specify the IP addresses that can be assigned to a user.
You can bind IP addresses to an SSL VPN user as follows:
· Bind a list of IP addresses to the user. When the user accesses the SSL VPN gateway in IP access mode, the SSL VPN gateway assigns a bound IP address to the user.
· Enable the SSL VPN gateway to automatically bind the specified number of free addresses in the IP access address pool to the user.
Restrictions and guidelines
The IP addresses to be bound to an SSL VPN user must meet the following requirements:
· If an IP access address pool is specified for the SSL VPN policy group authorized to the user, the IP addresses must exist in the address pool.
· If no address pool is specified for the SSL VPN policy group, the IP addresses must exist in the address pool specified for the SSL VPN context of the user.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Create an SSL VPN user and enter SSL VPN user view.
user username
4. Bind IP addresses to the SSL VPN user.
ip-tunnel bind address { ip-address-list | auto-allocate number }
By default, an SSL VPN user does not have bound IP addresses.
Configuring SSL VPN access for mobile clients
SSL VPN access for mobile clients tasks at a glance
To configure SSL VPN access for mobile clients, perform the following tasks:
1. Specifying an EMO server for mobile clients
2. (Optional.) Specifying a message server for mobile clients
Specifying an EMO server for mobile clients
About this task
An EMO server provides services for mobile clients. After you specify an EMO server for mobile clients, the SSL VPN gateway issues the EMO server information to the clients. The clients can access available service resources through the EMO server.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Specify an EMO server for mobile clients.
emo-server address { host-name | ipv4-address } port port-number
By default, no EMO server is specified for mobile clients.
Specifying a message server for mobile clients
About this task
A message server provides services for mobile clients. After you specify a message server for mobile clients, the SSL VPN gateway issues the message server information to the clients. The clients can access the message server.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Specify a message server for mobile clients.
message-server address { host-name | ipv4-address } port port-number
By default, no message server is specified for mobile clients.
Configuring the default policy group for an SSL VPN context
About this task
If the AAA server does not authorize a policy group to a user after the user logs in, the SSL VPN gateway authorizes the default policy group to the user. If no default policy group is configured, the SSL VPN gateway denies all access requests from the user.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Create an SSL VPN policy group and enter SSL VPN policy group view.
policy-group group-name
4. Configure accessible resources in the policy group:
¡ Configure Web access resources.
resources url-list url-list-name
By default, no Web access resources are configured in a policy group.
¡ Configure TCP access resources.
resources port-forward port-forward-name
By default, no TCP access resources are configured in a policy group.
¡ Configure IP access resources.
ip-tunnel access-route { ip-address { mask-length | mask } | force-all | ip-route-list list-name }
By default, no IP access resources are configured in a policy group.
5. (Optional.) Specify the ACLs for Web access filtering:
¡ Specify an advanced ACL for Web access filtering.
filter web-access [ ipv6 ] acl advanced-acl-number
¡ Specify a URI ACL for Web access filtering.
filter web-access uri-acl uri-acl-name
By default, users can access only the Web resources authorized to them through the URL list.
6. (Optional.) Specify the ACLs for TCP access filtering:
¡ Specify an advanced ACL for TCP access filtering.
filter tcp-access [ ipv6 ] acl advanced-acl-number
¡ Specify a URI ACL for TCP access filtering.
filter tcp-access uri-acl uri-acl-name
By default, users can access only the TCP resources authorized to them through the TCP port forwarding list.
7. (Optional.) Specify the ACLs for IP access filtering:
¡ Specify an advanced ACL for IP access filtering.
filter ip-tunnel [ ipv6 ] acl advanced-acl-number
¡ Specify a URI ACL for IP access filtering.
filter ip-tunnel uri-acl uri-acl-name
By default, an SSL VPN gateway denies all IP access requests.
8. Return to SSL VPN context view.
quit
9. Specify the policy group as the default policy group for the SSL VPN context.
default-policy-group group-name
By default, no default policy group is specified for an SSL VPN context.
Configuring HTTP redirection
About this task
An SSL VPN gateway communicates with users through HTTPS. To allow HTTP to access the SSL VPN gateway, you must configure HTTP redirection.
HTTP redirection enables an SSL VPN gateway to perform the following operations:
1. Listen to an HTTP port.
2. Redirect HTTP requests with the port number to the port used by HTTPS.
3. Send redirection packets to clients.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN gateway view.
sslvpn gateway gateway-name
3. Enable HTTP redirection.
http-redirect [ port port-number ]
By default, HTTP redirection is disabled. An SSL VPN gateway does not process HTTP traffic.
Customizing SSL VPN webpage
About this task
You can customize the following elements on the SSL VPN webpage:
· Login message.
· Title.
· Logo.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Configure a login message.
login-message { chinese chinese-message | english english-message }
By default, the login message is Welcome to SSL VPN.
4. Configure a title.
title { chinese chinese-title | english english-title }
By default, the title is SSL VPN.
5. Specify a logo.
logo { file file-name | none }
By default, the H3C logo is displayed.
Configuring SSL VPN user control
About this task
Perform this task to configure the SSL VPN user login control features, such as the force logout feature, the maximum number of concurrent logins for each account, and the maximum number of connections allowed per session.
Procedure
1. Enter system view.
system-view
2. Enter SSL VPN context view.
sslvpn context context-name
3. Force online users to log out.
force-logout [ all | session session-id | user user-name ]
4. Set the maximum number of concurrent logins for each account.
max-onlines number
By default, the maximum number of concurrent logins for each account is 32.
5. Enable the force logout feature.
force-logout max-onlines enable
By default, the force logout feature is disabled. A user cannot log in if the number of logins using the account reaches the maximum.
When a login is attempted but logins using the account reach the maximum, this feature logs out the user with the longest idle time to allow the new login.
6. Set the maximum number of connections allowed per session.
session-connections number
By default, a maximum of 64 connections are allowed per session.
If the number of connections in a session has reached the maximum, new connection requests for the session will be rejected with a 503 Service Unavailable message.
Configuring an SSL VPN SNAT address pool
About this task
SNAT address pools are used for the SSL VPN gateway to direct traffic to corresponding security engines for processing.
The SSL VPN gateway assigns addresses in the pools to security engines and uses the addresses to generate route entries and OpenFlow flow entries.
When the TCP or Web access service establishes a connection to a remote server, SSL VPN gateway associates the security engine of the service with an assigned address. The SSL VPN gateway uses this address as the source address of the request sent to the server. The server uses this address as the destination address of the reply packet sent to the gateway.
After receiving the reply packet from the server, the SSL VPN gateway uses the destination address to find a matching OpenFlow flow entry and route entry. The SSL VPN gateway uses the matching entries to find the corresponding security engine and forward the packet of the server to that security engine for processing.
You can specify an IPv4 address range, IPv6 address range, or both for an SNAT address pool. The addresses in the address range are equally assigned to all engines. The number of addresses in the address range must be greater than or equal to the number of engines.
A SNAT address pool can contain a maximum of 256 IPv4 addresses and 65535 IPv6 addresses. No overlapping addresses are allowed in different SNAT address pools.
Procedure
1. Enter system view.
system-view
2. Create an SSL VPN SNAT address pool and enter its view.
sslvpn snat-pool pool-name
3. Specify an IPv4 address range for the pool.
ip range start-ipv4-address end-ipv4-address
By default, no IPv4 address range is specified for an SSL VPN SNAT address pool.
4. Specify an IPv6 address range for the pool.
ipv6 range start-ipv6-address end-ipv6-address
By default, no IPv6 address range is specified for an SSL VPN SNAT address pool.
5. Return to system view.
quit
6. Enter SSL VPN context view.
sslvpn context context-name
7. Specify the SNAT address pool for the context.
resources snat-pool snat-pool-name
By default, no SNAT address pool is specified for an SSL VPN context.
Enabling SSL VPN logging
About this task
The SSL VPN logging feature can log the following events:
· Global events, including access failures caused by not associating SSL VPN contexts with gateways or not enabling SSL VPN contexts.
· User login and logoff events.
· Resource access events.
· IP connection close events.
The generated logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable the SSL VPN global logging feature.
sslvpn log enable
By default, the SSL VPN global logging feature is disabled.
3. Enter SSL VPN context view.
sslvpn context context-name
4. Enable logging for user login and logoff events.
log user-login enable
By default, logging for user login and logoff events is disabled.
5. Enable logging for resource accesses of users.
log resource-access enable [ brief | filtering ] *
By default, resource access logging is disabled.
6. Enable logging for IP connection close events.
ip-tunnel log connection-close
By default, logging for IP connection close events is disabled.
Display and maintenance commands for SSL VPN
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display SSL VPN AC interface information. |
display interface sslvpn-ac [ interface-number ] [ brief [ description | down ] ] |
|
Display SSL VPN context information. |
display sslvpn context [ brief | name context-name ] |
|
Display SSL VPN gateway information. |
display sslvpn gateway [ brief | name gateway-name ] |
|
Display packet statistics for IP access users. |
display sslvpn ip-tunnel statistics [ context context-name ] [ user user-name ] |
|
Display SSL VPN policy group information. |
display sslvpn policy-group group-name [ context context-name ] |
|
Display TCP port forwarding connection information. |
display sslvpn port-forward connection [ context context-name ] In IRF mode: display sslvpn port-forward connection [ context context-name ] [ slot slot-number ] |
|
Display SSL VPN session information. |
display sslvpn session [ context context-name ] [ user user-name | verbose ] |
|
Clear SSL VPN AC interface statistics. |
reset counters interface [ sslvpn-ac [ interface-number ] ] |
|
Clear packet statistics for IP access users. |
reset sslvpn ip-tunnel statistics [ context context-name [ session session-id ] ] |
