H3C SecPath M9000 Comware 7 Web configuration guide (R9153P38 R9724P38 R9001P38 E9153P38)-6W401

06-Network

16-SSL VPN

This help contains the following topics:

·     Introduction

¡     SSL VPN operating mechanism

¡     SSL VPN networking modes

¡     SSL VPN access modes

¡     Resource access control

·     Restrictions and guidelines

¡     Restrictions and guidelines: SSL VPN gateway configuration

¡     Restrictions and guidelines: Web access configuration

¡     Restrictions and guidelines: TCP access configuration

¡     Restrictions and guidelines: IP access configuration

¡     Restrictions and guidelines: Domain name configuration

¡     Restrictions and guidelines: LDAP authentication configuration

·     Troubleshooting SSL VPN

·     Configure SSL VPN

¡     Configure basic settings in an SSL VPN context

¡     Configure URI ACLs

¡     Configure access services

¡     Configure a shortcut list

¡     Configure a resource group

·     FAQ

Introduction

SSL VPN provides SSL-based secure remote access services through an SSL VPN gateway. Users from anywhere on the Internet can establish a secure connection to an SSL VPN gateway through an SSL-enabled browser to access protected resources behind the gateway.

SSL VPN operating mechanism

To allow remote user access to protected resources behind an SSL VPN gateway, you must configure these resources on the gateway. Remote users can access only the resources authorized to them after they establish an SSL-encrypted connection to the gateway and pass the identity authentication.

SSL VPN operates as follows:

1.     The remote user establishes an HTTPS connection to the SSL VPN gateway.

In this process, the two sides complete the SSL handshake: the SSL VPN gateway presents its server certificate, and the user presents a client certificate only if SSL client authentication is enabled in the SSL server policy used by the gateway (see "FAQ").

2.     The remote user enters the username and password.

3.     The SSL VPN gateway authenticates the credentials that the user entered, and authorizes the user to access a range of resources.

4.     The user selects a resource to access.

An access request for that resource is sent to the SSL VPN gateway through the SSL connection.

5.     The SSL VPN gateway resolves the request and forwards the request to the corresponding internal server.

6.     The SSL VPN gateway forwards the server's reply to the user through the SSL connection.

SSL VPN networking modes

SSL VPN supports the following networking modes:

·     Gateway mode—In gateway mode, the SSL VPN gateway acts as the gateway between remote users and the internal server network. Because the SSL VPN gateway is deployed inline, it can provide full protection to the internal network, but it affects data transmission performance.

·     Single-arm mode—In single-arm mode, the SSL VPN gateway is attached to the network gateway. The network gateway forwards user-to-server traffic to the SSL VPN gateway. The SSL VPN gateway processes the traffic and sends the processed traffic back to the network gateway, which forwards it to the internal servers. The SSL VPN gateway is not a performance bottleneck because it is not deployed on the key path. However, it cannot provide full protection to the internal network.

SSL VPN access modes

Web access

In Web access mode, remote users use browsers to access Web resources allowed by an SSL VPN gateway through HTTPS. After login, a user can access any resources listed on the webpage. In Web access mode, all operations are performed on webpages.

The resources available for SSL VPN Web access users are Web servers only.

TCP access

In TCP access mode, users access TCP applications on internal servers by accessing the applications' open ports. Supported applications include remote access services (such as Telnet), desktop sharing services, mail services, Notes services, and other TCP services that use fixed ports.

In TCP access mode, a user installs the TCP access client software on the SSL VPN client (the terminal device that the user uses). The client software uses an SSL connection to transmit the application layer data.

IP access

IP access implements secured IP communications between remote users and internal servers.

To access an internal server in IP access mode, a user must install dedicated IP access client software. The client software will install a virtual network interface card (VNIC) on the SSL VPN client.

BYOD access

BYOD access enables secured access to internal resources through mobile clients.

For mobile clients to access internal resources in BYOD access mode:

·     On the SSL VPN gateway, you must specify an Endpoint Mobile Office (EMO) server for mobile clients. Mobile clients access internal resources through the EMO server.

·     On the mobile client, the user must install SSL VPN client software dedicated for mobile clients.

Resource access control

SSL VPN controls user access to resources on a per-user basis.

As shown in Figure 1, an SSL VPN gateway can be associated with multiple SSL VPN contexts. An SSL VPN context contains multiple resource groups. A resource group defines accessible Web resources, TCP resources, and IP resources.

Figure 1 SSL VPN resource access control

 

An SSL VPN user can access an SSL VPN gateway by using the following methods:

·     Direct access—If the SSL VPN gateway is associated with only one SSL VPN context, the user can access the SSL VPN context directly by entering the IP address and port number of the SSL VPN gateway.

·     By domain list—The SSL VPN gateway can be associated with multiple SSL VPN contexts through different domain names. The user will be prompted to select a domain name from the domain list displayed on the SSL VPN gateway login page. The SSL VPN gateway determines the SSL VPN context to which the user belongs based on the selected domain name.

·     By virtual host name—The SSL VPN gateway can be associated with multiple SSL VPN contexts through different virtual host names. The SSL VPN gateway determines the SSL VPN context to which the user belongs based on the virtual host name entered on the SSL VPN gateway login page.

After determining the SSL VPN context for a user, the SSL VPN gateway uses the authentication and authorization methods of the ISP domain specified for the context to perform authentication and authorization for the user.

·     If the SSL VPN gateway authorizes the user to use a resource group, the user can access resources allowed by the resource group.

·     If the SSL VPN gateway does not authorize the user to use a resource group, the user can access resources allowed by the default resource group.

The SSL VPN gateway uses AAA to perform user authentication and authorization. SSL VPN supports AAA protocols RADIUS and LDAP. RADIUS is most often used.

Restrictions and guidelines

Disabling an SSL VPN AC interface might interrupt the ongoing IP access service. Please perform this operation with caution.

Restrictions and guidelines: SSL VPN gateway configuration

If the SSL server policy used by an SSL VPN gateway is changed, or the policy settings are changed, you must re-enable the gateway to make the configuration take effect.

Restrictions and guidelines: Web access configuration

If the SSL VPN gateway device has more than one security engine, you must create an SNAT address pool and specify it in the SSL VPN context for the Web access service.

The SNAT address pool must reside on the same network segment as the internal Web servers. The number of addresses in the address pool must be greater than or equal to the number of engines.

Restrictions and guidelines: TCP access configuration

·     When configuring the client address for a port forwarding item on the SSL VPN gateway, use an address in network segment 127.0.0.0/8, or use the host name or domain name.

·     For a user to access TCP resources through a host, modifications to the hosts file on the host might be required. Make sure the user has the administrator privileges on the host.

·     The host used for TCP access must have Java Runtime Environment (JRE) 7 or a later version installed.

·     If the SSL VPN gateway device has more than one security engine, you must create an SNAT address pool and specify it in the SSL VPN context for the TCP access service.

The SNAT address pool must reside on the same network segment as the internal servers hosting the accessible TCP resources. The number of addresses in the address pool must be greater than or equal to the number of engines.

Restrictions and guidelines: IP access configuration

When you configure the IP access address pool for IP access clients, follow these restrictions and guidelines:

·     The IP access address pool and the IP address of the NIC used on an IP access client host must belong to different network segments.

·     To avoid address conflicts, make sure the IP access pool does not contain the IP addresses of interfaces on the SSL VPN gateway device.

·     Make sure the IP access address pool and the IP addresses of internal servers hosting accessible IP resources belong to different network segments.

When you bind IP addresses to an SSL VPN user, follow these restrictions and guidelines:

·     If an IP access address pool is specified for the SSL VPN resource group authorized to the user, the IP addresses must exist in the address pool.

·     If no address pool is specified for the SSL VPN resource group, the IP addresses must exist in the address pool specified for the SSL VPN context of the user.

·     You can bind the same IP address to different SSL VPN users only when the SSL VPN contexts of the users are associated with different VPN instances.

Make sure NAT is configured for address translation on the interfaces that connect an SSL VPN gateway to internal IP resource servers. Otherwise, the response packets will use the IP addresses of VNICs as the destination addresses and cannot be sent to the correct engines.

Follow these guidelines when you configure NAT:

·     Make sure the addresses in the NAT address group reside on the same network segment as the addresses of the SSL VPN gateway interfaces connected to the internal servers.

·     Make sure the source addresses used for NAT are the addresses assigned to IP access clients.
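As an added example (not from the H3C guide or the device), the following Python checks a candidate IP access address pool and a set of user-to-IP bindings against the guidelines above. The topology values (client LAN 192.168.1.0/24, gateway interface addresses, server segments) and the pool ranges are constructed for the example; the pool is modelled as a start-end range because that is how the Web UI asks for it.

```python
import ipaddress


class Pool:
    """An IP access address pool entered as a start-end range (a model for this example,
    not the device's own data structure)."""

    def __init__(self, start, end):
        self.start = ipaddress.ip_address(start)
        self.end = ipaddress.ip_address(end)
        if self.end < self.start:
            raise ValueError("pool end precedes start")
        # the range as CIDR blocks, so overlap checks can use ip_network.overlaps()
        self.nets = list(ipaddress.summarize_address_range(self.start, self.end))

    def __contains__(self, ip):
        return self.start <= ip <= self.end

    def overlaps(self, net):
        return any(n.overlaps(net) for n in self.nets)

    def __str__(self):
        return f"{self.start}-{self.end}"


def check_pool(pool, client_nic_segments, gateway_addresses, server_segments):
    """Return the list of guideline violations for a pool (empty list = acceptable)."""
    problems = []
    for seg in client_nic_segments:
        if pool.overlaps(seg):
            problems.append(f"pool {pool} overlaps client NIC segment {seg}")
    for addr in gateway_addresses:
        if addr in pool:
            problems.append(f"pool {pool} contains gateway interface address {addr}")
    for seg in server_segments:
        if pool.overlaps(seg):
            problems.append(f"pool {pool} overlaps internal server segment {seg}")
    return problems


def check_bindings(bindings, group_pool, context_pool):
    """bindings maps username -> list of bound addresses. The effective pool is the
    resource group's pool when one is set, otherwise the SSL VPN context's pool."""
    effective = group_pool if group_pool is not None else context_pool
    problems = []
    owner = {}
    for user, addrs in bindings.items():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip not in effective:
                problems.append(f"{user}: {ip} is outside effective pool {effective}")
            if ip in owner and owner[ip] != user:
                problems.append(f"{ip} is bound to both {owner[ip]} and {user}; "
                                "allowed only if their contexts use different VPN instances")
            owner.setdefault(ip, user)
    return problems


# Constructed sample topology (assumed values, not from the guide)
CLIENT_NICS = [ipaddress.ip_network("192.168.1.0/24")]           # typical remote-user home LAN
GATEWAY_IFACES = [ipaddress.ip_address("10.1.1.1"), ipaddress.ip_address("203.0.113.10")]
SERVER_SEGMENTS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.0.0/16")]

GOOD_POOL = Pool("172.16.100.1", "172.16.100.200")
BAD_POOL = Pool("10.1.1.100", "10.1.1.200")       # lies inside an internal server segment

if __name__ == "__main__":
    for p in (GOOD_POOL, BAD_POOL):
        print(p, check_pool(p, CLIENT_NICS, GATEWAY_IFACES, SERVER_SEGMENTS) or "ok")
    print(check_bindings({"alice": ["172.16.100.10"], "bob": ["172.16.100.10"]}, None, GOOD_POOL))
```

Run the checks before committing a pool in the Web UI; the duplicate-binding case is worth catching early because, as described under "Configure the IP access service", assigning a bound address that another user already holds terminates that user's session.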

Restrictions and guidelines: Domain name configuration

Make sure you specify valid domain names for SSL VPN configuration items such as Web resource URLs or port forwarding entries.

SSL VPN does not check the existence or validity of the specified domain names.

Restrictions and guidelines: LDAP authentication configuration

If you configure LDAP authentication for SSL VPN users, you must also configure LDAP authorization. Configure LDAP authorization settings from the CLI on the device.

Troubleshooting SSL VPN

For information about troubleshooting SSL VPN issues, see "Troubleshooting SSL VPN".

Configure SSL VPN

Configure an SSL VPN context as shown in Figure 2.

Figure 2 SSL VPN configuration procedure

 

 

In addition to the preceding configuration procedure, you can also perform the following tasks in SSL VPN:

·     Create and edit SSL VPN gateways on the Network > SSL VPN > SSL VPN Gateways page.

·     Create and edit IP access address pools on the Network > SSL VPN > IP Access Address Pools page.

·     Create and edit SNAT address pools on the Network > SSL VPN > SNAT Address Pools page.

·     Create and edit SSL VPN AC interfaces on the Network > SSL VPN > SSL VPN AC Interfaces page.

·     Edit the title, login welcome message, hide-password-box setting, and logo for the SSL VPN Webpage on the Webpage settings tab of the Edit SSL VPN Context page.

·     Upload the custom IP access client file on the Network > SSL VPN > Global Settings page. Users can download the client and use it to log in to the SSL VPN gateway.

·     View the online user information and IP access statistics on the Network > SSL VPN > Statistics page.

Configure basic settings in an SSL VPN context

Configure the basic settings for an SSL VPN context, including the following:

·     Associated SSL VPN gateways.

·     VRF (VPN instance) to which the SSL VPN context belongs.

·     SNAT address pool.

·     ISP domain used for authentication.

·     Enabling status of the SSL VPN context.

Configure URI ACLs

You can create multiple URI ACLs in an SSL VPN context.

A URI ACL is a set of rules that permit or deny access to resources. You can add multiple rules to a URI ACL. The device matches a packet against the rules in ascending order of the rule ID. The match process stops once a matching rule is found.

A URI ACL can be used for the following purposes:

·     Filter accessible resources under the URL specified in a URL item.

·     Filter Web, TCP, and IP access requests in an SSL VPN resource group.
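The matching order described above, as an added example in Python (not the device's implementation): rules are tried in ascending rule ID regardless of the order in which they were added, and the first match decides. The wildcard syntax (* matching any run of characters), the default action when no rule matches, and the ACL name and rules are assumptions made for the example; confirm the device's own no-match behavior before relying on it. Request URIs are canonicalized (lowercase scheme and host, explicit port, dot-segments collapsed) before matching so that a deny on /admin/* is not bypassed with /docs/../admin/; whether the device normalizes the same way is not stated in this guide.

```python
import posixpath
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_uri(uri):
    """Canonical form used for matching: lowercase scheme and host, explicit port,
    dot-segments collapsed. Sample rules below are written against this form."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    netloc = host if port is None else f"{host}:{port}"
    path = posixpath.normpath(p.path or "/")
    if p.path.endswith("/") and path != "/":
        path += "/"                      # normpath drops a trailing slash; keep it
    query = f"?{p.query}" if p.query else ""
    return f"{scheme}://{netloc}{path}{query}"


def pattern_to_regex(pattern):
    """'*' matches any run of characters; everything else is literal (assumed rule syntax)."""
    return re.compile("^" + ".*".join(re.escape(piece) for piece in pattern.split("*")) + "$")


class UriAcl:
    def __init__(self, name, default_action="deny"):
        self.name = name
        self.default_action = default_action   # no-match behavior: assumption, confirm on the device
        self.rules = {}                        # rule_id -> (action, pattern, compiled regex)

    def add_rule(self, rule_id, action, pattern):
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.rules[rule_id] = (action, pattern, pattern_to_regex(pattern))

    def evaluate(self, uri):
        """Return (action, matching rule ID); the rule ID is None when the default applies."""
        target = normalize_uri(uri)
        for rule_id in sorted(self.rules):         # ascending rule ID, first match wins
            action, _, rx = self.rules[rule_id]
            if rx.match(target):
                return action, rule_id
        return self.default_action, None


def sample_acl():
    """Constructed example ACL (name and rules are assumptions, not from the guide)."""
    acl = UriAcl("intranet-web")
    acl.add_rule(10, "deny", "http://intranet.corp.example:80/admin/*")
    acl.add_rule(20, "permit", "http://intranet.corp.example:80/*")
    acl.add_rule(5, "permit", "https://wiki.corp.example:443/*")   # added last, evaluated first
    return acl


if __name__ == "__main__":
    acl = sample_acl()
    for u in ("http://intranet.corp.example/admin/users",
              "http://intranet.corp.example/index.html",
              "HTTPS://Wiki.corp.example/page?id=3",
              "http://intranet.corp.example/docs/../admin/users",
              "ftp://files.corp.example/x"):
        print(u, "->", acl.evaluate(u))
```

Because the deny rule carries ID 10 and the broad permit ID 20, the admin path is blocked even though both patterns match it; renumbering the permit below the deny would silently open it, which is the usual mistake when rules are edited in place.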

Configure access services

After you select an access service on the Create SSL VPN Context page, you can configure access resources for the access service.

Configure the Web access service

On the Web access service configuration page, perform the following tasks:

1.     Select the SSL client policy used by the SSL VPN gateway to access internal HTTPS servers.

By default, the SSL VPN gateway uses the default SSL client policy to access internal HTTPS servers. The default SSL client policy uses cipher suite rsa_rc4_128_md5. RC4 and MD5 are both obsolete (RFC 7465 prohibits RC4 in TLS), and current Web servers typically reject this suite, so create a custom SSL client policy with a modern cipher suite and select it here rather than relying on the default.

2.     Create a URL item for an internal Web resource:

a.     Create a URL item.

b.     Specify the URL of the Web resource for the URL item.

c.     Select an existing URI ACL to filter the Web resources under the specified URL.

d.     Select a mapping type for the resource URL. Options are Normal mapping (the default), Domain mapping, and Port mapping.

The SSL VPN gateway rewrites the resource URL before sending it to the client. The URL mapping type determines how the gateway rewrites the URL.

The following example describes how URL mapping works when a user accesses internal resource URL http://www.server.com:8080 behind SSL VPN gateway gw, which has domain name www.gateway.com, IP address 1.1.1.1, and port number 4430 (https://www.gateway.com:4430).

¡     Normal mapping—The resource URL returned to the client will be rewritten to https://www.gateway.com:4430/_proxy2/http/8080/www.server.com. Normal mapping may cause problems such as missed URL rewriting (for example, URLs assembled by client-side scripts are never seen by the gateway) and rewriting errors, which leave SSL VPN clients unable to access the internal resources. Use domain mapping or port mapping as a best practice.

¡     Domain mapping—The Domain name item is displayed after Domain mapping is selected. The resource URL returned to the client will be rewritten to https://mapped domain name:4430, where mapped domain name is the domain name you entered for the Domain name item. The mapped domain name must resolve to the SSL VPN gateway from the client side, and the gateway's server certificate should cover it; otherwise the browser cannot reach the gateway or warns about a name mismatch.

¡     Port mapping—The Gateway name and Virtual host items are displayed after Port mapping is selected. The virtual host name is optional.

-     If you enter gw2 for the Gateway name item and do not enter the virtual host name, the resource URL will be rewritten to https://2.2.2.2:4430, where 2.2.2.2 and 4430 are the IP address and port number of SSL VPN gateway gw2.

-     If you enter gw for the Gateway name item and vhosta for the Virtual host item, the resource URL will be rewritten to https://vhosta:4430.

3.     Create a URL list and assign URL items to the URL list.

The URL lists can be assigned to resource groups. After the AAA server authorizes a user to use a resource group, the user can access the Web resources provided by the URL list in the resource group.
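To make the three mapping types concrete, here is an added Python example (not H3C code) that produces the rewritten URLs for the gw example above and then applies normal mapping to a constructed HTML page. The _proxy2/scheme/port/host form is taken from the example above; carrying the resource path across the rewrite, and the mapped domain server.gateway.com, are assumptions. The sample page is constructed to show why normal mapping can miss URLs: the two static links are rewritten, but the URL assembled by script at run time is never seen by the gateway and would be fetched directly from the internal host.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(resource_url):
    p = urlsplit(resource_url)
    port = p.port if p.port is not None else DEFAULT_PORTS[p.scheme]
    tail = p.path + (f"?{p.query}" if p.query else "")
    return p.scheme, p.hostname, port, tail


def normal_mapping(resource_url, gateway_domain, gateway_port):
    """https://<gateway>:<port>/_proxy2/<scheme>/<server port>/<server host>[<path>].
    The form up to the host is from the guide; carrying the path across is an assumption."""
    scheme, host, port, tail = _split(resource_url)
    return f"https://{gateway_domain}:{gateway_port}/_proxy2/{scheme}/{port}/{host}{tail}"


def domain_mapping(resource_url, mapped_domain, gateway_port):
    """The server is exposed under a dedicated domain name that must resolve to the gateway."""
    _, _, _, tail = _split(resource_url)
    return f"https://{mapped_domain}:{gateway_port}{tail}"


def port_mapping(resource_url, gateway_ip, gateway_port, virtual_host=None):
    """The server is exposed on a gateway address and port, or on a virtual host name if given."""
    _, _, _, tail = _split(resource_url)
    return f"https://{virtual_host or gateway_ip}:{gateway_port}{tail}"


LINK_ATTR = re.compile(r'(href|src)="(https?://[^"]+)"')


def rewrite_html(html, rewrite):
    """Rewrite absolute URLs in href/src attributes: the part a content-rewriting proxy can see."""
    return LINK_ATTR.sub(lambda m: f'{m.group(1)}="{rewrite(m.group(2))}"', html)


# Constructed page body (not from the guide): two static links and one URL built by script
SAMPLE_HTML = (
    '<a href="http://www.server.com:8080/reports/q1.html">Q1</a>\n'
    '<img src="http://www.server.com:8080/img/logo.png">\n'
    '<script>var base = "http://www.server." + "com:8080"; location.href = base + "/api";</script>'
)


def rewrite_sample():
    return rewrite_html(SAMPLE_HTML, lambda u: normal_mapping(u, "www.gateway.com", 4430))


if __name__ == "__main__":
    print(normal_mapping("http://www.server.com:8080", "www.gateway.com", 4430))
    print(domain_mapping("http://www.server.com:8080", "server.gateway.com", 4430))
    print(port_mapping("http://www.server.com:8080", "2.2.2.2", 4430))
    print(port_mapping("http://www.server.com:8080", "1.1.1.1", 4430, virtual_host="vhosta"))
    print(rewrite_sample())
```

Domain and port mapping avoid the problem because the browser talks to a host name or address that belongs to the gateway for every request, including script-built ones, so nothing in the page body needs rewriting.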

Configure the TCP access service

On the TCP access service configuration page, perform the following tasks:

1.     Create a port forwarding item.

A port forwarding item maps a TCP service (such as Telnet, SSH, or POP3) provided on an internal server to a local address and port number on the SSL VPN client. Remote users access the TCP service through that local address and port number.

For example, you can configure a port forwarding item to allow a client to access HTTP service provided on port 80 of server 192.168.0.213 through IP address 127.0.0.1 and port 80.

Configure a port forwarding item as follows:

a.     Specify a name for the port forwarding item.

b.     Specify the client host address, client port number, server address, and server port number.

c.     Configure a description for the port forwarding item.

d.     Specify the resource link for the port forwarding item as needed.

If you configure a resource link for a port forwarding item, the port forwarding item name will be displayed as a link on the SSL VPN Web page. You can click the link to access the resource directly.

2.     Create a port forwarding list:

a.     Specify a name for the port forwarding list.

b.     Add the port forwarding items to the port forwarding list.

The port forwarding lists can be assigned to resource groups. After the AAA server authorizes a user to use a resource group, the user can access the TCP services provided by the port forwarding list in the resource group.

Configure the IP access service

On the IP access service configuration page, perform the following tasks:

1.     Specify an SSL VPN AC interface for IP access.

2.     Specify an IP access address pool.

After a user passes the authentication, the SSL VPN gateway allocates an IP address to the VNIC of the user from the specified address pool.

3.     Configure route lists.

A route list contains the routing entries to be issued to SSL VPN clients.

You can configure the following types of routing entries in a route list:

¡     Included route—Client packets matching an included routing entry will be forwarded to the SSL VPN gateway through the VNIC of the client host.

¡     Excluded route—Client packets matching an excluded routing entry will not be forwarded to the SSL VPN gateway.

The route lists can be assigned to resource groups. After the AAA server authorizes a user to use a resource group, the SSL VPN gateway will issue the routing entries in the route list of the resource group to the user. The user can then access the IP resources provided by the route list in the resource group.

4.     To enable automatic startup of the IP access client after Web login, select Start IP access client. After a user logs in to the SSL VPN gateway through a Web browser, the IP access client on the user host automatically connects to the gateway. If the IP access client software is not installed, the user is prompted to install it. For the IP access client to connect to the SSL VPN gateway correctly, make sure the IP access resources are configured on the SSL VPN gateway.

5.     To enable automatic pushing of accessible resources to IP access users, select Push Web resources. After a user logs in to the SSL VPN gateway through the IP access client, the SSL VPN gateway automatically pushes accessible SSL VPN resources to the user through the Web page. For successful push of SSL VPN resources through the Web page, make sure SSL VPN resources are configured on the SSL VPN gateway.

6.     Configure the rate limits for upstream traffic and downstream traffic. IP access packets will be dropped if the rate limit is exceeded.

7.     Create the user-to-IP address bindings.

Bind IP addresses to an SSL VPN user in one of the following methods:

¡     Bind a range of IP addresses to the user.

¡     Enable the SSL VPN gateway to automatically bind the specified number of free addresses in the IP access address pool to the user.

When the user accesses the SSL VPN gateway in IP access mode, the SSL VPN gateway assigns a bound IP address to the user. If an IP address in the specified IP address range has been assigned to another user, the SSL VPN gateway terminates the connection for that user and releases the IP address.

Configure the BYOD access service

On the BYOD access service configuration page, configure the following items:

·     Address and port number of the EMO server.

·     Address and port number of the message server.

Configure a shortcut list

To provide quick access to frequently accessed internal resources on the SSL VPN Web page, configure shortcuts for these resources and add the shortcuts to a shortcut list.

You can create multiple shortcut lists in an SSL VPN context.

When you configure a resource group, you can assign a shortcut list to the group. The shortcuts on the shortcut list will be displayed on the SSL VPN Web page for the user authorized to use the resource group. The user can click a shortcut to access the associated resource directly.

Configure a resource group

1.     Create a resource group.

2.     Configure accessible Web resources in the resource group:

a.     Select one or more URL lists.

b.     Specify an IPv4 ACL to filter IPv4 Web access requests.

c.     Specify an IPv6 ACL to filter IPv6 Web access requests.

d.     Specify a URI ACL to filter Web access requests.

3.     Configure accessible TCP resources in the resource group:

a.     Select a TCP port forwarding list.

b.     Specify an IPv4 ACL to filter IPv4 TCP access requests.

c.     Specify an IPv6 ACL to filter IPv6 TCP access requests.

d.     Specify a URI ACL to filter TCP access requests.

4.     Configure accessible IP resources in the resource group:

a.     Force all traffic to SSL VPN—Select this option to force all client packets for which no matching routes can be found in the local routing table to the SSL VPN gateway. The SSL VPN gateway will issue a default route to the SSL VPN client. The default route uses the VNIC as the output interface and has the highest priority among all default routes on the client. Packets for destinations not in the routing table are sent to the SSL VPN gateway through the VNIC. The SSL VPN gateway monitors the SSL VPN client in real time. It does not allow the client to delete the default route or add a default route with a higher priority.

b.     Issue routes to client—Select a route list to issue the routes in the list to the client, or select Host IPv4 address and configure a routing entry to issue to the client.

c.     Specify an IPv4 ACL to filter IPv4 access requests.

d.     Specify an IPv6 ACL to filter IPv6 access requests.

e.     Specify a URI ACL to filter IP access requests.

5.     Specify an IP access address pool for the resource group.

The SSL VPN gateway will assign IP addresses in the specified address pool to IP access users authorized to use the resource group.

If no addresses are available for assignment to a user, the IP access request of the user will be rejected.

If no IP access address pool is specified for a resource group, the SSL VPN gateway will assign IP addresses in the address pool specified for the SSL VPN context to IP access users.
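An added Python model (not H3C code) of the routing decision the remote host makes after the gateway issues a route list, covering both the included and excluded entries described under "Configure the IP access service" and the Force all traffic to SSL VPN option above. Longest-prefix match is ordinary host behavior; treating an excluded entry and the host's own connected LAN as direct, and modelling force-all as a default route through the VNIC, follows the text above, but the exact precedence on a real client is an assumption. The prefixes are constructed for the example.

```python
import ipaddress


class ClientRoutingView:
    """The remote host's view after the gateway issues route-list entries:
    included prefixes go through the VNIC, excluded prefixes and the host's own
    connected networks go direct, and a VNIC default route exists only under force-all."""

    def __init__(self, included, excluded, local_connected, force_all=False):
        self.entries = (
            [(ipaddress.ip_network(n), "vnic") for n in included]
            + [(ipaddress.ip_network(n), "direct") for n in excluded]
            + [(ipaddress.ip_network(n), "direct") for n in local_connected]
        )
        self.force_all = force_all

    def next_hop(self, dst):
        """Return ('vnic' or 'direct', matched prefix or None) using longest-prefix match."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, kind in self.entries:
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, kind)
        if best is not None:
            return best[1], str(best[0])
        # nothing specific matched: only "Force all traffic to SSL VPN" supplies a VNIC default route
        return ("vnic", "0.0.0.0/0") if self.force_all else ("direct", None)

    def leaks(self, destinations):
        """Destinations that bypass the gateway; handy when auditing a split-tunnel policy."""
        return [d for d in destinations if self.next_hop(d)[0] == "direct"]


# Constructed policy (assumed values, not from the guide)
INCLUDED = ["10.0.0.0/8"]          # corporate ranges reachable through the tunnel
EXCLUDED = ["10.200.0.0/16"]       # a corporate range the client must reach directly
LOCAL = ["192.168.1.0/24"]         # the remote host's own LAN

SPLIT = ClientRoutingView(INCLUDED, EXCLUDED, LOCAL, force_all=False)
FULL = ClientRoutingView(INCLUDED, EXCLUDED, LOCAL, force_all=True)

if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.200.5.5", "192.168.1.20", "8.8.8.8"):
        print(dst, "split:", SPLIT.next_hop(dst), "full:", FULL.next_hop(dst))
```

The leaks() helper makes the trade-off visible: with split tunnelling, anything outside the included prefixes (8.8.8.8 here) reaches the Internet directly from the remote host, while force-all pulls it through the gateway but still leaves the host's own LAN reachable directly.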

FAQ

After I change resource authorization settings in SSL VPN, the settings do not take effect immediately. Why?

The SSL VPN gateway does not support dynamic authorization. Table 1 describes how and when changed resource authorization settings in SSL VPN will take effect.

Table 1 How and when changed authorization settings take effect

·     Authorization to a remote server—The changes take effect only on new users. Users already logged in are not affected.

·     ACL or ACL rules in a resource group—For IP, TCP, and Web access users, the changes take effect immediately.

·     Accessible Web resources—The changes take effect after the user refreshes the SSL VPN Web page.

·     Accessible TCP resources—The changes take effect after the user restarts the TCP access client software.

·     Routing entries, DNS server address, and WINS server address configured for the IP access service—The changes take effect immediately.

 

Do SSL VPN users need to pass certificate authentication to log in to an SSL VPN gateway?

Whether users need to pass certificate authentication to log in to an SSL VPN gateway depends on the following settings:

·     Whether certificate authentication is enabled in the SSL VPN context associated with the SSL VPN gateway.

·     Type of certificate authentication method configured in the SSL server policy used by the SSL VPN gateway.

Table 2 describes the possible certificate authentication methods that users might encounter when connecting to the SSL VPN gateway.

Table 2 Certificate authentication methods

·     Certificate authentication disabled—The user will not be asked to select a certificate for authentication when connecting to the SSL VPN gateway through the Web browser.

·     Mandatory certificate authentication enabled—The user will be asked to select a certificate for authentication when connecting to the SSL VPN gateway through the Web browser. The connection request will be rejected if the user does not have a certificate.

·     Optional certificate authentication enabled—The user will be asked to select a certificate for authentication when accessing the SSL VPN gateway through the Web browser. A connection to the SSL VPN gateway will be established in either of the following situations:

¡     The user selects a certificate and passes the identity authentication.

¡     The user chooses not to select a certificate and proceeds with the connection request.

 

If you want users to pass certificate authentication to log in to an SSL VPN gateway, make sure the following requirements are met:

·     Certificate authentication is enabled in the SSL VPN context associated with the SSL VPN gateway.

·     Mandatory or optional SSL client authentication is enabled in the SSL server policy used by the SSL VPN gateway.

After receiving the client certificate, the SSL VPN gateway extracts the username from the CN field of the certificate and sends that username to the AAA server. The user passes authentication only if the extracted username exists on the AAA server. Because the CN alone identifies the user, limit the CA certificates trusted by the SSL server policy to the CA that issues your client certificates; otherwise a certificate from any other trusted CA with a matching CN would authenticate as that user.

Mandatory certificate authentication is supported only for Web users and IP access users. For TCP access users and mobile client users to access the SSL VPN gateway successfully, you need to enable the optional SSL client authentication.

 
