· The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

· The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

An SSL VPN username cannot carry ISP domain information. After this command is executed, an SSL VPN gateway uses the specified ISP domain for authentication, authorization, and accounting of SSL VPN users in the context.

Examples

# Specify ISP domain myserver for authentication, authorization, and accounting of SSL VPN users in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] aaa domain myserver

access-deny-client

Use access-deny-client to configure the client types that are denied access to the SSL VPN.

Use undo access-deny-client to restore SSL VPN access permissions of the denied client types.

Syntax

access-deny-client { browser | mobile-inode | pc-inode } *

undo access-deny-client { browser | mobile-inode | pc-inode } *

Default

No client types are denied access to the SSL VPN.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

browser: Specifies browsers.

mobile-inode: Specifies mobile iNode clients.

pc-inode: Specifies mobile iNode clients.

Usage guidelines

To deny users to use some types of client software to log in to the SSL VPN gateway, you can use this command to specify the denied SSL VPN client software types.

After browsers are denied, existing users and new users cannot use browsers to access the SSL VPN gateway. After browsers are restored permissions to SSL VPN access, users must refresh the login page to log in. The deny of other client types takes effect only on new users. Existing users are not affected.

In the same SSL VPN context, if you execute this command multiple times, all the specified client types take effect.

Examples

# In SSL VPN context ctx, specify the denied SSL VPN client type as browser.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] access-deny-client browser

authentication server-type

Use authentication server-type to specify the authentication server type.

Use undo authentication server-type to restore the default.

Syntax

authentication server-type { aaa | custom }

undo authentication server-type

Default

The SSL VPN authentication server is an AAA authentication server.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

aaa: Specifies the AAA authentication server.

custom: Specifies the custom authentication server.

Usage guidelines

If you use a custom authentication server, you must also configure custom authentication settings, such as the URL of the custom authentication server and custom authentication HTTP request and response settings.

If you use an AAA authentication server, you must configure the AAA server. For more information about AAA server configuration, see User Access and Authentication Configuration Guide.

Examples

# Specify the authentication server type as custom authentication server in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] authentication server-type custom

Related commands

custom-authentication request-header-field

custom-authentication request-method

custom-authentication request-template

custom-authentication response-custom-template

custom-authentication response-field

custom-authentication response-format

custom-authentication response-success-value

custom-authentication timeout

custom-authentication url

authentication use

Use authentication use to specify the authentication methods required for user login.

Use undo authentication use to restore the default.

Syntax

authentication use { all | any-one }

undo authentication use

Default

To log in to an SSL VPN context, a user must pass all the authentication methods enabled for the context.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

all: Uses all enabled authentication methods.

any-one: Uses any enabled authentication method.

Usage guidelines

You can enable username/password authentication, certificate authentication, or both for an SSL VPN context. The authentication methods required for logging in to the SSL VPN context depend on the configuration of this command:

· If the authentication use all command is configured, a user must pass all the enabled authentication methods for login.

· If the authentication use any-one command is configured, a user can log in after passing any enabled authentication method.

Examples

# Configure SSL VPN context ctx to allow users to log in after passing any enabled authentication method.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] authentication use any-one

Related commands

certificate-authentication enable

display sslvpn context

password-authentication enable

bandwidth

Use bandwidth to set the expected bandwidth for an interface.

Use undo bandwidth to restore the default.

Syntax

bandwidth bandwidth-value

undo bandwidth

Default

The expected bandwidth is 64 kbps for an interface.

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Parameters

bandwidth-value: Specifies the expected bandwidth in the range of 1 to 400000000 kbps.

Usage guidelines

The expected bandwidth for an interface affects CBQ bandwidth. For more information about CBQ bandwidth, see QoS configuration in QoS Configuration Guide.

Examples

# Set the expected bandwidth to 10000 kbps for SSL VPN AC 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] bandwidth 10000

certificate username-attribute

Use certificate username-attribute to specify the certificate attribute as the SSL VPN username.

Use undo certificate username-attribute to restore the default.

Syntax

certificate username-attribute { cn | email-prefix | oid extern-id }

undo certificate username-attribute

Default

The device uses the value of the CN attribute in the subject of the user certificate as the SSL VPN username.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

cn: Specifies the CN attribute value in the subject of the user certificate as the SSL VPN username.

email-prefix: Specifies the string before the at sign (@) of the email address in the subject of the user certificate as the SSL VPN username.

oid extern-id: Specifies a user certificate attribute by its OID. The value of the attribute will be used as the SSL VPN username. The extern-id argument represents the OID, which is an object identifier in dotted decimal notation.

Usage guidelines

The SSL VPN username specified by this command takes effect only after you execute the certificate-authentication enable command.

Examples

# Use the value of the attribute whose OID is 1.1.1.1 in the user certificate as the SSL VPN username.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] certificate username-attribute oid 1.1.1.1

Related commands

certificate-authentication enable

Use certificate-authentication enable to enable certificate authentication.

Use undo certificate-authentication enable to disable certificate authentication.

Syntax

certificate-authentication enable

undo certificate-authentication enable

Default

Certificate authentication is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

After you enable certificate authentication, you must also execute the client-verify command in SSL server policy view. The SSL VPN gateway uses the digital certificate sent by an SSL VPN client to authenticate the client's identity. If the client's username and the username in the digital certificate are not the same, the client cannot log in to the SSL VPN gateway.

Examples

# Enable certificate authentication.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] certificate-authentication enable

Related commands

client-verify enable

client-verify optional

content-type

Use content-type to configure a file policy to rewrite a file in an HTTP response to a specific type of file.

Use undo content-type to restore the default.

Syntax

content-type { css | html | javascript | other }

undo content-type

Default

A file policy rewrites a file carried in an HTTP response to a file of the type indicated by the content-type field in the HTTP response.

Views

File policy view

Predefined user roles

network-admin

Parameters

css: Changes the file type to CSS.

html: Changes the file type to HTML.

javascript: Changes the file type to JavaScript.

other: Does not change the file type.

Usage guidelines

A file policy rewrites a file carried in an HTTP response to a file of the type specified by this command. If the specified file type is different from that indicated by the content-type field in the HTTP response, users might not be able to read the file correctly.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure file policy fp to rewrite files to HTML files.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp] content-type html

country code

Use country-code to specify the mobile country code.

Use undo country-code to restore the default.

Syntax

country-code country-code

undo country-code

Default

The country code is 86.

Views

SMS gateway authentication view

Predefined user roles

network-admin

Parameters

country-code: Specifies the country code, a string of 1 to 7 digits.

Examples

# Set the country code to 86 in SMS gateway authentication view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] sms-auth sms-gw

[Sysname-sslvpn-context-ctx1-sms-auth-sms-gw] country-code 86

custom-authentication request-header-field

Use custom-authentication request-header-field to configure an HTTP request header field for custom authentication.

Use undo custom-authentication request-header-field to remove the configuration of an HTTP request header field for custom authentication.

Syntax

custom-authentication request-header-field field-name value value

undo custom-authentication request-header-field field-name

Default

A custom authentication request header includes the following fields:

· Content-type:application/x-www-form-urlencoded.

· User-Agent:nodejs 4.1.

· Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

field-name: Specifies a request header field name, a case-insensitive string of 1 to 63 characters. The name cannot include the following characters:

· ()<>@,;:\"/[]?={}

· Spaces.

· Horizontal tabs.

· ASCII characters with codes ≤ 31 or ≥ 127.

value value: Specifies the value of the request header field, a string of 1 to 255 characters, which cannot contain question mark (?) metacharacters.

Usage guidelines

Use this command to configure HTTP request header fields sent to the custom authentication server. Perform this configuration after the custom authentication server is specified by using the authentication server-type custom command. To have the configuration take effect, you must also configure other custom authentication request settings, such as the HTTP request method and the request template.

Execute this command multiple times to configure multiple HTTP request header fields. For the same field, the most recent configuration takes effect.

Examples

# Specify the host field as 192.168.56.2:8080 in the HTTP request header for custom authentication in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] custom-authentication request-header-field host value 192.168.56.2:8080

Related commands

authentication server-type

custom-authentication request-method

custom-authentication request-template

custom-authentication url

custom-authentication request-method

Use custom-authentication request-method to configure the HTTP request method for custom authentication.

Use undo custom-authentication request-method to restore the default.

Syntax

custom-authentication request-method { get | post }

undo custom-authentication request-method

Default

The HTTP request method is GET.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

get: Specifies the GET method.

post: Specifies the POST method.

Usage guidelines

Use this command to configure the HTTP request method for authentication requests sent to the custom authentication server. Perform this configuration after the custom authentication server is specified by using the authentication server-type custom command. To have the configuration take effect, you must also configure other custom authentication request settings, such as the HTTP request header fields and the request template.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the POST request method for custom authentication in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] custom-authentication request-method post

Related commands

authentication server-type

custom-authentication request-template

custom-authentication url

custom-authentication request-template

Use custom-authentication request-template to configure the request template for custom authentication.

Use undo custom-authentication request-template to restore the default.

Syntax

custom-authentication request-template template

undo custom-authentication request-template

Default

No request template is configured for custom authentication.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

template: Specifies the request template through which the SSL VPN gateway sends username and password information to the custom authentication server. The template is a case-insensitive string of 1 to 255 characters.

Usage guidelines

Use this command to configure the HTTP request template through which the SSL VPN gateway sends the username and password to the custom authentication server. Perform this configuration after the custom authentication server is specified by the authentication server-type custom command. To have the configuration take effect, you must also configure other custom authentication request settings, such as the HTTP request header fields and the request method.

If you execute this command multiple times, the most recent configuration takes effect.

This command supports the following request template formats:

· Form format for the POST and GET methods: username=$$USERNAME$$&password=$$PASSWORD_MD5$$&resid=1234.

· JSON type for the POST method: {“name”:”$$USERNAME$$”,“password”:”,$$PASSWORD$$”,“resid”:”1234”}.

· XML type for the GET method: <uname>$$USERNAME$$</uname><psw>$$PASSWORD$$</psw>.

The USERNAME, PASSWORD, and PASSWORD_MD5 between $$ pairs in the request templates are variables. The PASSWORD_MD5 represents a password encrypted by MD5. When a user logs in to the SSL VPN gateway, the gateway replaces these variables with the login username and password. Then, the SSL VPN gateway sends the authentication request to the custom authentication server.

Examples

# Configure the custom authentication HTTP request template as username=$$USERNAME$$&password=$$PASSWORD_MD5$$&resid=1952252223973828 in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] custom-authentication request-template username=$$USERNAME$$&password=$$PASSWORD_MD5$$&resid=1952252223973828

Related commands

authentication server-type

custom-authentication request-template

custom-authentication url

custom-authentication response-custom-template

Use custom-authentication response-custom-template to configure response templates for the fields in the HTTP response for custom authentication.

Use undo custom-authentication response-custom-template to restore the default.

Syntax

custom-authentication response-custom-template { group | message | result } template

undo custom-authentication response-custom-template { group | message | result }

Default

No response templates are configured for custom authentication.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

group: Specifies the group field in the authentication response.

message: Specifies the message field in the authentication response.

result: Specifies the result field in the authentication response.

template: Specifies the content of the response template for the specified field. The template is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Use this command to configure the response templates for the device to identify the fields in a custom-format authentication response. Perform this configuration after the custom authentication server is specified by using the authentication server-type custom command. This configuration is applicable when the HTTP response format is custom. When you configure response templates, the response template for the result field is required.

When you configure a response template for a field, follow these restrictions and guidelines:

· A response template for a field must contain $$value$$.

¡ The value keyword represents the field value in the response.

¡ The pairs of dollar signs ($$) are used to identify the start and end of the field in a response. The device considers the content before the first $$ the start identifier and that after the second $$ the end identifier for parsing the field of the response.

· Make sure the contents before and after $$value$$ in the response template are consistent with those before and after the field value in the response from the authentication server.

Here is an example. Assume that the result field information in the response from the authentication server is auth-result=true,. You must configure the response template for the result field as auth-result=$$value$$,. The contents before and after $$value$$ are auth-result= and a comma (,), which are the same as those before and after true, respectively. Then, the device can use the auth-result=$$value$$, template to correctly identify and parse the result field in the authentication response.

Examples

# Configure the response templates in SSL VPN context ctx1 as result=$$value$$,company=$$value$$,message=$$value$$.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] custom-authentication response-custom-template result result=$$value$$,

[Sysname-sslvpn-context-ctx1] custom-authentication response-custom-template group company=$$value$$,

[Sysname-sslvpn-context-ctx1] custom-authentication response-custom-template message message=$$value$$

Related commands

authentication server-type

custom-authentication response-format

custom-authentication response-success-value

custom-authentication response-field

Use custom-authentication response-field to configure a field name in the HTTP response for custom authentication.

Use undo custom-authentication response-field to restore the default.

Syntax

custom-authentication response-field { group group | message message | result result }

undo custom-authentication response-field { group | message | result }

Default

No HTTP response field names are configured.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

group group: Specifies the name of the policy group field in the HTTP response, a case-insensitive string of 1 to 31 characters. In the authentication response, the value following the group argument represents the policy groups authorized to the user.

message message: Specifies the name of the message field in the HTTP response, a case-insensitive string of 1 to 31 characters. In the authentication response, the value following the message argument represents the authentication prompt.

result result: Specifies the name of the result field in the HTTP response, a case-insensitive string of 1 to 31 characters. In the authentication response, the value following the message argument represents the authentication result.

Usage guidelines

Use this command to configure the names of the fields in the HTTP response. Perform this configuration after the custom authentication server is specified by using the authentication server-type custom command. This configuration is applicable when the HTTP response format is JSON or XML. When you configure HTTP response field names, the result field name is required.

The device uses the configured field names to parse the HTTP response returned from the custom authentication server, as follows:

· If you specify the policy field name, the SSL VPN gateway uses the specified name to identify the policy group field in the response. For example, if the policy group field name is specified as company, the device uses the value following company in the response as the server-authorized policy group.

The policy group finally assigned to the user is determined as follows:

¡ If the SSL VPN context has the server-authorized policy group configured, the gateway assigns the authorized policy group to the user.

¡ If the SSL VPN context has no policy groups, or the server does not authorize a policy group, the gateway assigned the default policy to the user.

· If you specify the message field name, the SSL VPN gateway uses the specified name to identify the authentication result message in the response. The message indicates the authentication result, such as authentication success or failure.

· If you specify the result field name, the SSL VPN gateway uses the specified name to identify the authentication result value in the response. The gateway then determines the authentication result based on the configured authentication success value (see the custom-authentication response-success-value command).

If you execute this command multiple times for a field, the most recent configuration takes effect.

Examples

# Specify the group field name as company and the message field name as resultDescription in the custom authentication response for SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] custom-authentication response-field group company

[Sysname-sslvpn-context-ctx1] custom-authentication response-field message resultDescription

Related commands

authentication server-type

custom-authentication response-format

Use custom-authentication response-format to specify the HTTP response format for custom authentication.

Use undo custom-authentication response-format to restore the default.

Syntax

custom-authentication response-format { custom | json | xml }

undo custom-authentication response-format

Default

The HTTP response format for custom authentication is JSON.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

custom: Specifies the XML format.

json: Specifies the JSON format.

xml: Specifies the custom response format.

Usage guidelines

Use this command to configure the HTTP response format for custom authentication after the custom authentication server is specified by using the authentication server-type custom command. After you specify the HTTP response format, you must also configure corresponding HTTP response settings (such as the HTTP response templates and field names) for the specified format.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the HTTP response format as JSON in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] custom-authentication response-format json

Related commands

authentication server-type

custom-authentication response-custom-template

custom-authentication response-success-value

Use custom-authentication response-success-value to configure the authentication success value in the HTTP response for custom authentication.

Use undo custom-authentication response-success-value to restore the default.

Syntax

custom-authentication response-success-value success-value

undo custom-authentication response-success-value

Default

No authentication success value is configured for custom authentication.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

success-value: Specifies the value that represents the authentication success result, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Use this command to configure the authentication success value in the HTTP response. Perform this configuration after the custom authentication server is specified by using the authentication server-type custom command. To have the configuration take effect, you must also configure other custom authentication settings, such as specifying the result field name in the HTTP response.

The SSL VPN gateway considers the user authentication successful only when the value of the result field in the custom authentication response is the value specified by this command.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the authentication success value as true in the custom authentication response for SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] custom-authentication response-success-value true

Related commands

authentication server-type

custom-authentication response-field

custom-authentication timeout

Use custom-authentication timeout to specify the custom authentication timeout.

Use undo custom-authentication timeout to restore the default.

Syntax

custom-authentication timeout seconds

undo custom-authentication timeout

Default

The custom authentication timeout is 15 seconds.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

seconds: Specifies the custom authentication timeout, in the range of 5 to 50 seconds.

Usage guidelines

After sending an HTTP request to the custom authentication server, the SSL VPN gateway waits for responses from the server. If the gateway receives no response within the authentication timeout, it returns an authentication failure message to the SSL VPN client.

Examples

# Specify the custom authentication timeout as 20 seconds in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] custom-authentication timeout 20

Related commands

authentication server-type

custom-authentication url

Use custom-authentication url to configure the URL of the custom authentication server.

Use undo custom-authentication url to restore the default.

Syntax

custom-authentication url url

undo custom-authentication url

Default

No URL is configured for the custom authentication server.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

url: Specifies the URL of the authentication server in an HTTP request sent by the SSL VPN gateway to the custom authentication server. The URL is a case-insensitive string of 1 to 255 characters, and it cannot contain question mark (?) metacharacters.

Usage guidelines

Use this command to configure the URL of the custom authentication server after the custom authentication server is specified by the authentication server-type custom command. To have the configuration take effect, you must also configure other custom authentication settings, such as the HTTP request header fields, request method, and request template.

A URL consists of the protocol type, host name or address, port number, and resource path. The complete URL format is protocol type://host name or address:port number/resource path. The protocol type currently supports only HTTP and HTTPS. If not specified, the protocol type is HTTP by default.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the URL of the custom authentication server in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] custom-authentication url http://192.168.56.2:8080/register/user/checkUserAndPwd

Related commands

authentication server-type

custom-authentication request-method

custom-authentication request-template

default

Use default to restore the default settings for an SSL VPN AC interface.

Syntax

default

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

The default command might interrupt ongoing network services. Make sure you are fully aware of the impact of this command when you use it on a live network.

This command might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands. Use their undo forms or follow the command reference to restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.

Examples

# Restore the default settings of sslvpn-ac 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] default

This command will restore the default settings. Continue? [Y/N]:y

default-policy-group

Use default-policy-group to specify a policy group as the default policy group.

Use undo default-policy-group to restore the default.

Syntax

default-policy-group group-name

undo default-policy-group

Default

No policy group is specified as the default policy group.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

group-name: Specifies a policy group by its name, a case-insensitive string of 1 to 31 characters. The specified policy group must have been created.

Usage guidelines

You can configure multiple policy groups for an SSL VPN context. When a remote user accesses the SSL VPN context, the AAA server issues the authorized policy group to the associated SSL VPN gateway. The user can access only the resources allowed by the authorized policy group. If the AAA server does not issue an authorized policy group to the user, the user can access only the resources allowed by the default policy group.

Examples

# Specify policy group pg1 as the default policy group.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] quit

[Sysname-sslvpn-context-ctx1] default-policy-group pg1

Related commands

display sslvpn context

policy-group

description (SSL VPN AC interface view)

Use description to configure the description of an interface.

Use undo description to restore the default.

Syntax

description text

undo description

Default

The description of an interface is interface name Interface, for example, SSLVPN-AC1000 Interface.

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 255 characters.

Usage guidelines

Configure descriptions for interfaces for identification and management purposes.

You can use the display interface command to display the configured interface descriptions.

Examples

# Configure a description of SSL VPN A for SSL VPN AC 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] description SSL VPN A

display interface sslvpn-ac

Use display interface sslvpn-ac to display SSL VPN AC interface information.

Syntax

display interface [ sslvpn-ac [ interface-number ] ] [ brief [ description | down ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

sslvpn-ac [ interface-number ]: Specifies an SSL VPN AC interface by its number in the range of 0 to 4095. If you do not specify the sslvpn-ac keyword, this command displays information about all interfaces except virtual access (VA) interfaces. If you specify the sslvpn-ac keyword without the interface-number argument, this command displays information about all SSL VPN AC interfaces. For more information about VA interfaces, see PPP configuration in Network Connectivity Configuration Guide.

brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.

description: Displays complete interface descriptions. If you do not specify this keyword, the command displays only the first 27 characters of interface descriptions.

down: Displays information about interfaces in the physical state of DOWN and the causes. If you do not specify this keyword, the command displays information about interfaces in all states.

Examples

# Display detailed information about SSL VPN AC 1000.

<Sysname> display interface sslvpn-ac 1000

SSLVPN-AC1000

Current state: UP

Line protocol state: DOWN

Description: SSLVPN-AC1000 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1500

Internet protocol processing: Disabled

Link layer protocol is SSLVPN

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

Table 1 Command output

Field	Description
SSLVPN-AC1000	Information about interface SSL VPN AC 1000.
Current state	Physical link state of the interface: · Administratively DOWN—The interface has been shut down by using the shutdown command. · DOWN—The interface is administratively up, but its physical state is down (possibly because no physical link exists or the link has failed). · UP—The interface is both administratively and physically up.
Line protocol state	Data link layer state of the interface. The state is determined through automatic parameter negotiation at the data link layer. · UP—The data link layer protocol is up. · UP (spoofing)—The data link layer protocol is up, but the link is an on-demand link or does not exist. This attribute is typical of null interfaces and loopback interfaces. · DOWN—The data link layer protocol is down.
Description	Description of the interface.
Bandwidth	Expected bandwidth of the interface.
Maximum transmission unit	MTU of the interface.
Internet protocol processing: Disabled	The interface is not assigned an IP address and cannot process IP packets.
Internet address: ip-address/mask-length (Type)	IP address of the interface and type of the address in parentheses. Possible IP address types include: Primary—Manually configured primary IP address.
Last clearing of counters	Most recent time the counters were cleared by using the reset counters interface command. If the reset counters interface command has never been executed since the device starts up, this field displays Never.
Last 300 seconds input rate	Average input rate in the last 300 seconds.
Last 300 seconds output rate	Average output rate in the last 300 seconds.

# Display brief information about all SSL VPN AC interfaces.

<Sysname> display interface sslvpn-ac brief

Brief information of interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface Link Protocol Primary IP Description

SSLVPN-AC1000 UP DOWN --

# Display brief information about SSL VPN AC 1000, including the complete interface description.

<Sysname> display interface sslvpn-ac 1000 brief description

Brief information of interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Protocol: (s) - spoofing

Interface Link Protocol Primary IP Description

SSLVPN-AC1000 UP UP 1.1.1.1 SSLVPN-AC1000 Interface

# Display information about interfaces in DOWN state and the causes.

<Sysname> display interface sslvpn-ac brief down

Brief information of interfaces in route mode:

Link: ADM - administratively down; Stby - standby

Interface Link Cause

SSLVPN-AC1000 ADM

SSLVPN-AC1001 ADM

Table 2 Command output

Field	Description
Brief information of interfaces in route mode:	Brief information about Layer 3 interfaces.
Interface	Abbreviated interface name.
Link	Physical link state of the interface: · UP—The interface is physically up. · DOWN—The interface is physically down. · ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. · Stby—The interface is a backup interface in standby state.
Protocol	Data link layer protocol state of the interface: · UP—The data link layer protocol of the interface is up. · UP(s)—The data link layer protocol of the interface is up, but the link is an on-demand link or does not exist. The (s) attribute represents the spoofing flag. This value is typical of null interfaces and loopback interfaces. · DOWN—The data link layer protocol of the interface is down.
Primary IP	Primary IP address of the interface.
Description	Description of the interface.
Cause	Cause for the physical link state of an interface to be DOWN: · Administratively—The interface has been manually shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. · Not connected—No physical connection exists (possibly because the network cable is disconnected or faulty).

Related commands

reset counters interface

display sslvpn context

Use display sslvpn context to display SSL VPN context information.

Syntax

display sslvpn context [ brief | name context-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief SSL VPN context information. If you do not specify this keyword, the command displays detailed SSL VPN context information.

name context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays information about all SSL VPN contexts.

Examples

# Display detailed information about all SSL VPN contexts.

<Sysname> display sslvpn context

Context name: ctx1

Operation state: Up

AAA domain: domain1

Certificate authentication: Enabled

Certificate username-attribute: CN

Password authentication: Enabled

Authentication use: All

Authentication server-type: aaa

SMS auth type: iMC

Code verification: Disabled

Default policy group: Not configured

Associated SSL VPN gateway: gw1

Domain name: 1

Associated SSL VPN gateway: gw2

Virtual host: abc.com

Associated SSL VPN gateway: gw3

SSL client policy configured: ssl1

SSL client policy in use: ssl

Maximum users allowed: 200

VPN instance:vpn1

Idle timeout: 30 min

Idle-cut traffic threshold: 100 Kilobytes

Password changing: Disabled

Context name: ctx2

Operation state: Down

Down reason: Administratively down

AAA domain not specified

Certificate authentication: Enabled

Certificate username-attribute: OID(2.5.4.10)

Password authentication: Disabled

Authentication use: Any-one

Authentication server-type: custom

SMS auth type: sms-gw

Code verification: Disabled

Default group policy: gp

Associated SSL VPN gateway: -

SSL client policy configured: ssl1

SSL client policy in use: ssl

Maximum users allowed: 200

VPN instance not configured

Idle timeout: 50 min

Idle-cut traffic threshold: 100 Kilobytes

Address pool: Conflicted with an IP address on the device

Password changing: Disabled

Denied client types: Browsers

Table 3 Command output

Field	Description
Context name	Name of the SSL VPN context.
Operation state	Operation state of the SSL VPN context: · Up—The context is running. · Down—The context is not running.
Down reason	Causes for the Down operations status: · Administratively down—The context is disabled. To enable the context, use the service enable command. · No gateway associated—The context is not associated with an SSL VPN gateway. · Applying SSL client-policy failed—Failed to apply the SSL client policy to the SSL VPN context.
AAA domain	ISP domain for the SSL VPN context.
Certificate authentication	Whether certificate authentication is enabled for the SSL VPN context.
Certificate username-attribute	Certificate attribute whose value is used as the SSL VPN username: · CN—CN attribute in the subject of the user certificate. · Email-prefix—String before the at sign (@) of the email address in the subject of the user certificate. · OID(x.x.x.x)—Object identifier of a user certificate attribute in dotted decimal notation. This field is available only when certificate authentication is enabled.
Password authentication	Whether username/password authentication is enabled for the SSL VPN context.
Authentication use	Authentication methods required for user login: · All—A user must pass all the enabled authentication methods to log in to the SSL VPN context. · Any-one—A user can log in to the SSL VPN context after passing any enabled authentication method.
Authentication server-type	Authentication server types: · aaa—AAA server. · custom—Custom authentication server.
SMS auth type	SMS authentication types: · iMC—SMS authentication by an IMC server. · sms-gw—SMS authentication by an SMS gateway.
Code verification	Whether code verification is enabled for the SSL VPN context.
Default policy group	Default policy group used by the SSL VPN context.
Associated SSL VPN gateway	SSL VPN gateway associated with the SSL VPN context.
Domain name	Domain name specified for the SSL VPN context.
Virtual host	Virtual host name specified for the SSL VPN context.
SSL client policy configured	SSL client policy configured for the SSL VPN context. A newly configured SSL client policy takes effect only after the SSL VPN context is restarted.
SSL client policy in use	SSL client policy being used by the SSL VPN context.
Maximum users allowed	Maximum number of sessions allowed in the SSL VPN context.
VPN instance	VPN instance associated with the SSL VPN context.
Idle timeout	Maximum idle time of an SSL VPN session, in minutes.
Idle-cut traffic threshold	SSL VPN idle session disconnection traffic threshold.
Address pool: Conflicted with an IP address on the device	An IP address conflict was detected in the SSL VPN context.
Password changing	Status of the SSL VPN login password modification feature: · Enabled. · Disabled.
Denied client types	Denied SSL VPN client types: · Browsers. · PC-iNode. · Mobile-iNode. · Not configured.

# Display brief information about all SSL VPN contexts.

<Sysname> display sslvpn context brief

Context name Admin Operation VPN instance Gateway Domain/VHost

ctx1 Up Up - gw1 -/1

gw2 abc.com/-

gw3 -/-

ctx2 Down Down - - -/-

Table 4 Command output

Field	Description
Context name	Name of the SSL VPN context.
Admin	Administrative status of the SSL VPN context: · Up—The context has been enabled by using the service enable command. · Down—The context is disabled.
Operation	Operation state of the SSL VPN context: · Up—The context is running. · Down—The context is not running.
VPN instance	VPN instance associated with the SSL VPN context.
Gateway	SSL VPN gateway associated with the SSL VPN context.
Domain/VHost	Domain name or virtual host name specified for the SSL VPN context.

‌

display sslvpn gateway

Use display sslvpn gateway to display SSL VPN gateway information.

Syntax

display sslvpn gateway [ brief | name gateway-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief SSL VPN gateway information. If you do not specify this keyword, the command displays detailed SSL VPN gateway information.

name gateway-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays information about all SSL VPN gateways.

Examples

# Display detailed information about all SSL VPN gateways.

<Sysname> display sslvpn gateway

Gateway name: gw1

Operation state: Up

IP: 192.168.10.75 Port: 443

HTTP redirect port: 80

SSL server policy configured: ssl1

SSL server policy in use: ssl

Front VPN instance: vpn1

Gateway name: gw2

Operation state: Down

Down reason: Administratively down

IP: 0.0.0.0 Port: 443

SSL server policy configured: ssl1

SSL server policy in use: ssl

Front VPN instance: Not configured

Table 5 Command output

Field	Description
Gateway name	Name of the SSL VPN gateway.
Operation state	Operation state of the SSL VPN gateway: · Up—The gateway is running. · Down—The gateway is not running.
Down reason	Causes for the Down operation status: · Administratively down—The SSL VPN gateway is disabled. To enable the gateway, use the service enable command. · VPN instance not exist—The VPN instance to which the SSL VPN gateway belongs does not exist. · Applying SSL server-policy failed—Failed to apply the SSL server policy to the SSL VPN gateway.
IP	IPv4 address of the SSL VPN gateway.
Port	Port number of the SSL VPN gateway.
HTTP redirect port	HTTP redirection port number of the SSL VPN gateway.
SSL server policy configured	SSL server policy configured for the SSL VPN gateway. A newly configured SSL server policy takes effect only after the SSL VPN gateway is restarted.
SSL server policy in use	SSL server policy being used by the SSL VPN gateway.
Front VPN instance	Front VPN instance to which the SSL VPN gateway belongs.

‌

# Display brief information about all SSL VPN gateways.

<Sysname> display sslvpn gateway brief

Gateway name Admin Operation

gw1 Up Up

gw2 Down Down (Administratively down)

gw3 Up Up

Table 6 Command output

Field	Description
Gateway name	Name of the SSL VPN gateway.
Admin	Administrative status of the SSL VPN gateway: · Up—The gateway has been enabled by using the service enable command. · Down—The gateway is disabled.
Operation	Operation state of the SSL VPN gateway: · Up—The gateway is running. · Down (Administratively down)—The gateway is disabled. To enable the gateway, use the service enable command. · Down (VPN instance not exist)—The gateway is down because the VPN instance to which the gateway belongs does not exist. · Down (Applying SSL server-policy failed)—The gateway is down because the SSL server policy failed to be applied to the gateway.

‌

display sslvpn ip-tunnel statistics

Use display sslvpn ip-tunnel statistics to display packet statistics for IP access users.

Syntax

display sslvpn ip-tunnel statistics [ context context-name ] [ user user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_).

user user-name: Specifies an IP access user by username, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command displays IP access packets statistics for all SSL VPN contexts.

If you only specify an SSL VPN context, this command displays IP access packet statistics for the specified context and for each SSL VPN user in the context.

If you only specify an SSL VPN user, this command displays IP access packet statistics for the specified user in all SSL VPN contexts.

If you specify both an SSL VPN context and user, this command displays IP access packet statistics for the specified user in the specified context.

Examples

# Display IP access packet statistics for all SSL VPN contexts.

<Sysname> display sslvpn ip-tunnel statistics

IP-tunnel statistics in SSL VPN context ctx1:

Client:

In bytes : 125574 Out bytes : 1717349

Server:

In bytes : 1717349 Out bytes : 116186

IP-tunnel statistics in SSL VPN context ctx2:

Client:

In bytes : 521 Out bytes : 1011

Server:

In bytes : 1011 Out bytes : 498

# Display IP access packet statistics for SSL VPN context ctx1 and for each user in the context.

<Sysname> display sslvpn ip-tunnel statistics context ctx1

IP-tunnel statistics in SSL VPN context ctx1:

Client:

In bytes : 125574 Out bytes : 1717349

Server:

In bytes : 1717349 Out bytes : 116186

SSL VPN session IP-tunnel statistics:

Context : ctx1

User : user1

Session ID : 1

User IPv4 address : 192.168.56.1

Received requests : 81

Sent requests : 0

Dropped requests : 81

Received replies : 0

Sent replies : 0

Dropped replies : 0

Received keepalives : 1

Sent keepalive replies : 1

Received configuration updates: 0

Sent configuration updates : 0

Context : ctx1

User : user2

Session ID : 2

User IPv6 address : 1234::5001

Received requests : 81

Sent requests : 0

Dropped requests : 81

Received replies : 0

Sent replies : 0

Dropped replies : 0

Received keepalives : 1

Sent keepalive replies : 1

Received configuration updates: 0

Sent configuration updates : 0

# Display IP access packet statistics for user user1 in all SSL VPN contexts.

<Sysname> display sslvpn ip-tunnel statistics user user1

SSL VPN session IP-tunnel statistics:

Context : ctx1

User : user1

Session ID : 1

User IPv4 address : 192.168.56.1

Received requests : 81

Sent requests : 0

Dropped requests : 81

Received replies : 0

Sent replies : 0

Dropped replies : 0

Received keepalives : 1

Sent keepalive replies : 1

Received configuration updates: 0

Sent configuration updates : 0

Context : ctx2

User : user1

Session ID : 2

User IPv6 address : 1234::5001

Received requests : 81

Sent requests : 0

Dropped requests : 81

Received replies : 0

Sent replies : 0

Dropped replies : 0

Received keepalives : 1

Sent keepalives replies : 1

Received configuration updates: 0

Sent configuration updates : 0

# Display IP access packet statistics for user user1 in SSL VPN context ctx1.

<Sysname> display sslvpn ip-tunnel statistics context ctx1 user user1

SSL VPN session IP-tunnel statistics:

Context : ctx1

User : user1

Session ID : 1

User IPv4 address : 192.168.56.1

Received requests : 81

Sent requests : 0

Dropped requests : 81

Received replies : 0

Sent replies : 0

Dropped replies : 0

Received keepalives : 1

Sent keepalive replies : 1

Received configuration updates: 0

Sent configuration updates : 0

Context : ctx1

User : user1

Session ID : 2

User IPv6 address : 1234::5001

Received requests : 81

Sent requests : 0

Dropped requests : 81

Received replies : 0

Sent replies : 0

Dropped replies : 0

Received keepalives : 1

Sent keepalives replies : 1

Received configuration updates: 0

Sent configuration updates : 0

Table 7 Command output

Field	Description
Context	SSL VPN context to which the SSL VPN user belongs.
User	Login username used by the SSL VPN user.
User IPv4 address	IPv4 address of the SSL VPN user.
User IPv6 address	IPv6 address of the SSL VPN user.
Received requests	Number of IP access requests received by the SSL VPN gateway from the user.
Sent requests	Number of IP access requests forwarded by the SSL VPN gateway to internal servers.
Dropped requests	Number of IP access requests dropped by the SSL VPN gateway.
Received replies	Number of IP access replies received by the SSL VPN gateway from internal servers.
Sent replies	Number of IP access replies forwarded by the SSL VPN gateway to the user.
Dropped replies	Number of IP access replies dropped by the SSL VPN gateway.
Received keepalives	Number of keepalive messages received by the SSL VPN gateway from the user.
Sent keepalives replies	Number of keepalive replies sent by the SSL VPN gateway to the user.
Received configuration updates	Number of configuration update messages received by the SSL VPN gateway from the user.
Sent configuration updates	Number of configuration update messages sent by the SSL VPN gateway to the user.
Client	Statistics of the traffic transmitted between the SSL VPN gateway and the IP access client: · In bytes—Number of bytes received by the SSL VPN gateway from the client. · Out bytes—Number of bytes sent by the SSL VPN gateway to the client.
Server	Statistics of the traffic transmitted between the SSL VPN gateway and the server: · In bytes—Number of bytes received by the SSL VPN gateway from the server. · Out bytes—Number of bytes sent by the SSL VPN gateway to the client.

‌

display sslvpn policy-group

Use display sslvpn policy-group to display SSL VPN policy group information.

Syntax

display sslvpn policy-group group-name [ context context-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-name: Specifies a policy group by its name, a case-insensitive string of 1 to 31 characters.

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays information about policy groups with the specified group name in all SSL VPN contexts.

Examples

# Display information about policy groups named pg1 in all SSL VPN contexts.

<Sysname> display sslvpn policy-group pg1

Group policy: pg1

Context: context1

Idle timeout: 35 min

Redirect resource type: url-item

Redirect resource name: url1

Context: context2

Idle timeout: 40 min

Redirect resource: Not configured

Table 8 Command output

Field	Description
Idle timeout	Maximum idle time of an SSL VPN session, in minutes.
Redirect resource	Redirect resource in the policy group assigned to the SSL VPN context.

‌

display sslvpn port-forward connection

Use display sslvpn port-forward connection to display TCP port forwarding connection information.

Syntax

display sslvpn port-forward connection [ context context-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays TCP port forwarding connection information for all SSL VPN contexts.

Examples

# Display TCP port forwarding connection information for all SSL VPN contexts.

<Sysname> display sslvpn port-forward connection

SSL VPN context : ctx1

Client address : 192.0.2.1

Client port : 1025

Server address : 192.168.0.39

Server port : 80

Status : Connected

SSL VPN context : ctx2

Client address : 3000::983F:7A36:BD06:342D

Client port : 56190

Server address : 300::1

Server port : 23

Status : Connecting

Table 9 Command output

Field	Description
Client address	IP address of the SSL VPN client.
Client port	Port number of the SSL VPN client.
Server address	IP address of the internal server.
Server port	Port number of the internal server.
Status	Connection status, Connected or Connecting.

‌

display sslvpn prevent-cracking frozen-ip

Use display sslvpn prevent-cracking frozen-ip to display information about IP addresses frozen for cracking prevention.

Syntax

display sslvpn prevent-cracking frozen-ip { statistics | table } [ context context-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

statistics: Displays frozen IP address statistics.

table: Displays information about frozen IP address entries.

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays frozen IP address information for all SSL VPN contexts.

Examples

# Display frozen IP address statistics in all SSL VPN contexts.

<Sysname> display sslvpn prevent-cracking frozen-ip statistics

SSL VPN context: ctx1

Total number of frozen IP addresses: 1

Total number of username/password authentication failures: 1

Total number of code verification failures: 1

Total number of SMS authentication failures: 1

Total number of custom authentication failures: 1

SSL VPN context: ctx2

Total number of frozen IP addresses: 1

Total number of username/password authentication failures: 1

Total number of code verification failures: 1

Total number of SMS authentication failures: 1

Total number of custom authentication failures: 1

# Display frozen IP address entries in all SSL VPN contexts.

<Sysname> display sslvpn prevent-cracking frozen-ip table

SSL VPN context: ctx1

IP address Authentication method Frozen at Unfrozen at

8.1.1.80 code verification 2019-10-08 08:30:01 2019-10-08 08:35:04

3.3.3.30 Username/password authentication 2019-10-08 08:35:01 2019-10-08 08:39:04

SSL VPN context: ctx2

IP address Authentication method Frozen at Unfrozen at

121.5.5.32 Username/password authentication 2019-10-08 08:31:01 2019-10-08 08:45:04

123.3.3.3 code verification 2019-10-08 08:35:01 2019-10-08 08:55:04

Table 10 Command output

Field	Description
SSL VPN context	Name of the SSL VPN context.
IP address	Frozen IP address.
Authentication method	Authentication methods required for logging in to the SSL VPN context. Options include: · Username/password authentication. · Code verification. · SMS authentication. · Custom authentication. The use of authentication methods must meet the following requirements: · You can enable one or multiple authentication methods. · Username/password authentication must be enabled in an SSL VPN context. · Custom authentication and SMS authentication cannot both be enabled at the same time. All authentication methods can be used independently except for code verification.
Frozen at	Time when the IP address was frozen.
Unfrozen at	Time when the frozen IP address is to be unfrozen. N/A means that the IP address will never be unfrozen.

‌

display sslvpn session

Use display sslvpn session to display SSL VPN session information.

Syntax

display sslvpn session [ context context-name ] [ user user-name | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays SSL VPN session information for all SSL VPN contexts.

user user-name: Specifies an SSL VPN user by the username, a case-insensitive string of 1 to 63 characters. If you specify a user, this command displays detailed SSL VPN session information for the user. If you do not specify a user, this command displays brief SSL VPN session information for all users.

verbose: Displays detailed SSL VPN session information for all SSL VPN users. If you do not specify this keyword, the command displays brief SSL VPN session information for the specified or all SSL VPN users.

Examples

# Display brief SSL VPN session information for all users in all SSL VPN contexts.

<Sysname> display sslvpn session

Total users: 4

SSL VPN context: ctx1

Users: 2

Username Connections Idle time Created User IP

user1 5 0/00:00:23 0/04:47:16 192.0.2.1

user2 5 0/00:00:46 0/04:48:36 192.0.2.2

SSL VPN context: ctx2

Users: 2

Username Connections Idle time Created User IP

user3 5 0/00:00:30 0/04:50:06 192.168.2.1

user4 5 0/00:00:50 0/04:51:16 192.168.2.2

Table 11 Command output

Field	Description
Total users	Total number of users in all SSL VPN contexts.
SSL VPN context	Name of the SSL VPN context.
Users	Number of users in the SSL VPN context.
Username	Login name for the SSL VPN session.
Connections	Number of connections in the SSL VPN session.
Idle time	Duration that the SSL VPN session has been idle, in the format of days/hh:mm:ss.
Created	Time elapsed since the SSL VPN session was created, in the format of days/hh:mm:ss.
User IP	IP address used by the SSL VPN session.

# Display SSL VPN session information for SSL VPN user user1.

<Sysname> display sslvpn session user user1

User : user1

Authentication method : Username/password authentication

Context : context1

Policy group : pgroup

Idle timeout : 30 min

Created at : 13:49:27 UTC Wed 05/14/2014

Lastest : 17:50:58 UTC Wed 05/14/2014

Allocated IPv4 : 2.2.2.1

Allocated IPv6 : 2000::1

User IPv4 address : 192.0.2.1

Session ID : 1

Web browser/OS : Internet Explorer

Send rate : 0.00 B/s

Receive rate : 0.00 B/s

Sent bytes : 0.00 B

Received bytes : 0.00 B

User : user1

Authentication method : Username/password authentication

Context : context2

Policy group : Default

Idle timeout : 2100 sec

Created at : 14:15:12 UTC Wed 05/14/2014

Lastest : 18:56:58 UTC Wed 05/14/2014

User IPv6 address : 0:30::983F:7A36:BD06:342D

Session ID : 5

Web browser/OS : Internet Explorer

Send rate : 0.00 B/s

Receive rate : 0.00 B/s

Sent bytes : 0.00 B

Received bytes : 0.00 B

# Display detailed SSL VPN session information for all users in all SSL VPN contexts.

<Sysname> display sslvpn session verbose

User : user1

Authentication method : Username/password authentication

Context : context1

Policy group : pgroup

Idle timeout : 30 min

Created at : 13:49:27 UTC Wed 05/14/2014

Lastest : 17:50:58 UTC Wed 05/14/2014

User IPv4 address : 192.0.2.1

Session ID : 1

Web browser/OS : Internet Explorer

Send rate : 0.00 B/s

Receive rate : 0.00 B/s

Sent bytes : 0.00 B

Received bytes : 0.00 B

User : user1

Authentication method : Username/password authentication

Context : context2

Policy group : Default

Idle timeout : 2100 sec

Created at : 14:15:12 UTC Wed 05/14/2014

Lastest : 18:56:58 UTC Wed 05/14/2014

User IPv6 address : 0:30::983F:7A36:BD06:342D

Session ID : 5

Web browser/OS : Internet Explorer

Send rate : 0.00 B/s

Receive rate : 0.00 B/s

Sent bytes : 0.00 B

Received bytes : 0.00 B

Table 12 Command output

Field	Description
User	SSL VPN username.
Authentication method	Authentication methods required for logging in to the SSL VPN context. Options include: · Username/password authentication. · Certificate authentication. · Code verification. · SMS authentication. · Custom authentication. The use of authentication methods must meet the following requirements: · You can enable one or multiple authentication methods. · Username/password authentication, certificate authentication, or both must be enabled in an SSL VPN context. · Custom authentication and SMS authentication cannot both be enabled at the same time. · All authentication methods can be used independently except for code verification.
Context	Context to which the user belongs.
Policy group	Policy group used by the user.
Idle timeout	Idle timeout time of the SSL VPN session, in seconds.
Created at	Time at which the SSL VPN session was created.
Lastest	Most recent time when the SSL VPN user accessed resources through the SSL VPN session.
Allocated IPv4	IPv4 address allocated to the iNode client of the SSL VPN user. This field is displayed only for iNode users.
Allocated IPv6	IPv6 address allocated to the iNode client of the SSL VPN user. This field is displayed only for iNode users.
User IPv4 address	IPv4 address used by the SSL VPN session.
User IPv6 address	IPv6 address used by the SSL VPN session.
Web browser/OS	Web browser or operating system used by the SSL VPN user.
Send rate	Sending rate of the SSL VPN session in one of the following units: · B/s—Bytes per second. · KB/s—Kilobytes per second. · MB/s—Megabytes per second. · GB/s—Gigabytes per second. · TB/s—Terabytes per second. · PB/s—Petabytes per second.
Receive rate	Receiving rate of the SSL VPN session in one of the following units: · B/s—Bytes per second. · KB/s—Kilobytes per second. · MB/s—Megabytes per second. · GB/s—Gigabytes per second. · TB/s—Terabytes per second. · PB/s—Petabytes per second.
Sent bytes	Traffic sent by the SSL VPN session in one of the following units: · B—Bytes. · KB—Kilobytes. · MB—Megabytes. · GB—Gigabytes. · TB—Terabytes. · PB—Petabytes.
Received bytes	Traffic received by the SSL VPN session in one of the following units: · B—Bytes. · KB—Kilobytes. · MB—Megabytes. · GB—Gigabytes. · TB—Terabytes. · PB—Petabytes.

‌

display sslvpn webpage-customize template

Use display sslvpn webpage-customize template to display SSL VPN webpage template information.

Syntax

display sslvpn webpage-customize template

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about all webpage templates.

<Sysname> display sslvpn webpage-customize template

Template name Type Status

default Pre-defined Normal

system Predefined Normal

User1 User-defined File login.html missing

User2 User-defined File home.html missing

Table 13 Command output

Field	Description
Template name	Name of the SSL VPN webpage template.
Type	Type of the SSL VPN webpage template: · Pre-defined. · User-defined.
Status	State of the SSL VPN webpage template: · Normal—The template is complete and can be used. · File login.html missing—The login.html file is missing in the template. · File home.html missing—The home.html file is missing in the template.

‌

Related commands

sslvpn webpage-customize

webpage-customize

emo-server

Use emo-server to specify an Endpoint Mobile Office (EMO) server for mobile clients.

Use undo emo-server to restore the default.

Syntax

emo-server address { host-name | ipv4-address } port port-number

undo emo-server

Default

No EMO server is specified for mobile clients.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

address: Specifies the host name or IPv4 address of the EMO server.

host-name: Specifies the host name of the EMO server, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).

ipv4-address: Specifies the IPv4 address of the EMO server, in dotted decimal notation. The IP address cannot be a multicast, broadcast, or loopback address.

port port-number: Specifies the port number of the EMO server, in the range of 1025 to 65535.

Usage guidelines

An EMO server provides services for mobile clients. The SSL VPN gateway issues the EMO server information to the clients, and the clients can access available service resources through the EMO server.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the IP address of the EMO server as 10.10.1.1 and the port number as 9058 for context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] emo-server address 10.10.1.1 port 9058

file-policy

Use file-policy to create a file policy and enter its view, or enter the view of an existing file policy.

Use undo file-policy to delete a file policy.

Syntax

file-policy policy-name

undo file-policy policy-name

Default

No file policies exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a file policy name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The SSL VPN gateway uses a file policy to rewrite the content of Web page files before forwarding them to requesting Web access users.

You can configure multiple file policies in an SSL VPN context.

Examples

# Create a file policy named fp and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp]

Related commands

sslvpn context

filter ip-tunnel acl

Use filter ip-tunnel acl to specify an advanced ACL for IP access filtering.

Use undo filter ip-tunnel acl to remove the advanced ACL configuration for IP access filtering.

Syntax

filter ip-tunnel acl advanced-acl-number

undo filter ip-tunnel acl

Default

All IP accesses are permitted.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for IP access filtering.

The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request:

1. Matches the request against rules in the URI ACL:

¡ If the request matches a permit rule, the gateway forwards the request.

¡ If the request matches a deny rule, the gateway drops the request.

¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 2.

2. Matches the request against rules in the advanced ACL:

¡ If the request matches a permit rule, the gateway forwards the request.

¡ If the request matches a deny rule, the gateway drops the request.

¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

If no URI ACL or advanced ACL is specified for IP access filtering, the SSL VPN gateway permits all IP accesses by default.

You can specify an IPv4 ACL, IPv6 ACL, or both by using this command, but you cannot specify multiple IPv4 ACLs or IPv6 ACLs. If you specify IPv4 or IPv6 ACLs multiple times, the most recent IPv4 or IPv6 ACL configuration takes effect.

Examples

# Configure policy group pg1 to use IPv4 ACL 3000 for IP access filtering.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter ip-tunnel acl 3000

Related commands

filter ip-tunnel uri-acl

Use filter ip-tunnel uri-acl to specify a URI ACL for IP access filtering.

Use undo filter ip-tunnel uri-acl to remove the URI ACL configuration for IP access filtering.

Syntax

filter ip-tunnel uri-acl uri-acl-name

undo filter ip-tunnel uri-acl

Default

All IP accesses are permitted.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for IP access filtering.

The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request:

1. Matches the request against rules in the URI ACL:

¡ If the request matches a permit rule, the gateway forwards the request.

¡ If the request matches a deny rule, the gateway drops the request.

¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 2.

2. Matches the request against rules in the advanced ACL:

¡ If the request matches a permit rule, the gateway forwards the request.

¡ If the request matches a deny rule, the gateway drops the request.

¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

If no URI ACL or advanced ACL is specified for IP access filtering, the SSL VPN gateway permits all IP accesses by default.

If a rule in the URI ACL specified for IP access filtering contains HTTP or HTTPS settings, the rule does not take effect.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure policy group abcpg to use URI ACL abcuriacl for IP access filtering.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] policy-group abcpg

[Sysname-sslvpn-context-abc-policy-group-abcpg] filter ip-tunnel uri-acl abcuriacl

filter tcp-access acl

Use filter tcp-access acl to specify an advanced ACL for TCP access filtering.

Use undo filter tcp-access acl to remove the advanced ACL configuration for TCP access filtering.

Syntax

filter tcp-access acl advanced-acl-number

undo filter tcp-access acl

Default

A user can access only the TCP resources in the TCP port forwarding list authorized to the user.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for TCP access filtering.

For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request:

1. Matches the request against the authorized port forwarding list.

¡ If the request matches a port forwarding item in the list, the gateway forwards the request.

¡ If the request does not match any port forwarding items in the list, the gateway proceeds to step 2.

2. Matches the request against the rules in the URI ACL:

¡ If the request matches a permit rule, the gateway forwards the request.

¡ If the request matches a deny rule, the gateway drops the request.

¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.

3. Matches the request against the rules in the advanced ACL:

¡ If the request matches a permit rule, the gateway forwards the request.

¡ If the request matches a deny rule, the gateway drops the request.

¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

For PC users, the ACLs configured for TCP access filtering do not take effect. They can access only the TCP resources authorized to them through the TCP port forwarding list.

Examples

# Configure policy group pg1 to use IPv4 ACL 3000 for TCP access filtering.

<Sysname> system-view

[Sysname]sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group pg1] filter tcp-access acl 3000

Related commands

filter tcp-access uri-acl

Use filter tcp-access uri-acl to specify a URI ACL for TCP access filtering.

Use undo filter tcp-access uri-acl to remove the URI ACL configuration for TCP access filtering.

Syntax

filter tcp-access uri-acl uri-acl-name

undo filter tcp-access uri-acl

Default

A user can access only the TCP resources in the TCP port forwarding list authorized to the user.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for TCP access filtering.

For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request:

1. Matches the request against the authorized port forwarding list.

¡ If the request matches a port forwarding items in the list, the gateway forwards the request.