H3C SecPath Security Products FAQ(V7)-6W100


13-SSL VPN FAQ

SSL VPN FAQ

Q.     Do I need to install a certificate under a user context?

A.     Yes. A user context is equivalent to an independent virtual device that requires a certificate.

Q.     Why does the page not display a Web resource completely after I access the Web resource?

A.     The SSL VPN gateway rewrites a Web resource after receiving a resource access request. Only the following rewrites are supported:

·     Rewriting text/html content for .html, .htm, .jsp, and .php resources.

·     Rewriting text/css content for .css resources.

·     Rewriting text/javascript content for .js resources.

Resources that do not meet these requirements cannot be displayed.

Q.     What resources can be accessed after I log in to the SSL VPN gateway via a mobile browser?

A.     Only Web resources can be accessed when you log in to the gateway via a mobile browser.

Q.     What authentication methods are available for SSL VPN users?

A.     The following authentication methods are available for SSL VPN users: RADIUS authentication, LDAP authentication, certificate authentication, and local authentication.

Among these authentication methods, RADIUS authentication and LDAP authentication are performed through AAA authentication and authorization.

Q.     Can I access the gateway after the SSL policy is changed?

A.     To access the gateway after the SSL policy is changed, re-enable the gateway.

Q.     Why can't I access the changed resources?

A.     To access resources that have changed, you must log in to the gateway again. If you do not log out, the resources you can access are still those that the SSL VPN instance allocated to the user at login.

Q.     Why can't I access resources after I successfully log in to the SSL VPN gateway through IP access?

A.     Verify that the following requirements are met:

·     The corresponding resources are available on internal servers.

IP access implements secured IP communication between remote users and internal servers.

·     An SSL VPN AC interface is added to a security zone. An SSL VPN AC interface is a virtual interface and must be added to a security zone.

·     The address of the AC interface does not conflict with the addresses in the address pool. If the address of the VNIC conflicts with the address of the AC interface, packets cannot be forwarded correctly.

·     An ACL or URI ACL is configured to permit access requests to IP access resources in the resource group. By default, if no ACL or URI ACL is configured, all clients are prohibited from accessing IP access resources.

·     The server can reach the AC interface.
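The static items in this checklist can be verified before a login test. The following Python script is an added illustration, not part of the H3C documentation; its field names, the zone name and the sample addresses are assumptions, and the sample configurations are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IpAccessConfig:
    """Subset of an SSL VPN IP access setup needed for the checklist (field names are this example's own)."""
    ac_interface: str                 # AC interface address, e.g. "10.1.1.1/24"
    ac_zone: Optional[str]            # security zone the AC interface is added to; None if not added
    pool_start: str                   # first address of the IP access address pool
    pool_end: str                     # last address of the address pool
    acl_rules: List[str] = field(default_factory=list)      # ACL rules permitting the resource group
    uri_acl_rules: List[str] = field(default_factory=list)  # URI ACL rules permitting the resource group


def check_ip_access(cfg: IpAccessConfig) -> List[str]:
    """Return a list of findings; an empty list means all static checks pass."""
    findings: List[str] = []
    ac = ipaddress.ip_interface(cfg.ac_interface)
    # Check 1: the AC interface is virtual and must belong to a security zone.
    if not cfg.ac_zone:
        findings.append("AC interface is not added to any security zone")
    # Check 2: the AC interface address must not collide with the address pool,
    # otherwise a client VNIC may receive the AC interface's own address.
    start, end = ipaddress.ip_address(cfg.pool_start), ipaddress.ip_address(cfg.pool_end)
    if start > end:
        findings.append(f"address pool is inverted: {start} > {end}")
    elif start <= ac.ip <= end:
        findings.append(f"AC interface address {ac.ip} lies inside the pool {start}-{end}")
    # Check 3: with neither an ACL nor a URI ACL, every client is denied by default.
    if not cfg.acl_rules and not cfg.uri_acl_rules:
        findings.append("no ACL or URI ACL on the resource group: IP access is denied by default")
    # Reachability between the server and the AC interface cannot be checked
    # statically; test it from the server side against the AC interface address.
    return findings


# Constructed sample configurations (not taken from a real device).
SAMPLE_BAD = IpAccessConfig("10.1.1.1/24", None, "10.1.1.1", "10.1.1.100")
SAMPLE_GOOD = IpAccessConfig("10.1.1.1/24", "Untrust", "10.1.1.2", "10.1.1.100",
                             acl_rules=["rule 0 permit ip destination 192.168.10.0 0.0.0.255"])

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_ip_access(cfg) or ["OK"])
```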

Q.     How do I configure SSL VPN when the outbound interface to the server is configured with multiple VPN instances?

A.     When an outbound interface to the server is configured with multiple VPN instances, you need to specify the same VPN instances for the SSL VPN context and the AC interface.

Make sure the security policy permits the corresponding VPN instances.

Q.     How do I configure SSL VPN when the interface on the SSL VPN gateway connected to the client is configured with multiple VPN instances?

A.     When multiple VPN instances are configured on the interface connected to the client, you must configure the corresponding VPN instances on the SSL VPN gateway.

Make sure the security policy permits the corresponding VPN instances.

Q.     What can I do when the client cannot access the SSL VPN gateway?

A.     To resolve the issue:

·     Verify that the gateway device is installed with a certificate.

·     Verify that the IP address and port number of the SSL VPN gateway are different from the management IP address and port number of the gateway device.

·     Verify that the client can reach the gateway device.

·     Verify that the corresponding certificate is installed on the client if certificate authentication is enabled.

·     Verify that the SSL VPN gateway is enabled.

Q.     What can I do when I fail to access Web and TCP resources and the system displays the message "connect server failed"?

A.     To resolve the issue:

·     Verify that the server provides the resources to be accessed.

·     Verify that the server is reachable.

·     Identify whether the TCP resource is a service that uses two channels on different ports, such as FTP. At present, such a TCP resource cannot be accessed.

Q.     What can I do when I fail to log in to the SSL VPN gateway after the SSL server policy is changed?

A.     To log in to the SSL VPN gateway after the SSL server policy is changed, re-enable the SSL VPN gateway.

Q.     What are the requirements of different access modes for the SSL VPN client?

A.     In Web access mode, remote users use browsers to access Web resources.

In TCP access mode, you can install the TCP access client software only after logging in to the SSL VPN gateway through the browser on the SSL VPN client (the terminal device that the user uses). Make sure Java 1.7 or higher is installed on the SSL VPN client.

In IP access mode, you must install a client (such as an iNode client). The client can be installed in advance, or downloaded and installed after logging in to the SSL VPN gateway through a browser.

Q.     What are the restrictions on using certificate authentication for SSL VPN users?

A.     If SSL VPN certificate authentication is enabled, you must also execute the client-verify { enable | optional } command to enable mandatory or optional SSL client authentication in SSL server policy view.

TCP access and mobile clients support only optional certificate authentication. Only Web access and PC iNode clients support mandatory certificate authentication.

If the client-verify enable command is executed, the SSL client must provide its own digital certificate so that the SSL server can authenticate the client based on that certificate. The SSL client can access the SSL server only after it passes authentication.

When the client-verify optional command is executed, the following rules apply:

·     If the SSL client does not provide a digital certificate to the SSL server, the SSL client can access the SSL server.

·     If the SSL client provides a digital certificate to the SSL server, the SSL client can access the SSL server only after the SSL client passes authentication.

Q.     Can I log in to the SSL VPN gateway if I do not install the SSL VPN license?

A.     Yes. If the SSL VPN license is not installed, only a specific number of users can successfully log in to the SSL VPN gateway and access internal resources. The default number of supported SSL VPN users varies by device model. For more information, see the product manual.
