H3C SSL VPN Configuration Examples


Keywords: SSL, VPN, HTTPS, Web, TCP, IP

Abstract: This document describes the characteristics of H3C SSL VPN, details its basic configuration and configuration procedure, and presents typical configuration examples.

Acronyms:

Acronym  Full spelling
SSL      Secure Sockets Layer
VPN      Virtual Private Network
HTTPS    Hypertext Transfer Protocol Secure
TCP      Transmission Control Protocol
IP       Internet Protocol

Hangzhou H3C Technologies Co., Ltd.

Table of Contents

Introduction 4
  Feature Overview 4
  Benefits 4
Usage Guide 5
  Application Scenarios 5
  Role-Based Management Overview 5
Configuration Procedures 7
  Basic Command Line Configuration for SSL VPN 7
Configuration Guidelines 8
Supporting Devices and Versions 8
  Supporting Devices 8
SSL VPN Configuration Examples 8
  Network Requirements 8
  SSL VPN Network Diagrams 10
  Basic Command Line Configurations 10
    SecBlade SSL VPN Command Line Configurations 10
    SecPath SSL VPN Command Line Configurations 12
  Web Service Configuration Example 12
    Logging In as a Super Administrator (supported by only SecBlade SSL VPN) 12
    Logging In to a Common Domain 15
    Configuring Web Service Resources 16
    Creating a Resource Group and Adding Existing Resources to the Resource Group 17
    Creating a User and User Group, and Associating the Resource Group and User Group 18
    Verifying the Web Service Configuration 20
  TCP Service Configuration Example 21
    Logging In as a Super Administrator (supported by only SecBlade SSL VPN) 21
    Logging In to a Common Domain 21
    Configuring TCP Service Resources 21
    Creating a Resource Group and Adding Existing Resources to the Resource Group 26
    Creating a User and User Group, and Associating the Resource Group and User Group 27
    Verifying the TCP Service Configuration 27
    TCP Service Configuration Guidelines 31
  IP Service Configuration Example 31
    Logging In as a Super Administrator (supported by only SecBlade SSL VPN) 31
    Logging In to a Common Domain 31
    Configuring IP Service Resources 32
    Creating a Resource Group and Adding Existing Resources to the Resource Group 36
    Creating a User and User Group, and Associating the Resource Group and User Group 36
    Verifying the IP Service Configuration 37
    IP Service Troubleshooting 39
  Authentication Policy Configuration Example 39
    RADIUS Authentication (Shiva) 39
    LDAP Authentication 44
    AD Authentication 47
    Combination Authentication 49
    USB-Key Certificate Authentication 50
    Binding the Certificate Serial Number and Username 50
  Security Checking and Dynamic Authorization Configuration Example 52
    Security Checking 52
    Dynamic Authorization 54
  Other Features 55
    Importing User Accounts in Batches 55
    User Interface Customization 56
    External Network Access Control 58
    Guest Account 60
    Certificate Management 62
    Auto Login Using Certificate 64
    Auto Start of Resources (autostart) 65
    Auto Login to Services (autohome) 66
    Single Sign-On 68
    Log Management 71
    MPLS VPN (supported by only SecPath SSL VPN) 71
    SSL Offload (supported by only SecBlade SSL VPN) 74
    License (supported by only SecBlade SSL VPN) 75
References 76
  Protocols and Standards 76
  Related Documentation 76

Introduction

H3C SSL VPN devices include H3C SecPath SSL VPN cards and H3C SecBlade SSL VPN cards. The configurations described in this document are supported by both types of devices unless otherwise noted: parenthetic notes such as (supported by only SecPath SSL VPN) and (supported by only SecBlade SSL VPN), or different titles, mark a configuration that is supported by only one type of device.

Feature Overview

The SSL protocol is mainly used to ensure privacy and reliability between two communicating applications. The whole process is implemented through the cooperation of the SSL handshake protocol, record protocol, and alert protocol.

Compared with leased lines, VPN networking is cheap and flexible. Therefore, more and more enterprises use VPNs to interconnect their headquarters, mobile employees, branch offices, and partners over public networks such as the Internet.

SSL VPN is an emerging VPN technology. It establishes VPN networks with connections encrypted by SSL. SSL VPN secures applications and works above the transport layer. It provides a secured connection between applications and is mainly applied to remote Web access.

The SSL VPN system implements granular access control of network resources. It supports three resource access methods: Web access, TCP access, and IP access. The SSL VPN system uses role-based management of access rights, that is, it limits the resources that a login user can access based on the role of the user. It also uses security policies to check the security status of the accessing PCs, assigning access rights to users dynamically according to the security checking results.

The SSL VPN gateway supports Web-based management. Administrators can configure and manage the SSL VPN system through Web browsers.

H3C SSL VPN devices are new-generation, professional, enterprise-level SSL VPN devices, which provide secure and convenient remote access services for mobile users of enterprises. An H3C SSL VPN device can be used as the ingress gateway of an enterprise, or as the proxy gateway of the internal server group. SecPath SSL VPN is designed for small and medium-sized enterprises, and SecBlade SSL VPN for medium and large enterprises.

Benefits

Compared with conventional VPN, SSL VPN features high security and more granular security control. Requiring no user configuration and no client installation, it is simple to deploy and very easy to use.

Usage Guide

Application Scenarios

With the popularity of the Internet, home office and mobile office are on the rise, driving the conversion of applications from the C/S structure to the Web-based B/S structure. Employees, customers, and partners of an enterprise need to access the internal resources securely and conveniently from outside the enterprise. SSL VPN makes this possible.

Role-Based Management Overview

The H3C SSL VPN system limits the resources that a login user can access based on the role of the user. It defines three roles:

- Super administrator: Manager of the entire system. A super administrator can create domains, initialize the administrator passwords of domains, assign resource groups to domains, and specify whether a domain administrator can create new resources. (supported by only SecBlade SSL VPN)
- Domain administrator: Manager of an SSL VPN domain. A domain administrator can create and delete local users, user groups, resources, resource groups, and security policies for the domain, controlling the access rights of users in the domain.
- SSL VPN user: A user accessing network resources through the SSL VPN system. An SSL VPN user must pass authentication to log in to the SSL VPN system. After passing authentication, the user can access the SSL VPN gateway, and the SSL VPN system assigns the user access rights based on the security status of the user and the user group to which the user belongs.

Before configuration, you need to understand the relationship of the roles, as well as the relationship of local users, user groups, resources, and resource groups, as shown below:

Figure 1 Relation diagram (super administrator; domains and their domain administrators; resources, resource groups, user groups, and users within a domain)

By default, there is a root domain on the device. All users in the root domain are super administrators. A super administrator can create domains and resources, add resources to resource groups, assign resources to a domain, and specify whether a domain administrator can create new resources. (Supported by only SecBlade SSL VPN)

Domain administrators create and maintain resources, resource groups, local users, and user groups of their own domains.

A resource/user can belong to multiple resource groups/user groups, and a resource group/user group can hold multiple resources/users. By associating resource groups with user groups, you specify which user groups can access which resource groups. One resource group can be assigned to multiple user groups and one user group can contain multiple resource groups.
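The relations above (resources in resource groups, users in user groups, access granted only by associating the two) as a small executable model; this is an added illustration, not H3C code, and the class and method names are assumptions. It also models the super administrator's choice of whether a domain administrator may create resources, and the later note that members of the administrators group are domain administrators.

```python
"""Toy model of the H3C SSL VPN role relationships (added illustration).

Assumed structures, following the text: a resource may sit in several
resource groups, a user in several user groups, and a user reaches a
resource only through a user group that has been granted a resource
group containing it.
"""
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    # Set by the super administrator when the domain is created (SecBlade):
    # may the domain administrator create new resources?
    admin_may_add_resources: bool = True
    resources: set[str] = field(default_factory=set)
    resource_groups: dict[str, set[str]] = field(default_factory=dict)  # rgroup -> resources
    user_groups: dict[str, set[str]] = field(default_factory=dict)      # ugroup -> users
    grants: dict[str, set[str]] = field(default_factory=dict)           # ugroup -> rgroups

    def add_resource(self, name: str, by_super_admin: bool = False) -> None:
        """Create a resource. A domain administrator needs the permission
        granted at domain creation; a super administrator always may."""
        if not by_super_admin and not self.admin_may_add_resources:
            raise PermissionError(f"domain {self.name!r} may not add resources")
        self.resources.add(name)

    def add_to_resource_group(self, group: str, resource: str) -> None:
        """Put an existing resource into a resource group (many-to-many)."""
        if resource not in self.resources:
            raise KeyError(f"unknown resource {resource!r}")
        self.resource_groups.setdefault(group, set()).add(resource)

    def add_user_to_group(self, group: str, user: str) -> None:
        self.user_groups.setdefault(group, set()).add(user)

    def assign(self, user_group: str, resource_group: str) -> None:
        """Associate a resource group with a user group: the only way a
        user obtains access rights in this model."""
        if resource_group not in self.resource_groups:
            raise KeyError(f"unknown resource group {resource_group!r}")
        self.grants.setdefault(user_group, set()).add(resource_group)

    def groups_of(self, user: str) -> set[str]:
        return {g for g, members in self.user_groups.items() if user in members}

    def effective_resources(self, user: str) -> set[str]:
        """Union, over every user group the user is in, of every resource in
        every resource group granted to that user group."""
        granted: set[str] = set()
        for ugroup in self.groups_of(user):
            granted |= self.grants.get(ugroup, set())
        reachable: set[str] = set()
        for rgroup in granted:
            reachable |= self.resource_groups[rgroup]
        return reachable

    def is_domain_admin(self, user: str) -> bool:
        """Members of the 'administrators' group are domain administrators.
        Logging in as a common user, they still see only what the
        administrators group has been granted."""
        return user in self.user_groups.get("administrators", set())
```

The names "h3c", "tech", "Web", "svpn" and "usergroup" used when exercising it follow the examples later in this document.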

Root domain and super administrator are supported by only SecBlade SSL VPN. SecPath SSL VPN supports only one domain. SecBlade SSL VPN supports multiple domains; besides the default root domain, the maximum number of common domains that can be created depends on the device model.

At present, SecBlade SSL VPN devices come in three models, applicable to S7500E switches, S9500 switches, and SR6600 routers. The difference is that the SSL VPN card for S7500E switches uses four GE interfaces to communicate with the S7500E backplane, while the card for S9500/SR6600 uses one 10-GE interface to communicate with the S9500/SR6600 backplane. The software functions of the two card types have no differences. The following SecBlade SSL VPN related sections all take the SSL VPN card for S7500E as an example.

Configuration Procedures

Perform the following configurations to configure SSL VPN:

- Basic command line configuration
- Super administrator interface configuration (supported by only SecBlade SSL VPN)
- Domain administrator interface configuration
- Common user interface configuration

The last three are Web configurations, which are illustrated later directly by examples.

Basic Command Line Configuration for SSL VPN

You can perform basic SSL VPN configurations through the command line interface (CLI), including enabling the Web server and the SSL VPN service. By default, the system enables the Web server and the SSL VPN service, so no manual start through the command line is needed. Perform the following configurations on the device:

- Enable the Web server
- Enable the SSL VPN service

Configuration Guidelines

Figure 2 Configuration management

After performing configurations on the Web interface, you need to save the configuration file. Otherwise, the configurations will be lost after the device reboots. You can save the current configuration to the configuration file and to the backup file. To replace the configuration file with the backup file, click Restore. To make the new configuration file take effect, click Restart.

Supporting Devices and Versions

Supporting Devices

- SecBlade: SecBlade for S7500E, SecBlade for S9500, SecBlade for SR6600
- SecPath:
  - Devices with a built-in encryption card: SecPath V100-E
  - Devices that need an external encryption card: SecPath F100-A, SecPath F100-A-SI, SecPath F100-E, SecPath F100-M, SecPath F1000-A, SecPath V1000-A, SecPath F1000-S

SSL VPN Configuration Examples

Network Requirements

Two-arm mode: The SSL VPN gateway acts as an ingress gateway between the internal network and the external network, providing complete protection for the internal network. In this case, however, the gateway is on the critical path of communication; its performance and reliability greatly affect the data transfer between the internal and external networks.

Figure 3 Dual-arm networking of SSL VPN (mobile user and desktop PC user reach the SSL VPN gateway over the Internet/IP network; authentication servers, log server, and CA server sit on the LAN/intranet)

One-arm mode: The SSL VPN gateway acts as a proxy gateway for the communication between the remote host and the internal network. In this case, the SSL VPN gateway is not on the critical path of communication, and therefore does not introduce a single point of failure.

Figure 4 One-arm networking of SSL VPN (mobile user and desktop PC user, Internet/IP network, SSL VPN gateway, LAN/intranet with authentication servers, log server, and CA server)

SSL VPN Network Diagrams

Figure 5 Network diagram for SecBlade SSL VPN in one-arm mode

Figure 6 Network diagram for SecPath SSL VPN in two-arm mode

Basic Command Line Configurations

SecBlade SSL VPN Command Line Configurations

Basic configuration on an S7500E switch

[S7503E]vlan 100 //*Refer to Figure 5 for the port-related configuration.*//
[S7503E-vlan100]port GigabitEthernet 3/0/1
[S7503E-vlan100]port GigabitEthernet 4/0/1
[S7503E-vlan100]quit
[S7503E]interface vlan 100
[S7503E-Vlan-interface100]ip address
[S7503E-Vlan-interface100]quit
[S7503E]vlan 200
[S7503E-vlan200]port GigabitEthernet 4/0/13
[S7503E-vlan200]quit
[S7503E]interface vlan 200
[S7503E-Vlan-interface200]ip address
[S7503E-Vlan-interface200]quit
[S7503E]ip route-static //*Configure a static route to the virtual address segment, with the next hop being the SSL VPN card. This is for forwarding data coming from the internal network.*//
[S7503E]ip route-static //*Configure a route to the public network.*//
[S7503E]ip route-static
[S7503E]ip route-static
[S7503E]interface GigabitEthernet 3/0/1
[S7503E-GigabitEthernet3/0/1]speed 1000
[S7503E-GigabitEthernet3/0/1]duplex full //*Configure the interface communicating with the backplane to work in forced mode, and make sure the port is up.*//
[S7503E-GigabitEthernet3/0/1]quit

Basic configuration on the SSL VPN card

[H3C]interface GigabitEthernet 0/0/0
[H3C-GigabitEthernet0/0/0]ip address
[H3C-GigabitEthernet0/0/0]quit
[H3C]ip route-static
[H3C]ntp-service unicast-server //*Specify the NTP server. The SSL VPN card does not support a local clock and the device time defaults to a fixed year; without this configuration, the certificate will expire.*//

Routing configuration on the NAT-IN node

[H3C]ip route-static //*Configure a route to the virtual network segment.*//
[H3C]ip route-static

Service configuration on the SSL VPN card

By default, the system enables the Web server and the SSL VPN service. In this case, you do not need to execute the following commands.

[H3C] svpn service enable //*Enable the SSL VPN service*//
[H3C] Web server enable //*Enable the Web server*//

At present, SecBlade SSL VPN cards are applicable to S7500E/S9500 switches and SR6600 routers, which are normally in the internal network. Therefore one-arm mode is used. In a practical network, if there is no NAT-IN node, you need to perform route configurations on each internal network node, ensuring that the virtual network segment (/24 in the example) is reachable.

As the above configuration uses only one GE interface of the SecBlade SSL VPN for S7500E, and the SecBlade SSL VPN for S9500/SR6600 has only one 10-GE interface, the above configuration is also applicable to the SecBlade SSL VPN for S9500/SR6600.

SecPath SSL VPN Command Line Configurations

Basic configurations

[H3C] interface Ethernet0/0
[H3C-Ethernet0/0] ip address
[H3C-Ethernet0/0] quit
[H3C] interface Ethernet0/1
[H3C-Ethernet0/1] ip address
[H3C-Ethernet0/1] quit
[H3C] ip route-static preference 60

SSL VPN related configurations

By default, the system enables the Web server and the SSL VPN service. In this case, you do not need to execute the following commands.

[H3C] svpn service enable //*Enable the SSL VPN service*//
[H3C] Web server enable //*Enable the Web server*//

Web Service Configuration Example

Logging In as a Super Administrator (supported by only SecBlade SSL VPN)

1) In the address bar of a browser, enter the address of the SSL VPN gateway interface that connects to the external network to open the SSL VPN login page. The certificate authentication dialog box (Security Alert) appears. Click Yes.

Figure 7 Security Alert dialog box (click Yes)

Use the default super administrator account administrator to log in to the SSL VPN system with the local authentication method: type administrator as the username, type administrator as the password, select Super administrator as the identity, and then click Login, as shown in Figure 8.

Figure 8 SSL VPN login page

2) Create domain h3c, and specify the initial password of the domain administrator. Select Domain from the navigation tree to enter the domain policy configuration page. To create a domain, click Add. To modify an existing domain, select the domain and click Configure.

Figure 9 Create a domain

Create domain h3c. The domain administrator named administrator is generated by default. You need to specify the default administrator password. You can also specify the timeout period and the maximum number of online users for domain h3c, 30 minutes and 100 respectively in this example. You can assign the existing resource groups to domain h3c, and specify whether the administrator of domain h3c is allowed to add resources.

3) After you finish your configuration, you need to save the configuration file. Otherwise, your configuration will be lost after the device reboots.

Figure 10 Configuration management

Logging In to a Common Domain

All following configurations in this configuration example are performed in a common domain. After you log in as the administrator of the domain and finish the configurations, you need to save the configuration file. Otherwise, the configuration will be lost after the device reboots.

Logging in to the common domain of SecBlade SSL VPN

As for the super administrator login, use the default administrator account to log in to the SSL VPN domain h3c with the local authentication method. Type administrator as the username and the password specified when the domain was created, select Administrator as the identity, and then click Login.

Figure 11 Domain administrator login

In a domain, users that belong to the administrators group are administrators of the domain. A domain administrator is also a common user. If you are a domain administrator but log in as a common user, you enter the common user interface. In the common user interface, the resources that you can access are confined to the resources assigned to the administrators group.

Logging in to the common domain of SecPath SSL VPN

Enter the gateway address in the address bar to open the login page. Type the default administrator account, with both the username and password being administrator, and then click Login.

Figure 12 Domain administrator login page

Configuring Web Service Resources

A Web page is a service provided by a remote Web server. The Web proxy server function of SSL VPN provides a secure connection mode for users to access Web servers, and it can prevent unauthorized users from accessing the protected Web servers.

Select Resource > Web Site from the navigation tree to enter the Web proxy management page. Click Add to create a new Web proxy server resource.

Figure 13 Add a Web proxy server resource

You can specify an IP address or a domain name as the website name. If you specify a domain name, you need to configure the DNS server correctly in the CLI. Site matching supports fuzzy match. In this example, you can specify tech.* for fuzzy match, ensuring that all pages on the website are reachable. More specifically, to allow access to sports.sina.com.cn, news.sina.com.cn and other sina Web pages, for example, you can specify *.sina.com.cn in the Site Matching Pattern field. You can specify multiple match keywords, separating them by vertical bars (|).

After you add the Web proxy server resources, the Web proxy server list appears.

Figure 14 Web proxy server list

Creating a Resource Group and Adding Existing Resources to the Resource Group

Select Resources > Resource Group from the navigation tree to enter the resource group management page. Click Add to create a new resource group. Type the resource group name Web and add the existing resource tech to the resource group Web. Click Apply.

Figure 15 Add a resource group
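A matcher for the Site Matching Pattern syntax described above (tech.*, *.sina.com.cn, keywords separated by vertical bars), added here as an illustration and not H3C code. The exact fuzzy-match rules of the device are not given in the text, so the semantics are assumptions: '*' matches any run of characters, everything else is literal, matching is case-insensitive and must cover the whole host name; the function names are assumptions too. It also flags keywords that would let the proxy reach any host at all, which is the configuration mistake a reviewer of these resources most wants to catch.

```python
"""Site Matching Pattern matcher for the SSL VPN Web proxy (added illustration)."""
import re


def compile_site_pattern(pattern: str) -> "re.Pattern[str]":
    """Translate a pattern such as 'tech.*|*.sina.com.cn' into one anchored
    regular expression. Assumed syntax: '|' separates keywords, '*' is a
    wildcard, all other characters are literal."""
    alternatives = []
    for keyword in pattern.split("|"):
        keyword = keyword.strip()
        if not keyword:
            continue
        # Escape the literal parts, let each '*' match any run of characters.
        alternatives.append(".*".join(re.escape(part) for part in keyword.split("*")))
    if not alternatives:
        raise ValueError("pattern contains no keyword")
    return re.compile("^(?:" + "|".join(alternatives) + ")$", re.IGNORECASE)


def site_matches(pattern: str, host: str) -> bool:
    """True if `host` is covered by `pattern`. The match is whole-host, so a
    host that merely starts with the keyword, or one that appends extra
    labels after a matching suffix, is not accepted."""
    return compile_site_pattern(pattern).match(host) is not None


def hosts_allowed(pattern: str, hosts: list[str]) -> list[str]:
    """Which of the candidate hosts the proxy would serve for this pattern."""
    compiled = compile_site_pattern(pattern)
    return [h for h in hosts if compiled.match(h)]


def overbroad_keywords(pattern: str) -> list[str]:
    """Keywords whose literal part holds no letter or digit ('*', '*.*', ...):
    they let any host be proxied through the gateway, which defeats the
    purpose of restricting the Web proxy to the intended sites."""
    return [k.strip() for k in pattern.split("|")
            if k.strip() and not re.search(r"[A-Za-z0-9]", k.replace("*", ""))]
```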

Creating a User and User Group, and Associating the Resource Group and User Group

Select User > Local User from the navigation tree to enter the local user list page. Click Add to create a user.

Figure 16 Add a local user

After you create the user successfully, the local user list page appears again, as shown in the following figure:

Figure 17 User list

Select User > User Group from the navigation tree to enter the user group page. Click Add to create a new user group. Type the user group name usergroup. Add svpn to the user group. Assign resource group Web to user group usergroup. Click Apply.

Figure 18 Create a user group

After the above configuration, user svpn in group usergroup can access all resources in resource group Web.

Verifying the Web Service Configuration

1) Log in as a common user. Enter the gateway address in the address bar to open the user login page. Type username svpn and the corresponding password. Click Login.

Figure 19 Available Web resources

2) A remote user can access the Web proxy service successfully. For example, you can access the tech resource by clicking the website link tech; the URL is replaced by the proxy URL.

Figure 20 Access a web resource through Web proxy

TCP Service Configuration Example

Logging In as a Super Administrator (supported by only SecBlade SSL VPN)

Refer to Logging In as a Super Administrator (supported by only SecBlade SSL VPN).

Logging In to a Common Domain

Refer to Logging In to a Common Domain.

Configuring TCP Service Resources

Telnet service

Telnet traffic is transferred in plaintext over the Internet. SSL VPN uses SSL encryption to encrypt the Telnet service data, ensuring the security of the data transfer.

Select Resource > TCP Application from the navigation tree. The Telnet resource list page appears. Click Add to create a remote access service resource.

Figure 21 Add a Telnet service resource

The format of the command line configuration is telnet local host, where local host must be the same as the value in the Local Host text box. The local host specifies the local listening address. It can be a local loopback address within the allowed range, or a character string when the hosts file is configurable.

After you create a TCP resource successfully, the Telnet resource list appears again.

Figure 22 Telnet service resource list

Windows desktop sharing

Select Resource > TCP Application from the navigation tree. Click the Desktop Sharing tab to enter the desktop sharing resource list page. Click Add to create a desktop sharing resource.

Figure 23 Create a Windows desktop sharing resource

After you create the resource successfully, the desktop sharing resource list page appears again.

Figure 24 Windows desktop sharing resource list

Outlook mail service

Select Resource > TCP Application from the navigation tree. Click the Mail tab to enter the mail service resource list page. Click Add to create a new Outlook mail service resource.

Figure 25 Create an Outlook mail service resource

After you create the resource successfully, the Outlook mail service resource list page appears again.

Figure 26 Outlook mail service resource list

Notes mail service

Select Resource > TCP Application from the navigation tree. Click the Notes tab to enter the Notes mail service resource list page. Click Add to create a Notes mail service resource. You must specify the real IP address or domain name of the database for Local Address.

Figure 27 Add a Notes mail service resource

After you create the resource successfully, the Notes mail service resource list page appears again.

Figure 28 Notes mail service resource list

General application service

Select Resource > TCP Application from the navigation tree. Click the TCP Service tab to enter the general application service resource list page. Click Add to create a general application service resource.

Figure 29 Create a general application service

After the service is created successfully, the general service resource list appears again.

Figure 30 General application service resource list

Creating a Resource Group and Adding Existing Resources to the Resource Group

Refer to Creating a Resource Group and Adding Existing Resources to the Resource Group.

Figure 31 Create a TCP resource group

Creating a User and User Group, and Associating the Resource Group and User Group

Refer to Creating a User and User Group, and Associating the Resource Group and User Group.

Verifying the TCP Service Configuration

1) Log in as common user svpn. The TCP client is enabled by default. You can view the port listening information by clicking Information.

Figure 32 TCP access status

Figure 33 TCP port listening

2) You can view all the available TCP application resources.

Figure 34 Available TCP application resources

3) Click TCP application resource telnet110 to telnet to the remote device.

Figure 35 Telnet access

4) Click TCP application resource remote_desktop to log in to the remote host.

Figure 36 Windows desktop sharing

5) To use TCP application resource POP3 or SMTP, you need to configure the correct POP3 and SMTP server addresses (the local host names of the resources) in the Outlook client configuration interface. Then you can log in by entering the username and password correctly to process mail.

Figure 37 Outlook mail server configuration

6) You can access a general application resource by clicking its link.

Figure 38 HTTP access

TCP Service Configuration Guidelines

When configuring a TCP resource, you may specify no command line. If you specify a command, make sure that the command can be recognized by the operating system.

To access mail, a client needs to configure Outlook properly. Besides, as mail services use both the SMTP and POP3 ports, you need to create two corresponding resources.

IP Service Configuration Example

Logging In as a Super Administrator (supported by only SecBlade SSL VPN)

Refer to Logging In as a Super Administrator (supported by only SecBlade SSL VPN).

Logging In to a Common Domain

Refer to Logging In to a Common Domain.

Configuring IP Service Resources

SSL VPN network service access allows users to access all applications above the IP layer. Users do not need to know the application types and configurations. After they log in to the SSL VPN system, the ActiveX SSL VPN client is automatically downloaded and started, and then the users can access all services of the specified hosts securely. The communication security between a user and a server is guaranteed by SSL VPN.

Global configuration

Select Resources > IP Network from the navigation tree. Select the Global Configuration tab to enter the global configuration page.

SecBlade SSL VPN:

Figure 39 Global configuration for IP service resources

The start IP and end IP together specify the virtual address segment from which the device assigns an address to a user after the user logs in. The gateway IP address is the default gateway for the client to access the specified network resources. Configuration items in the Configure IP Address Pool area are required, while those in the Configure Basic Parameters area are optional.

- Heartbeat Interval: Interval at which the IP client sends heartbeat packets to the gateway.
- Client Reachable: Specifies whether different login users can communicate with each other through IP access.
- WINS Server/DNS Server: WINS server address and DNS server address to be assigned by the gateway to user network adapters.
- Access VPN only: Specifies whether a login user can access the Internet besides the VPN.
- IP Networks Display Mode: Selects whether the description information or the IP addresses of the IP resources are displayed to login users.

SecPath SSL VPN:

Figure 40 Global configuration for IP service resources

The start IP and end IP together specify the virtual address segment from which the device assigns an address to a user after the user logs in. The gateway IP address is the default gateway for the client to access the specified network resources.

Internal interfaces are interfaces on the gateway that connect to the internal networks. After you specify an internal interface and enable NAT, the system automatically configures NAT on the internal interface and no return routes need to be configured on other devices in the internal network. Configuration items in the Configure IP Address Pool area and the Configure Internal Interface area are required, while those in the Configure Basic Parameters area are optional.

- Heartbeat Interval: Interval at which the IP client sends heartbeat packets to the gateway.
- Client Reachable: Specifies whether different login users can communicate with each other through IP access.
- WINS Server/DNS Server: WINS server address and DNS server address to be assigned by the gateway to user network adapters.
- Access VPN only: Specifies whether a login user can access the Internet besides the VPN.
- IP Networks Display Mode: Selects whether the description information or the IP addresses of the IP resources are displayed to login users.

User-IP Binding

Select Resources > IP Network from the navigation tree. Select the IP Binding tab to enter the user-IP binding configuration page.

Figure 41 User-IP binding configuration (SecBlade)

Figure 42 User-IP binding configuration (SecPath)

After you bind a fixed IP address to a user, the system directly assigns the bound IP address to the user after the user logs in, instead of assigning an IP address from the address pool to the virtual network card of the user.

Host Configuration

Select Resources > IP Network from the navigation tree. Select the Host Configuration tab to enter the host configuration page. Click Add, type the resource name, configure the accessible network service and shortcut, and then click Apply to add a host resource.

Figure 43 Networks allowed to be accessed

Figure 44 Shortcut configuration

After configuring the Accessible Network Service and Shortcut in the editing area, you need to click Add. In IP networks, you can configure shortcut accesses for various services, such as ping, ftp, and file sharing.

Creating a Resource Group and Adding Existing Resources to the Resource Group

Figure 45 Add IP resources to a resource group

Creating a User and User Group, and Associating the Resource Group and User Group

Refer to Creating a User and User Group, and Associating the Resource Group and User Group.

Verifying the IP Service Configuration

1) Log in as common user svpn. The IP client is enabled by default. You can view the client data to check the IP service start information.

Figure 46 IP client status

2) You can view all the available IP network resources.

Figure 47 Available IP network resources

3) Click shortcut command ping h3c-security to ping the remote network.

Figure 48 Shortcut for ping access

4) Click shortcut command ftp h3c-security to access the FTP service on the remote network.

Figure 49 Shortcut for FTP access

5) Check whether the network adapter has obtained an IP address and whether a route to the resource has been added on the PC.

Figure 50 IP address assigned to the network adapter

Figure 51 Routing information on the PC

IP Service Troubleshooting

1) Using shortcut commands has the same effect as typing the commands in the Windows CLI.

2) Note that because the Windows system treats the character \ as an escape character, the characters \\ in a shortcut stand for a single \ in the CLI. For example, the file sharing shortcut explorer \\\\ equals explorer \\ in the CLI. explorer means that the system uses the default browser of the client to access the internal resource. For example, explorer ftp:// means opening the FTP service through the default browser.

3) After the client obtains an IP address for the virtual network adapter and a route to the resource, you also need to configure NAT on the internal interface, or configure a route on the remote resource server to be accessed with the virtual network segment /24 as its destination address.

Authentication Policy Configuration Example

RADIUS Authentication (Shiva)

Feature overview

Use the RADIUS system to perform authentication and accounting for remote users of SSL VPN.

Configuration procedure

1) Configuration prerequisites: This configuration example only introduces the SSL VPN configurations related to RADIUS authentication. Before performing these configurations, make sure that the basic configurations of SSL VPN, such as the CLI configuration, domain configuration, and resources, have been completed successfully.

2) Log in as the domain administrator. Select Domain > Authentication Policy from the navigation tree, and then select the RADIUS Authentication tab.

Figure 52 RADIUS authentication configuration page

Note that:

The primary and secondary server addresses, authentication ports, and shared key must be consistent with those configured on the authentication servers.
Select Enable Authentication, and select active for the authentication server status.
The certificate policy is optional. You can select Password or Password + Certificate. If you select the latter, the system authenticates both the user password and the certificate.
The accounting function is optional. The accounting server address is the same as the authentication server address, and the accounting key is the same as the authentication key. The accounting port configuration must be consistent with the port configured on the accounting server. Select active for the accounting server status.

Server configuration

In this configuration, Shiva Access Manager (trial version in this example) is used as the RADIUS server.

1) Install Shiva Access Manager.

2) In the installation directory c:\radtac\, find file AVDICT.DAT and add an SSL-VPN-GROUP attribute to the file, that is, ATTRIBUTE SSL-VPN-GROUP 140 string Huawei, or use file AVDICT[1].TXT to overwrite the existing file.

3) Configure Shiva Access Manager.

Open Shiva Access Manager and type username supermanager. No password is needed. Configure the NAS address as the SSL VPN gateway address, and configure the encryption key. Set the authentication port to 1645 and set the accounting port.

Add a user with the username usera and a password.

Configure RADIUS attributes for the user. Primary configurations:

Select user usera.
Insert a row in the Attribute configured for user column.
Select attribute SSL-VPN-GROUP from the attribute list.
Specify usergroup as the attribute value, which must be consistent with the user group configured on the SSL VPN gateway. To specify multiple user groups, separate them with semicolons.
Click Commit Change.

Verifying the RADIUS authentication configuration

After logging in, remote user usera can view and access various resources.
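The following is an added example, not H3C's or Shiva's code, showing what the RADIUS exchange above looks like on the wire: the server returns the user groups in the SSL-VPN-GROUP attribute (type 140, the number from the AVDICT.DAT entry), and the gateway can only accept the reply if its shared key matches the server's, because the Response Authenticator is computed over the packet and the key (RFC 2865). The key, packet identifier and group names are constructed sample values.

```python
"""Added example, not H3C's code: how a RADIUS Access-Accept carries the
SSL-VPN-GROUP attribute (type 140, the number used in the AVDICT.DAT
entry above) and why the shared key on the gateway must match the server.
Packet layout and the Response Authenticator follow RFC 2865; the secret,
identifier and group names below are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ATTR_SSL_VPN_GROUP = 140   # attribute number from the AVDICT.DAT entry


def encode_attr(attr_type, value):
    """One RADIUS attribute: 1-byte type, 1-byte total length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(ident, request_auth, secret, groups):
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = encode_attr(ATTR_SSL_VPN_GROUP, ";".join(groups).encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet, request_auth, secret):
    """Gateway side: check the Response Authenticator with the locally
    configured key, then return the user groups from SSL-VPN-GROUP
    (semicolon separated). Returns None when verification fails or the
    packet is malformed, so a reply from a server with a different key is
    never trusted."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    groups = []
    pos = 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            return None
        if a_type == ATTR_SSL_VPN_GROUP:
            value = attrs[pos + 2:pos + a_len].decode("utf-8", "replace")
            groups.extend(g.strip() for g in value.split(";") if g.strip())
        pos += a_len
    return groups


def demo():
    """Round trip with matching keys, then the same reply checked with a
    different key (what a shared-key mismatch looks like to the gateway)."""
    request_auth = os.urandom(16)          # from the gateway's Access-Request
    reply = build_access_accept(7, request_auth, b"sample-key", ["usergroup", "sales"])
    accepted = parse_access_accept(reply, request_auth, b"sample-key")
    rejected = parse_access_accept(reply, request_auth, b"other-key")
    return accepted, rejected


if __name__ == "__main__":
    print(demo())   # (['usergroup', 'sales'], None)
```

The second result in demo() is the practical meaning of the note that the shared key must be consistent on both sides: with a different key the reply verifies as garbage and no group is assigned, which on the gateway surfaces as an authentication failure rather than a clear key error.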

When the default authentication policy of the domain is RADIUS, users can use account usera to log in, without the need to provide the full username (SecBlade SSL VPN) or select RADIUS from the type drop-down list (SecPath SSL VPN). This is true for all authentication types described below.

LDAP Authentication

Feature overview

Use the LDAP system to authenticate remote users of SSL VPN.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree to enter the authentication policy management page.

2) Select the LDAP Authentication tab to enter the LDAP authentication policy configuration page.

3) Configure the LDAP server address, service port, user group LDAP attribute, version, and certificate policy. Select the check box behind Enable Authentication.

4) Use a template to query the user DN. Configure the user DN template as cn=%logon%,dc=vpn-domain,dc=com.

Figure 53 LDAP authentication configuration with the query mode as template

5) Check the user DN by querying. Specify the Administrator DN as cn=manager,dc=vpn-domain,dc=com and type the password.

Specify the query base DN as dc=vpn-domain,dc=com. Specify the query template as cn=%logon%.

Figure 54 LDAP authentication configuration with the query mode as query

Check user DN by querying and Query for user DN using template are mutually exclusive settings.

Server configuration

In this configuration example, the LDAP server used is OpenLDAP on a Linux server. When installing the Linux system, choose to install all components. After the installation, enable the OpenLDAP server directly. The OpenLDAP server runs as process slapd. Follow these steps to configure OpenLDAP:

1) File slapd.conf in directory /etc/openldap/ is the LDAP server startup configuration file. Open the file and locate the following contents:

The contents in the red box are the LDAP server root directory. You can change it to your own directory, such as dc=vpn-domain,dc=com. The contents in the blue box are the default administrator DN and password. You can modify them, for example, to cn=vpn-manager,dc=vpn-domain,dc=com. The comment mark # before rootpw selects whether the administrator password is saved in clear text or cipher text, and can also be changed.

2) Add users. Users in LDAP are saved in a directory tree. You can create different levels of directories to store users. There are several ways to add LDAP records. It is recommended to use a file, that is, create a *.ldif file whose contents are the records to be added. In this way, you can add users in a batch.

First, create the root directory, that is, dc=vpn-domain,dc=com. Create file root.ldif with its contents in the following format:

dn: dc=vpn-domain,dc=com
objectclass: dcObject
objectclass: organization
dc: vpn-domain
o: corporation
description: Corporation

Then, use the ldapadd -x -D cn=manager,dc=vpn-domain,dc=com -w secret -f root.ldif command. If the following output is displayed, the root directory is added successfully.

Proceed to add a user. Create file user.ldif with the following contents:

dn: cn=usera,dc=vpn-domain,dc=com
objectclass: person
cn: usera
sn: usera
description: usergroup

Then, use the ldapadd -x -D cn=manager,dc=vpn-domain,dc=com -w secret -f user.ldif command. If the following output is displayed, the user is added successfully.

Use the ldapsearch -x -b dc=vpn-domain,dc=com command to display related information on the LDAP server.
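The following is an added example, not H3C's or OpenLDAP's code, covering both the gateway settings in steps 4 and 5 and the user.ldif entry above. It shows what the two lookup modes do with the login name: template mode substitutes %logon% into a DN (cn=%logon%,dc=vpn-domain,dc=com), query mode substitutes it into a search filter (cn=%logon%) run under the base DN. In both cases the name must be escaped (RFC 4514 for DN values, RFC 4515 for filter values) so that a crafted login name cannot alter the structure of the DN or filter. The LDIF helper renders an entry in the shape of user.ldif, with description carrying the user group as in this example. The base DN and names are those of this example; other values are constructed.

```python
"""Added example, not H3C's code: what the two LDAP lookup modes on the
gateway do with the login name (template mode: DN substitution; query
mode: filter substitution) and how each substitution is escaped. The
LDIF helper renders an entry shaped like user.ldif above, with
description carrying the SSL VPN user group."""
import base64

_DN_ESCAPED = set(',+"\\<>;=')


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_ESCAPED or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_dn_from_template(template, logon):
    """Template mode: the gateway binds as this DN with the user's password."""
    return template.replace("%logon%", escape_dn_value(logon))


def user_filter_from_template(template, logon):
    """Query mode: the gateway searches the base DN with this filter using
    the administrator DN, then binds as the DN it finds."""
    return "(" + template.replace("%logon%", escape_filter_value(logon)) + ")"


def _ldif_line(attr, value):
    """LDIF needs base64 for values with a leading space, ':' or '<',
    or with characters outside printable ASCII."""
    safe = value.isascii() and value.isprintable() and value[:1] not in (" ", ":", "<")
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode()).decode())


def user_ldif(logon, group, base_dn="dc=vpn-domain,dc=com"):
    """Render one person entry in the shape of user.ldif above."""
    dn = "cn=%s,%s" % (escape_dn_value(logon), base_dn)
    lines = [_ldif_line("dn", dn), "objectclass: person", _ldif_line("cn", logon),
             _ldif_line("sn", logon), _ldif_line("description", group)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(user_dn_from_template("cn=%logon%,dc=vpn-domain,dc=com", "usera"))
    print(user_filter_from_template("cn=%logon%", "usera"))
    print(user_ldif("usera", "usergroup"), end="")
```

The two escaping functions differ on purpose: a comma or equals sign is significant in a DN but harmless in a filter, while parentheses and asterisks are significant in a filter but harmless in a DN. Whichever mode the gateway uses, the login name should never reach the LDAP server unescaped.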

In this example, the LDAP attribute description is used as the user group attribute. In actual applications, you can add a self-defined user group attribute depending on customer requirements.

Verifying the LDAP authentication configuration

After logging in with the full username, remote user usera can view and access various resources. If the default authentication type is LDAP, users can directly use usera to log in.

AD Authentication

Feature overview

Use the AD domain system to authenticate remote users of SSL VPN.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree to enter the authentication policy management page.

2) Select the AD Authentication tab to enter the AD authentication policy configuration page.

Configure the AD domain name and the AD server address list. You can specify multiple AD server addresses, separated by semicolons (;). This allows the system to switch to another AD server for user authentication when the current AD server is down.
Configure the administrator account and password. The administrator account can be any user in directory Users of the AD domain who has the right to access the directory.
Select the username format. You can just use the default username format.
Select Enable Authentication.

Configure the server failure restoration time. When the system detects that the AD server used for authentication is down, it automatically switches to another AD server. Before processing a new authentication request, the system checks whether the failure time of the failed AD server has exceeded the failure restoration time. If yes, the system considers that the AD server has resumed and switches back to it. If no, the system sends the authentication request to another AD server.

Figure 55 AD authentication policy configuration

Server configuration

At present, the directory service of Windows 2000 Server or a later version is used.

1) Log in to the AD domain management platform. Log in to the Windows system. Click Start and select Programs > Administrative Tools > Active Directory Users and Computers.

2) Add a user. Select any directory, which can be a built-in directory other than directory Builtin or a created directory, from the left navigation tree. Right-click the directory and select New > User.

3) Configure information for the user. Type usera for both the username and login name. Click Next, type the password, select Password never expires for the user, use the default settings for the other items, and then click OK.

4) Add a group. Select any directory, which can be a built-in directory other than directory Builtin or a created directory, from the left navigation tree. Right-click the directory and select New > Group.

5) Configure information for the group. Specify the group name as usergroup, which must also exist on the SSL VPN gateway. Use the default settings for the other items.

6) Add the user to the group. Select group usergroup. Right-click the group and select Properties. Click the Members tab and then the Add button. Enter usera in the Enter the object names to select field and click Check Names. The system checks and completes the username. Click OK.
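The following is an added example, not H3C's code, that models the AD server failover rule described above (the server address list separated by semicolons, and the server failure restoration time). Servers are tried in list order; a server that has been marked down is skipped until its failure time has exceeded the restoration time, after which it is considered resumed and used again. The server addresses and timings are constructed sample values.

```python
"""Added example, not H3C's code: the AD server-list failover and
failure-restoration rule described above. Server addresses and the
restoration time used here are constructed sample values."""
import time


class ADServerPool:
    def __init__(self, server_list, restoration_time):
        # server_list: the ';'-separated list as configured on the gateway
        self.servers = [s.strip() for s in server_list.split(";") if s.strip()]
        if not self.servers:
            raise ValueError("empty AD server list")
        self.restoration_time = restoration_time   # seconds
        self.failed_at = {}                        # server -> time marked down

    def mark_failed(self, server, now=None):
        self.failed_at[server] = time.time() if now is None else now

    def mark_ok(self, server):
        self.failed_at.pop(server, None)

    def _is_usable(self, server, now):
        """A failed server becomes usable again once its failure time has
        exceeded the restoration time (the 'resumed' case in the text)."""
        failed = self.failed_at.get(server)
        if failed is None:
            return True
        if now - failed > self.restoration_time:
            del self.failed_at[server]
            return True
        return False

    def choose(self, now=None):
        """Server for the next authentication request, in list order, or
        None when every server is still inside its failure window."""
        now = time.time() if now is None else now
        for server in self.servers:
            if self._is_usable(server, now):
                return server
        return None

    def authenticate(self, attempt, now=None):
        """attempt(server) returns True/False for an answer from the server,
        or None when the server is unreachable. Unreachable servers are
        marked failed and the next usable server is tried. Returns
        (server, result), or (None, None) if no server answered."""
        now = time.time() if now is None else now
        for server in self.servers:
            if not self._is_usable(server, now):
                continue
            result = attempt(server)
            if result is None:
                self.mark_failed(server, now)
                continue
            return server, result
        return None, None


if __name__ == "__main__":
    pool = ADServerPool("10.0.0.1;10.0.0.2", restoration_time=60)
    pool.mark_failed("10.0.0.1", now=100)
    print(pool.choose(now=130))   # 10.0.0.2 (first server still down)
    print(pool.choose(now=161))   # 10.0.0.1 (restoration time exceeded)
```

The (None, None) case from authenticate() is worth handling explicitly in an authentication path: it means "no AD server reachable", which should fail closed rather than fall back to accepting the login.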

Verifying the AD authentication configuration

After logging in, remote user usera can access various resources. If the default authentication type is AD, users can directly use usera to log in.

Combination Authentication

Feature overview

A combination authentication policy combines any two of the four authentication policies (local authentication, RADIUS authentication, LDAP authentication, and AD authentication). With a combination authentication policy, the system authenticates a user twice, once with each of the two specified authentication policies. Suppose the application is "username and password + authentication code". A user first enters the username and password for authentication. After the user passes this authentication, the system sends an authentication code in a short message to the user's cell phone and presents the login page again. The user then enters the authentication code for the second authentication.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree. Select the Combination Authentication tab to enter the combination authentication policy configuration page.

2) Select Enable Authentication to enable combination authentication, and configure the authentication policies to be used for the first and second authentications. In this example, configure them as local authentication and RADIUS authentication respectively.

3) Password Input Needed lets you select whether a password must be entered for the second authentication. If you select this option, the system pushes the login page to the user again after the user passes the first authentication, and the user needs to input the password for the second authentication. At present, this option does not take effect unless customized authentication pages are configured.

Figure 56 Combination authentication policy configuration

Verifying the combination authentication configuration

Log in as a common user, and the system authenticates you twice, first with local authentication and then with RADIUS authentication. The first authentication result determines the resources that you can access after login.

USB-Key Certificate Authentication

Feature overview

Remote users save the certificate in a USB-Key smart card, which is used to pass the certificate authentication at login.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree to enter the authentication policy management page.

2) Select the Local Authentication tab to enter the local authentication policy configuration page.

3) For Authentication Method, that is, the certificate policy, select Password + Certificate or Certificate.

4) Make sure that the smart card driver is installed on the client PC and a valid client certificate is imported into the smart card. A valid certificate is one that is valid and is issued by the CA server that issues the SSL VPN gateway certificate.

Verifying the USB-Key certificate authentication

On the remote client PC, insert the USB-Key smart card. The smart card driver installed on the PC imports the certificate saved in the key into the IE browser, and the certificate is then used for authentication during SSL connection establishment. Note that the value of the Issued To field in the client certificate must be the actual, valid login username.

Binding the Certificate Serial Number and Username

Feature overview

Binding a certificate serial number to a username ensures that certificates match usernames, providing a more secure access method.

Configuration procedure

1) Make sure that the certificate policy for local authentication is Password + Certificate. (Select Domain > Authentication Policy from the navigation tree. Select the Local Authentication tab to enter the local authentication policy configuration page. Select Password + Certificate for Authentication Method.)

2) Select User > Local User from the navigation tree to enter the local user list page. Click Add to enter the local user configuration page.

3) Create local user svpn, set the password, set the certificate serial number to e, select Permitted for Status, and add the user to a group. Log in as user svpn, using the certificate with serial number e for certificate authentication. You will see result 1).

Figure 57 Bind a local user with a certificate serial number

4) On the local user configuration page, change the certificate serial number to e. Log in as user svpn and still use the certificate with serial number e for certificate authentication. You will see result 2).

5) On the local user configuration page, change the certificate serial number back to e and change the status to Denied. Log in as user svpn with the certificate with serial number e. You will see result 3).

Results of the certificate serial number-to-username binding configurations

1) User svpn logs in successfully.

2) User svpn cannot log in. The system displays that the client certificate is not the one bound to the username.

3) User svpn cannot log in. The domain administrator can control user access in this way.

Configuration guidelines

The binding function takes effect only when Password + Certificate is configured in the authentication policy. Currently, this function applies to local authentication only. The resources that a user bound to a certificate serial number can access are still determined by the user group that the user belongs to. The bound serial number must be that of the certificate used when the user logs in.

Security Checking and Dynamic Authorization Configuration Example

Security Checking

Feature overview

The SSL VPN system performs a complete security check on user hosts.

Configuration procedure

1) Select Domain > Security Policy from the navigation tree to enter the security policy management page. Click Add.

2) Add a security policy named sec1, select level 1, and specify the check categories, such as operating system, browser, anti-virus software, firewall, and other security-related items. For example, specify the operating system as Windows XP Professional and the browser as IE 6.0 or later in this policy.

3) Add a proper description for this policy, for example, the base level.

Figure 58 Configure a browser rule

Add another policy:

1) Add a security policy named sec10, select level 10, and specify the operating system and browser, for example, as Windows XP Professional and IE 7.0 or later respectively in this policy.

2) Add a proper description for this policy, for example, the top level.

Figure 59 Configure an operating system rule

Security checking verification

The security policies are configured successfully.

Configuration guidelines

For security policy levels, the bigger the level number, the higher the priority.
A security policy includes several check categories, and the relationship between them is logical AND, that is, a host passes the security policy only after it passes all check categories.
Each check category includes several check rules, and the relationship between them is logical OR, that is, a host only needs to satisfy one check rule in the check category. For example, you can configure two check rules, Windows XP Professional and Windows Me, in check category Operating System. Then, a host passes the operating system check when its operating system is either Windows XP Professional or Windows Me.
If you define multiple security policies, the security check starts from the policy with the highest priority and stops as soon as a security policy is passed or all security policies have failed. The security policy that a user passes determines the resources assigned to the user.

Dynamic Authorization

Feature overview

SSL VPN assigns different resources to different users according to the security check results of the user hosts. This is referred to as dynamic authorization of resources.

Configuration procedure

1) After configuring the security policies, click Apply to return to the security policy list page.

2) Select a security policy and click Configure Resource to enter the page for assigning resources to the policy. The resources include Web resources, TCP resources, and IP resources.

3) Assign only Web resources to policy sec1, and all resources to policy sec10.

Figure 60 Assign Web resources to sec1

4) Select Domain > Basic Configuration from the navigation tree. The domain policy configuration page appears. Select Enable security policy and then click Apply.
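The following is an added example, not H3C's code, that implements the evaluation order stated in the configuration guidelines above and the resource assignment of the dynamic authorization procedure: policies are tried from the highest level down, categories within a policy are ANDed, rules within a category are ORed, and the first policy a host passes determines its resources. The policy table mirrors sec1 and sec10 from this example; the host descriptions are constructed.

```python
"""Added example, not H3C's code: security policy evaluation and dynamic
authorization as described above. POLICIES mirrors sec1 and sec10 from
this example; the host descriptions are constructed."""


def os_is(name):
    """Operating system rule: exact match on the reported OS name."""
    return lambda value: value == name


def ie_at_least(minimum):
    """Browser rule: Internet Explorer with version >= minimum.
    A host reports its browser as a (name, version) pair."""
    def rule(value):
        return value is not None and value[0] == "IE" and value[1] >= minimum
    return rule


def host_passes(policy, host):
    """AND over check categories, OR over the rules inside each category."""
    for category, rules in policy["checks"].items():
        if not any(rule(host.get(category)) for rule in rules):
            return False
    return True


def evaluate(policies, host):
    """Return (policy name, resources) for the first policy the host passes,
    highest level first, or (None, []) when no policy passes."""
    for policy in sorted(policies, key=lambda p: p["level"], reverse=True):
        if host_passes(policy, host):
            return policy["name"], list(policy["resources"])
    return None, []


# The two policies configured in this example and the resources assigned
# to them under Dynamic Authorization.
POLICIES = [
    {"name": "sec1", "level": 1,
     "checks": {"os": [os_is("Windows XP Professional")],
                "browser": [ie_at_least(6.0)]},
     "resources": ["web"]},
    {"name": "sec10", "level": 10,
     "checks": {"os": [os_is("Windows XP Professional")],
                "browser": [ie_at_least(7.0)]},
     "resources": ["web", "tcp", "ip"]},
]

if __name__ == "__main__":
    host = {"os": "Windows XP Professional", "browser": ("IE", 6.0)}
    print(evaluate(POLICIES, host))   # ('sec1', ['web'])
```

Because evaluation stops at the first policy passed, a host with IE 7.0 never reaches sec1 even though it would also satisfy it; this is why the guidelines recommend assigning more resources to higher-priority policies. A host that passes no policy gets no resources.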

Figure 61 Enable security checking

Dynamic authorization verification

A remote host whose operating system is Windows XP Professional and whose IE version is 6.0 or later satisfies security policy sec1, and the host can access only Web resources. A remote host whose operating system is Windows XP Professional and whose IE version is 7.0 or later satisfies security policy sec10, and the host can access all resources.

Configuration guidelines

As the security check starts from the security policy with the highest priority and stops immediately when a security policy is passed, it is recommended to assign more resources to security policies with higher priority.

Other Features

Importing User Accounts in Batches

Feature overview

The SSL VPN system allows you to import local user accounts in batches.

Configuration procedure

1) First, create a file named Batch Import.txt containing the user accounts to be imported. Then, select User > Batch Import from the navigation tree to enter the batch import page.

2) Click Browse to find file Batch Import.txt, and then click Import.

Batch import result

A message appears, telling you that the batch configuration of users completed successfully.

Select User > Local User from the navigation tree, and you can see that all users in the file have been imported into the SSL VPN system successfully.

Configuration guidelines

The content of the batch import file: user user user user

At present, only usernames and passwords can be imported. A username and its password are separated by a space or tab. Users imported in batches do not overwrite existing local users.

User Interface Customization

Feature overview

User interface customization includes partial customization and full customization.

Partial customization: Customize the login page logo and title, the welcome title, and the service page logo, title, and background picture.
Full customization: Customize the login page for common users.

Partial customization configuration procedure

1) Select Device > Device Management from the navigation tree. Select the UI Customizing tab and then click Partial customization to customize part of the UI pages.

2) Configure the login page title, login page welcome title, and service page title. Figure 62 illustrates these titles.

3) Customize the service page logo and login page logo. Click Browse to select a picture file, and then click Update to update the logo with the picture in the file. Figure 62 illustrates these pictures.

Figure 62 Custom titles and pictures

Partial customization configuration result

The system prompts that the configuration or update succeeds. Open the login page, and you can see that the login page title, welcome title, and logo are updated. Log in as user svpn, and you can see that the service page title and logo are updated.

Configuration guidelines

There are requirements on the width and height of a picture. Refer to the information on the configuration page for details.

Full customization configuration procedure

1) Define a custom page, which usually includes one or more htm, js, css, and picture files.

2) Telnet to the device and create directory www/login under directory flash:/domain1, that is, the storage directory of the custom page is flash:/domain1/www/login. Then, upload all files of the custom page to this directory through TFTP or FTP, as shown in Figure 63, where user.htm is the login page file. (SecBlade SSL VPN has two types of storage devices, the CF card and the Flash card. SecPath SSL VPN provides Flash only. Flash is used in this example.)

Figure 63 Upload the custom page

3) Log in to the SSL VPN system as an administrator. Select Device > Device Management from the navigation tree. Select the UI Customizing tab and then click Full customization to fully customize the common user login page. In this example, the page storage directory is flash:/domain1/www/login and the login page file is user.htm, as shown in Figure 64. (For SecBlade SSL VPN, which provides two storage devices, you need to input the directory without specifying the storage device, for example, /domain1/www/login.)

Figure 64 Full page customization for SecPath SSL VPN

4) Save the domain configuration file and then reboot the domain or the SVPN service.

Full customization configuration result

The login page customized for common users takes effect.

External Network Access Control

Feature overview

The domain administrator can specify whether a logged-in user can access the Internet in addition to the VPN.

Configuration procedure

1) Select Resource > IP Network from the navigation tree, and then select the Global Configuration tab.

2) Configure the IP address pool by setting the start IP, end IP, subnet mask, and gateway IP.

3) Select the Host Configuration tab to configure the IP host resource. Configure the accessible host as a /32 address.

4) Select the Global Configuration tab. In the Configure Basic Parameters area, select Access VPN Only. Log in as a common user. You will see result 1).

Figure 65 Specify that login users can access the VPN only (SecPath SSL VPN)

5) Select the Global Configuration tab. In the Configure Basic Parameters area, deselect Access VPN Only. Log in as a common user. You will see result 2).

Verification

1) After you log in, view the default gateway of the virtual network adapter and the default gateway of the PC. In this case, you can access only the SSL VPN. You cannot access the Internet.

Figure 66 Virtual network adapter configuration information

Figure 67 Routing information on the PC

2) After logging in, you can see that the default gateway of the virtual adapter is null. View the routes, and you can see that the default gateway of the PC is not changed. In this case, you can access both the VPN and the Internet. See Verifying the IP Service Configuration.

Guest Account

Feature overview

The SSL VPN system provides a default account, guest, which allows remote users to log in without a password. Multiple users can use the guest account to log in simultaneously. The administrator can define the maximum number of login users allowed.

Configuration procedure

1) Log in as the administrator, and select User > Local User from the navigation tree to enter the local user list page. Select account guest and click Configure to enter the local user configuration page.

Figure 68 guest user configuration page

2) Select User > User Group from the navigation tree. Select group Guests and click Configure to configure the group. Add resource groups and user guest to the group. User guest can then access the resources added to group Guests.

Figure 69 guest user group configuration page

Verification

User guest logs in successfully. Ten users can log in using the guest account at the same time.

Figure 70 User guest logs in successfully

Certificate Management

Feature overview

You can replace the system default CA certificates with your own certificates and manage them, so as to define your own CA authentication system as needed.

Configuration procedure

1) Log in as the administrator. Select Domain > Basic Configuration from the navigation tree, and then select the Certificate Management tab.

2) In the Import CA Certificate area, click Browse to locate the CA certificate file, and then click Update to import the CA certificate.

3) In the Import Local Certificate area, specify the password of the local certificate, click Browse to locate the local certificate file, and then click Update to import the local certificate.

4) In the Configure CRL area, select the check box before Enable CRL Checking to enable CRL checking, type the URL for obtaining the CRL, and specify the CRL update interval. Click Apply to submit the settings.

5) After the above configuration, click Reboot web service to restart the SSL VPN Web service and bring the certificates into effect. (For SecBlade SSL VPN, you need to reboot the Web service in the CLI.)

Figure 71 Certificate management page

Certificate management configuration result

"Imported the CA certificate successfully." is displayed.
"Imported the domain certificate successfully." is displayed.

"Configured the CRL parameters successfully." is displayed.
Open the SSL VPN homepage, and the certificate presented by the server is the local certificate imported last.

Configuration guidelines

Read the contents in the Note area carefully and comply with these notes.

Auto Login Using Certificate

Feature overview

After an enterprise builds its own CA authentication system, the client certificate assigned to a common user identifies the user uniquely. Assuming that the user of the client certificate is legitimate and the client certificate is valid, SSL VPN login authentication can be simplified to client certificate authentication, without the need for a username and password. This is usually implemented by importing the client certificate into a specific certificate storage device, such as a USB-Key. As the certificate in the USB-Key cannot be exported and a PIN code is required to access it, the certificate is hard to disclose. At the same time, the validity of the certificate is easy to control through the certificate revocation list mechanism. Local authentication is used in this example.

Configuration procedure

1) Import the CA and local certificates. See Certificate Management.

2) Create a local user. See Creating a User and User Group, and Associating the Resource Group and User Group.

3) Assign a client certificate issued by the CA system to the local user, and then import the client certificate into the USB-Key or IE.

4) Log in as the administrator. Select Domain > Authentication Policy from the navigation tree, and then select the Local Authentication tab. Select Certificate as the certificate policy, as shown in the following figure.

Figure 72 Configure the local authentication policy as certificate authentication

5) Select Domain > Basic Configuration from the navigation tree. The domain policy configuration page appears. Select Enable Auto Login and specify the default authentication method as Local.

Figure 73 Basic configuration of domain policy

Verification

On the client PC, enter the address of the SSL VPN gateway in the address bar of the browser, and the client certificate selection dialog box appears. Select the client certificate and click OK. The system uses the account in the certificate to log in to the SSL VPN.

Configuration guidelines

1) The client certificate must be the one issued to the login user, that is, the value of the Issued To field in the certificate must be the actual, valid login username; otherwise, the user cannot log in.

2) The RADIUS authentication policy does not support the certificate auto login feature.

Auto Start of Resources (autostart)

Feature overview

After this feature is configured, when a common user logs in, the system automatically starts the Web, TCP, and IP resources predefined by the administrator, facilitating user operations. For TCP and IP resources, the system automatically starts their shortcuts, if any.

Configuration procedure

1) Log in as the administrator and create resources available to common users.

2) Select Resource > Resource Group from the navigation tree. Select the resource group autostart and click Configure to enter the autostart configuration page. In this example, add the Web resource to the group.

Figure 74 Configure resource group autostart

3) Assign resource group autostart to common users. See Creating a User and User Group, and Associating the Resource Group and User Group.

Verification

After a user logs in, the system automatically starts the Web resource for the user.

Auto Login to Services (autohome)

Feature overview

With this feature enabled, after a common user logs in to the SSL VPN system, the system does not push the resource access page to the user. Instead, it directly presents the service page that the user can access. At the same time, it provides an SSL VPN control window for the user to exit the VPN.

Configuration procedure

1) The administrator needs to create the service page for the service auto login feature.

2) Log in as the administrator. Select Resource > Resource Group from the navigation tree. Select resource group autohome and click Configure. Add the auto login resource to this group.

Figure 75 Configure resource group autohome

3) Assign this resource group to common users. See Creating a User and User Group, and Associating the Resource Group and User Group.

Verification

After a common user logs in, the system pushes the following pages to the user.

Figure 76 Related pages of the autohome feature

Single Sign-On

Feature overview

After a user logs in to the SSL VPN system, if the user clicks a resource link configured with the single sign-on (SSO) function, the SSL VPN system directly logs the user in to the resource instead of pushing the login page of the resource to the user. This feature frees users from having to remember different username and password combinations for different application systems, greatly facilitating access to resources.

Configuration procedure

1) Log in as the administrator. Create a Web resource and configure SSO for the resource. Obtain the path and parameters submitted during login by using HTTP Watch or Ethereal. Then, type the path and parameters in the related fields on the Web proxy configuration page. The SSL VPN login page is used in this example.

Figure 77 Web proxy configuration page

Figure 78 Obtain login parameters through HTTP Watch

Note: The Submit Path field determines whether to use Web proxy or IP mode to access the resource. Select this field to use IP access, and deselect it to use Web proxy.

2) Create the corresponding IP resource. This step applies only when the SSO resource uses the IP access mode.

Figure 79 Configure the SSO IP resource

3) Assign the added Web resource and IP resource to common users. See Creating a User and User Group, and Associating the Resource Group and User Group.

Verification

After common user svpn logs in to the SSL VPN system and clicks resource tech_sso, the SSL VPN system automatically uses svpn as the username and the user's SSL VPN login password as the password to log in to the application system of the tech website.

Log Management

Feature overview

This feature records SSL VPN logs, including administrator operation logs, such as adding and deleting users and resources, and common user access logs, such as logging in to and out of the SSL VPN system and accessing resources.

Configuration procedure

1) In the CLI of the device, configure the log source and log host.

info-center channel 9 name SVPN
info-center source SVPN channel 9 log level debugging    /*Specify the information center to record SVPN logs*/
info-center logbuffer channel 9 size 1024    /*Specify the log buffer to record SVPN logs*/
info-center loghost    /*Specify the log host*/

2) Log in as the administrator and perform operations.

3) Log in as a common user and access resources.

Verification

Use the display logbuffer command on the device or view the log host, and you can see the SVPN logs in the following format:

%Jun 5 14:54:44: H3C SVPN/6/SVLOG: Administrator : administrator@domain1[0x ] Operation : create local user account Parameters : user name=user1, description=test, status=active,public account=no, simuuser=0
%May 20 16:25:08: PE1 SVPN/6/SVLOG: User(vpn1@domain1) logoff!
%May 20 16:25:16: PE1 SVPN/6/SVLOG: User(vpn1@domain1) logon from IP:
%May 20 16:25:32: PE1 SVPN/6/SVLOG: User(vpn1@domain1) visits site:

MPLS VPN (supported by only SecPath SSL VPN)

Feature overview

This feature allows the SSL VPN gateway to act as a PE, so that remote users can access the MPLS VPN through SSL VPN.
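The SVLOG lines shown under Log Management above are what the log host receives. The following Python is an added example, not part of the H3C document or product, that parses that format into events and then reviews the events for user logons from outside an expected source network and for administrator operations that change accounts. The sample lines are constructed from the format above: the source IP address, the site name and the 0x0000 id are placeholders, and the allowed-network list is an assumption of this example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in the SVLOG format shown under Log Management.
# The source IP, the site name and the 0x0000 id are placeholders chosen
# for this example, not values from the document.
SAMPLE_LOG = """\
%Jun 5 14:54:44: H3C SVPN/6/SVLOG: Administrator : administrator@domain1[0x0000] Operation : create local user account Parameters : user name=user1, description=test, status=active,public account=no, simuuser=0
%May 20 16:25:08: PE1 SVPN/6/SVLOG: User(vpn1@domain1) logoff!
%May 20 16:25:16: PE1 SVPN/6/SVLOG: User(vpn1@domain1) logon from IP: 192.0.2.10
%May 20 16:25:32: PE1 SVPN/6/SVLOG: User(vpn1@domain1) visits site: intranet.example.test
"""

# "%<Mon> <day> <hh:mm:ss>: <sysname> SVPN/<severity>/SVLOG: <body>"
HEADER_RE = re.compile(
    r"^%(?P<time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}): "
    r"(?P<host>\S+) SVPN/(?P<severity>\d)/SVLOG: (?P<body>.*)$"
)
# Administrator operation log: actor, a bracketed 0x... id, operation, parameters.
ADMIN_RE = re.compile(
    r"^Administrator : (?P<admin>[^\[\s]+)\[0x[0-9A-Fa-f]*\] "
    r"Operation : (?P<operation>.+?) Parameters : (?P<params>.*)$"
)
# Common user access log: logoff, logon with its source IP, or a resource visit.
USER_RE = re.compile(
    r"^User\((?P<user>[^)]+)\) "
    r"(?:(?P<logoff>logoff!)|logon from IP: (?P<ip>\S+)|visits site: (?P<site>\S+))$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one SVLOG line into an event dict; return None for other log modules."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event: Dict[str, object] = {
        "time": m["time"], "host": m["host"], "severity": int(m["severity"]),
    }
    body = m["body"]
    a = ADMIN_RE.match(body)
    if a:
        # Parameters are comma-separated key=value pairs, e.g. "user name=user1".
        params = {}
        for pair in a["params"].split(","):
            key, _, value = pair.strip().partition("=")
            params[key] = value
        event.update(kind="admin", actor=a["admin"], operation=a["operation"], params=params)
        return event
    u = USER_RE.match(body)
    if u:
        event["actor"] = u["user"]
        if u["logoff"]:
            event["kind"] = "logoff"
        elif u["ip"]:
            event.update(kind="logon", ip=u["ip"])
        else:
            event.update(kind="visit", site=u["site"])
        return event
    event.update(kind="unknown", body=body)
    return event


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every SVLOG line in a log buffer dump, skipping other modules' lines."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def audit(events: List[Dict[str, object]], allowed_sources: List[str]) -> List[str]:
    """Review findings: user logons from outside the allowed source networks, and
    every administrator operation that creates, changes or deletes an account."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for e in events:
        if e["kind"] == "logon":
            try:
                addr = ipaddress.ip_address(str(e["ip"]))
            except ValueError:
                findings.append(f"{e['time']}: {e['actor']} logon with unparsable source {e['ip']!r}")
                continue
            if not any(addr in net for net in nets):
                findings.append(f"{e['time']}: {e['actor']} logged on from unexpected source {addr}")
        elif e["kind"] == "admin" and "account" in str(e["operation"]):
            target = e["params"].get("user name", "?")
            findings.append(f"{e['time']}: {e['actor']} performed '{e['operation']}' on {target}")
    return findings


if __name__ == "__main__":
    # Assumed allowed network for this example; the sample logon is inside it.
    for finding in audit(parse_log(SAMPLE_LOG), ["192.0.2.0/24"]):
        print(finding)
```

Feed the output of display logbuffer (or the log host's file) to parse_log; the header regex ignores lines from other information center modules, so the whole buffer can be passed in unchanged.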

Configuration procedure

1) In the CLI of the device, create VPN instances, configure the RD and RT of the VPN instances, and configure BGP and other MPLS related settings. These configurations are the same as common MPLS VPN configurations, except that you do not need to bind a VPN instance to an interface in the CLI. Refer to the configurations in the attached file PE(SSL VPN).txt.

2) Log in as the administrator and select Resource > IP Network from the navigation tree. Select the Global Configuration tab. Create an address pool and bind the corresponding VPN instance to it.

Figure 80 Create an address pool and bind a VPN instance

3) Create resources corresponding to the different VPNs. Refer to Host Configuration.

4) Create different VPN users.

5) Log in as the administrator. Select User > User Group from the navigation tree. Create different user groups for the different VPN instances, and add the corresponding users and resources to the user groups. As each virtual interface is bound to a different VPN instance, a user group is bound to a VPN instance by binding it to a virtual interface.

Figure 81 Create the user group that can access VPN 1 resources

Verification

Different VPN users can access the resources of their own VPNs. Users can access MPLS VPN resources through the TCP, Web, and IP services.

Configuration guidelines

Only the V1000 version of SecPath SSL VPN supports MPLS VPN.

The VPN that a login user can access is determined by the user group to which the user belongs. The VPN attribute of a user group is determined by the VPN to which the user group's bound virtual interface belongs. If the virtual interface bound to a user group is not bound to a VPN, users in the user group use public routes to access resources after logging in. If no virtual interface is bound to a user group, users of the user group cannot obtain an IP address after login, and therefore the IP network service fails to start.

A VPN user must belong to only one user group.
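The configuration guidelines above define a resolution chain: user, user group, bound virtual interface, VPN instance. As an added example that is not part of the H3C document or product, the Python below models that chain with constructed objects (the class and field names are this example's own, not H3C configuration keys) and reports, for each user, which VPN the user lands in and which guideline a misconfiguration violates. The sample users, groups and interfaces are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The class and field names below are this example's own modelling choices,
# not H3C configuration keys.


@dataclass
class VirtualInterface:
    name: str
    vpn_instance: Optional[str]  # None: interface not bound to any VPN instance


@dataclass
class UserGroup:
    name: str
    members: List[str]
    virtual_interface: Optional[str]  # None: no virtual interface bound to the group


PUBLIC = "public"  # marker: the user is routed over the public routing table


@dataclass
class Placement:
    vpn: Optional[str]    # VPN instance name, PUBLIC, or None when unresolvable
    ip_service: bool      # whether the IP network service can start for the user
    findings: List[str]   # guideline violations or warnings, empty when clean


def resolve_user(user: str, groups: List[UserGroup],
                 interfaces: Dict[str, VirtualInterface]) -> Placement:
    """Follow the chain user -> user group -> virtual interface -> VPN instance."""
    owning = [g for g in groups if user in g.members]
    if not owning:
        return Placement(None, False, [f"{user}: not a member of any user group"])
    if len(owning) > 1:
        names = ", ".join(g.name for g in owning)
        return Placement(None, False, [
            f"{user}: member of several user groups ({names}); "
            "a VPN user must belong to only one user group"])
    group = owning[0]
    if group.virtual_interface is None:
        return Placement(None, False, [
            f"{user}: group {group.name} has no virtual interface bound, so the user "
            "cannot obtain an IP address and the IP network service fails to start"])
    vif = interfaces.get(group.virtual_interface)
    if vif is None:
        # Extra consistency check of this example, not a guideline from the document.
        return Placement(None, False, [
            f"{user}: group {group.name} is bound to unknown virtual interface "
            f"{group.virtual_interface}"])
    if vif.vpn_instance is None:
        return Placement(PUBLIC, True, [
            f"{user}: interface {vif.name} is not bound to a VPN instance; "
            "the user reaches resources over public routes"])
    return Placement(vif.vpn_instance, True, [])


def audit(users: List[str], groups: List[UserGroup],
          interfaces: Dict[str, VirtualInterface]) -> Dict[str, Placement]:
    """Resolve every user and collect the placement and findings per user."""
    return {u: resolve_user(u, groups, interfaces) for u in users}


# Constructed sample configuration: two VPN instances, one interface without a
# VPN binding, one group without an interface, and one user in two groups.
INTERFACES = {
    "vif1": VirtualInterface("vif1", "vpn1"),
    "vif2": VirtualInterface("vif2", "vpn2"),
    "vif3": VirtualInterface("vif3", None),
}
GROUPS = [
    UserGroup("grp_vpn1", ["vpn1user", "both"], "vif1"),
    UserGroup("grp_vpn2", ["vpn2user", "both"], "vif2"),
    UserGroup("grp_public", ["pubuser"], "vif3"),
    UserGroup("grp_noif", ["orphan"], None),
]
USERS = ["vpn1user", "vpn2user", "both", "pubuser", "orphan", "nobody"]

if __name__ == "__main__":
    for user, placement in audit(USERS, GROUPS, INTERFACES).items():
        print(f"{user:9} vpn={placement.vpn} ip_service={placement.ip_service} "
              f"{placement.findings}")
```

Running the audit before handing out accounts catches the two silent failure modes the guidelines describe: a user who will get public routes instead of a VPN, and a user whose IP network service cannot start because the group has no virtual interface.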

SSL Offload (supported by only SecBlade SSL VPN)

Feature overview

With SSL offload, SecBlade SSL VPN performs SSL encryption and decryption on behalf of the internal Web server, providing secure (SSL encrypted) access to the Web server for outsiders, while the internal Web server only processes services and spends no CPU resources on SSL encryption and decryption, thus improving the service processing capability of the Web server.

Configuration procedure

1) Log in as the administrator. Select Device > Device Management from the navigation tree, and then select the Work Mode tab. Set the work mode of the SSL VPN gateway to SSL offload mode.

Figure 82 Configure the work mode of the SSL VPN gateway

2) Create the SSL offload resource. Log in as the super administrator. Select Resource > SSL Offload from the navigation tree, and then configure the SSL offload policy and create the SSL offload resource.

Figure 83 Configure the SSL offload policy and create the SSL offload resource

3) Configure a route so that when the client PC accesses IP address , packets are routed to the SSL VPN gateway.

Verification

On the client PC, enter in the address bar of the browser to open the tech website.

License (supported by only SecBlade SSL VPN)

Feature overview

The SecBlade SSL VPN system controls the maximum number of online users allowed through a license.

Configuration procedure

1) Log in as the super administrator. Select Domain > Domain Management from the navigation tree, and then select the License tab to enter the license management page.

2) Use the number in the Device Serial Number field to apply for a license file, which is usually suffixed with .lic, such as 1000user.lic.

3) Click Browse to select the obtained license file and click Apply.

Figure 84 License management page

Verification

Log in as the super administrator and create a domain. During the operation, you can see that the maximum number of online users has been updated to the value specified in the applied license.

References

Protocols and Standards

Related Documentation

SecPath SSL VPN Administrator Manual
SecPath SSL VPN User Manual
Super Administrator Manual, Administrator Manual, and User Manual in H3C SecBlade SSL VPN Card User Manual

Copyright 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.


More information

Managing Software and Configurations

Managing Software and Configurations 55 CHAPTER This chapter describes how to manage the ASASM software and configurations and includes the following sections: Saving the Running Configuration to a TFTP Server, page 55-1 Managing Files, page

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewall VPN Router. Quick Installation Guide M73-APO09-380 Firewall VPN Router Quick Installation Guide M73-APO09-380 Firewall VPN Router Overview The Firewall VPN Router provides three 10/100Mbit Ethernet network interface ports which are the Internal/LAN, External/WAN,

More information

Avalanche Remote Control User Guide. Version 4.1.3

Avalanche Remote Control User Guide. Version 4.1.3 Avalanche Remote Control User Guide Version 4.1.3 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway, Suite 200 South Jordan, Utah 84095

More information

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, 2013 2:32 pm Pacific

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, 2013 2:32 pm Pacific Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide Revised February 28, 2013 2:32 pm Pacific Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide

More information

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP System v10 with Microsoft IIS 7.0 and 7.5

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP System v10 with Microsoft IIS 7.0 and 7.5 DEPLOYMENT GUIDE Version 1.2 Deploying the BIG-IP System v10 with Microsoft IIS 7.0 and 7.5 Table of Contents Table of Contents Deploying the BIG-IP system v10 with Microsoft IIS Prerequisites and configuration

More information

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access Integration Handbook Document Version 1.1 Released July 16, 2012 ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access

More information

Active Directory integration with CloudByte ElastiStor

Active Directory integration with CloudByte ElastiStor Active Directory integration with CloudByte ElastiStor Prerequisite Change the time and the time zone of the Active Directory Server to the VSM time and time zone. Enabling Active Directory at VSM level

More information

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Topology Note: ISR G2 devices have Gigabit Ethernet interfaces instead of FastEthernet Interfaces. All contents are Copyright 1992 2012

More information

DEPLOYMENT GUIDE CONFIGURING THE BIG-IP LTM SYSTEM WITH FIREPASS CONTROLLERS FOR LOAD BALANCING AND SSL OFFLOAD

DEPLOYMENT GUIDE CONFIGURING THE BIG-IP LTM SYSTEM WITH FIREPASS CONTROLLERS FOR LOAD BALANCING AND SSL OFFLOAD DEPLOYMENT GUIDE CONFIGURING THE BIG-IP LTM SYSTEM WITH FIREPASS CONTROLLERS FOR LOAD BALANCING AND SSL OFFLOAD Configuring the BIG-IP LTM system for use with FirePass controllers Welcome to the Configuring

More information

Sophos UTM. Remote Access via IPsec. Configuring UTM and Client

Sophos UTM. Remote Access via IPsec. Configuring UTM and Client Sophos UTM Remote Access via IPsec Configuring UTM and Client Product version: 9.000 Document date: Friday, January 11, 2013 The specifications and information in this document are subject to change without

More information

NEFSIS DEDICATED SERVER

NEFSIS DEDICATED SERVER NEFSIS TRAINING SERIES Nefsis Dedicated Server version 5.2.0.XXX (DRAFT Document) Requirements and Implementation Guide (Rev5-113009) REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER Nefsis

More information

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0 Configuration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-12-19 SWD-20141219132902639 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12...

More information

Owner of the content within this article is www.isaserver.org Written by Marc Grote www.it-training-grote.de

Owner of the content within this article is www.isaserver.org Written by Marc Grote www.it-training-grote.de Owner of the content within this article is www.isaserver.org Written by Marc Grote www.it-training-grote.de Microsoft Forefront TMG How to use SQL Server 2008 Express Reporting Services Abstract In this

More information

How To Integrate An Ipm With Airwatch With Big Ip On A Server With A Network (F5) On A Network With A Pb (Fiv) On An Ip Server On A Cloud (Fv) On Your Computer Or Ip

How To Integrate An Ipm With Airwatch With Big Ip On A Server With A Network (F5) On A Network With A Pb (Fiv) On An Ip Server On A Cloud (Fv) On Your Computer Or Ip F5 Networks, Inc. F5 Recommended Practices for BIG-IP and AirWatch MDM Integration Contents Introduction 4 Purpose 5 Requirements 6 Prerequisites 6 AirWatch 6 F5 BIG-IP 6 Network Topology 7 Big-IP Configuration

More information

Using RADIUS Agent for Transparent User Identification

Using RADIUS Agent for Transparent User Identification Using RADIUS Agent for Transparent User Identification Using RADIUS Agent Web Security Solutions Version 7.7, 7.8 Websense RADIUS Agent works together with the RADIUS server and RADIUS clients in your

More information

Scenario: IPsec Remote-Access VPN Configuration

Scenario: IPsec Remote-Access VPN Configuration CHAPTER 3 Scenario: IPsec Remote-Access VPN Configuration This chapter describes how to use the security appliance to accept remote-access IPsec VPN connections. A remote-access VPN enables you to create

More information

Multi-Homing Dual WAN Firewall Router

Multi-Homing Dual WAN Firewall Router Multi-Homing Dual WAN Firewall Router Quick Installation Guide M73-APO09-400 Multi-Homing Dual WAN Firewall Router Overview The Multi-Homing Dual WAN Firewall Router provides three 10/100Mbit Ethernet

More information

Deploying F5 with VMware View and Horizon View

Deploying F5 with VMware View and Horizon View Deploying F5 with VMware View and Horizon View Welcome to the F5 and VMware View Deployment Guide. This document contains guidance on configuring the BIG-IP system version 11 and later, including BIG-IP

More information

MobileStatus Server Installation and Configuration Guide

MobileStatus Server Installation and Configuration Guide MobileStatus Server Installation and Configuration Guide Guide to installing and configuring the MobileStatus Server for Ventelo Mobilstatus Version 1.2 June 2010 www.blueposition.com All company names,

More information

Multifunctional Broadband Router User Guide. Copyright Statement

Multifunctional Broadband Router User Guide. Copyright Statement Copyright Statement is the registered trademark of Shenzhen Tenda Technology Co., Ltd. Other trademark or trade name mentioned herein are the trademark or registered trademark of above company. Copyright

More information

Portal Authentication Technology White Paper

Portal Authentication Technology White Paper Portal Authentication Technology White Paper Keywords: Portal, CAMS, security, authentication Abstract: Portal authentication is also called Web authentication. It authenticates users by username and password

More information

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

Load Balancing. Outlook Web Access. Web Mail Using Equalizer Load Balancing Outlook Web Access Web Mail Using Equalizer Copyright 2009 Coyote Point Systems, Inc. Printed in the USA. Publication Date: January 2009 Equalizer is a trademark of Coyote Point Systems

More information

Barracuda SSL VPN Administrator s Guide

Barracuda SSL VPN Administrator s Guide Barracuda SSL VPN Administrator s Guide Version 1.5.x Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2004-2009, Barracuda Networks,

More information

Desktop Surveillance Help

Desktop Surveillance Help Desktop Surveillance Help Table of Contents About... 9 What s New... 10 System Requirements... 11 Updating from Desktop Surveillance 2.6 to Desktop Surveillance 3.2... 13 Program Structure... 14 Getting

More information

Protecting the Home Network (Firewall)

Protecting the Home Network (Firewall) Protecting the Home Network (Firewall) Basic Tab Setup Tab DHCP Tab Advanced Tab Options Tab Port Forwarding Tab Port Triggers Tab DMZ Host Tab Firewall Tab Event Log Tab Status Tab Software Tab Connection

More information