H3C SSL VPN Configuration Examples


Keywords: SSL, VPN, HTTPS, Web, TCP, IP

Abstract: This document describes the characteristics of H3C SSL VPN, details the basic configuration and the configuration procedure of H3C SSL VPN, and presents typical configuration examples.

Acronyms:
Acronym   Full spelling
SSL       Secure Sockets Layer
VPN       Virtual Private Network
HTTPS     Hypertext Transfer Protocol Secure
TCP       Transmission Control Protocol
IP        Internet Protocol

Hangzhou H3C Technologies Co., Ltd. 1/76

Table of Contents

Introduction  4
  Feature Overview  4
  Benefits  4
Usage Guide  5
  Application Scenarios  5
  Role-Based Management Overview  5
Configuration Procedures  7
  Basic Command Line Configuration for SSL VPN  7
Configuration Guidelines  8
Supporting Devices and Versions  8
  Supporting Devices  8
SSL VPN Configuration Examples  8
  Network Requirements  8
  SSL VPN Network Diagrams  10
  Basic Command Line Configurations  10
    SecBlade SSL VPN Command Line Configurations  10
    SecPath SSL VPN Command Line Configurations  12
  Web Service Configuration Example  12
    Logging In as a Super Administrator (supported by only SecBlade SSL VPN)  12
    Logging In to a Common Domain  15
    Configuring Web Service Resources  16
    Creating a Resource Group and Adding Existing Resources to the Resource Group  17
    Creating a User and User Group, and Associating the Resource Group and User Group  18
    Verifying the Web Service Configuration  20
  TCP Service Configuration Example  21
    Logging In as a Super Administrator (supported by only SecBlade SSL VPN)  21
    Logging In to a Common Domain  21
    Configuring TCP Service Resources  21
    Creating a Resource Group and Adding Existing Resources to the Resource Group  26
    Creating a User and User Group, and Associating the Resource Group and User Group  27
    Verifying the TCP Service Configuration  27
    TCP Service Configuration Guidelines  31
  IP Service Configuration Example  31
    Logging In as a Super Administrator (supported by only SecBlade SSL VPN)  31
    Logging In to a Common Domain  31
    Configuring IP Service Resources  32
    Creating a Resource Group and Adding Existing Resources to the Resource Group  36
    Creating a User and User Group, and Associating the Resource Group and User Group  36
    Verifying the IP Service Configuration  37
    IP Service Troubleshooting  39
  Authentication Policy Configuration Example  39
    RADIUS Authentication (Shiva)  39
    LDAP Authentication  44
    AD Authentication  47
    Combination Authentication  49
    USB-Key Certificate Authentication  50
    Binding the Certificate Serial Number and Username  50
  Security Checking and Dynamic Authorization Configuration Example  52
    Security Checking  52
    Dynamic Authorization  54
  Other Features  55
    Importing User Accounts in Batches  55
    User Interface Customization  56
    External Network Access Control  58
    Guest Account  60
    Certificate Management  62
    Auto Login Using Certificate  64
    Auto Start of Resources (autostart)  65
    Auto Login to Services (autohome)  66
    Single Sign-On  68
    Log Management  71
    MPLS VPN (supported by only SecPath SSL VPN)  71
    SSL Offload (supported by only SecBlade SSL VPN)  74
    License (supported by only SecBlade SSL VPN)  75
References  76
  Protocols and Standards  76
  Related Documentation  76

Introduction

H3C SSL VPN devices include H3C SecPath SSL VPN cards and H3C SecBlade SSL VPN cards. The configurations described in this document are supported by both types of devices unless otherwise noted. Parenthetical notes such as (supported by only SecPath SSL VPN) and (supported by only SecBlade SSL VPN), or different titles, mark a configuration that is supported by only one type of device.

Feature Overview

The SSL protocol is mainly used to ensure privacy and reliability between two communicating application programs. The whole process is implemented through the cooperation of the SSL handshake protocol, record protocol, and alert protocol.

Compared with leased lines, VPN networking is cheap and flexible. Therefore, more and more enterprises use VPN to interconnect the headquarters, mobile employees, branch offices, and partners over public networks such as the Internet. SSL VPN is an emerging VPN technology. It establishes VPN networks with connections encrypted by SSL. SSL VPN addresses the security of applications and works above the transport layer. It provides a secured connection between applications and is mainly applied to remote Web access.

The SSL VPN system implements granular access control of network resources. It supports three resource access methods: Web access, TCP access, and IP access. The SSL VPN system uses role-based management of access rights, that is, it limits the resources that a login user can access based on the role of the user. It also uses security policies to check the security status of the accessing PCs, assigning access rights to users dynamically according to the security checking results. The SSL VPN gateway supports Web-based management. Administrators can configure and manage the SSL VPN system through Web browsers.

H3C SSL VPN devices are new-generation, professional, enterprise-level SSL VPN devices, which provide secure and convenient remote access services for the mobile users of enterprises. An H3C SSL VPN device can be used as the ingress gateway of an enterprise, or as the proxy gateway of the internal server group. SecPath SSL VPN is designed for small and medium-sized enterprises, and SecBlade SSL VPN for medium and large-sized enterprises.

Benefits

Compared with conventional VPN, SSL VPN features high security and more granular security control. Requiring no user configuration and no client installation, it is simple to deploy and very easy to use.

Usage Guide

Application Scenarios

With the popularity of the Internet, home office and mobile office work are on the rise, driving the conversion of applications from C/S structure to Web-service-based B/S structure. Employees, customers, and partners of an enterprise need to access internal resources securely and conveniently from outside the enterprise. SSL VPN meets this need.

Role-Based Management Overview

The H3C SSL VPN system limits the resources that a login user can access based on the role of the user. It defines three roles:

- Super administrator: Manager of the entire system. A super administrator can create domains, initialize the administrator passwords of domains, assign resource groups to domains, and specify whether a domain administrator can create new resources. (supported by only SecBlade SSL VPN)
- Domain administrator: Manager of an SSL VPN domain. A domain administrator can create and delete local users, user groups, resources, resource groups, and security policies for the domain, controlling the access rights of users in the domain.
- SSL VPN user: A user accessing network resources through the SSL VPN system. An SSL VPN user must pass authentication to log in to the SSL VPN system. After passing authentication, the user can access the SSL VPN gateway, and the SSL VPN system assigns the user access rights based on the security status of the user and the user group to which the user belongs.

Before configuration, you need to understand the relationship of the roles, as well as the relationship of local users, user groups, resources, and resource groups, as shown below:

Figure 1 Relation diagram (super administrator; resources and resource groups; domain administrators; per-domain resource groups, user groups, resources, and users)

By default, there is a root domain on the device. All users in the root domain are super administrators. A super administrator can create domains and resources, add resources to resource groups, assign resources to a domain, and specify whether a domain administrator can create new resources. (Supported by only SecBlade SSL VPN)

Domain administrators create and maintain the resources, resource groups, local users, and user groups of their own domains. A resource or user can belong to multiple resource groups or user groups, and a resource group or user group can hold multiple resources or users. By associating resource groups with user groups, you specify which user groups can access which resource groups. One resource group can be assigned to multiple user groups, and one user group can contain multiple resource groups.
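The relation just described (users in user groups, resources in resource groups, and access granted only by associating a resource group with a user group) as a small model. This is an added example written for this document, not H3C's code; the names it uses (domain h3c, user svpn, user group usergroup, resource tech, resource group Web, and the administrators group) are the ones this document's examples use later, and the way the administrators group is handled follows the text's later note that a domain administrator who logs in as a common user sees only what was assigned to the administrators group.

```python
"""Model of the SSL VPN role relation: users -> user groups -> resource groups -> resources.

Added example for this document (not H3C's implementation). The set of resources a
login user may reach is the union, over every user group the user belongs to, of the
resource groups granted to that user group.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class SslVpnDomain:
    name: str
    resources: Set[str] = field(default_factory=set)
    resource_groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> resources
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)      # group -> users
    grants: Dict[str, Set[str]] = field(default_factory=dict)           # user group -> resource groups

    def add_resource(self, resource: str) -> None:
        self.resources.add(resource)

    def add_to_resource_group(self, group: str, resource: str) -> None:
        # A resource must exist before it is grouped; one resource may sit in many groups.
        if resource not in self.resources:
            raise KeyError(f"unknown resource {resource!r}")
        self.resource_groups.setdefault(group, set()).add(resource)

    def add_to_user_group(self, group: str, user: str) -> None:
        self.user_groups.setdefault(group, set()).add(user)

    def assign(self, user_group: str, resource_group: str) -> None:
        # Associating a resource group with a user group is the only way access is granted.
        if resource_group not in self.resource_groups:
            raise KeyError(f"unknown resource group {resource_group!r}")
        self.grants.setdefault(user_group, set()).add(resource_group)

    def groups_of(self, user: str) -> Set[str]:
        return {g for g, members in self.user_groups.items() if user in members}

    def accessible(self, user: str) -> Set[str]:
        """Resources the user can reach: union of all resource groups granted to any of the user's groups."""
        out: Set[str] = set()
        for user_group in self.groups_of(user):
            for resource_group in self.grants.get(user_group, set()):
                out |= self.resource_groups[resource_group]
        return out


def build_example_domain() -> SslVpnDomain:
    """Domain h3c as configured in this document's Web service example (names from the document)."""
    d = SslVpnDomain("h3c")
    d.add_resource("tech")
    d.add_to_resource_group("Web", "tech")
    d.add_to_user_group("usergroup", "svpn")
    d.add_to_user_group("administrators", "administrator")  # default domain administrator account
    d.assign("usergroup", "Web")
    return d


if __name__ == "__main__":
    d = build_example_domain()
    print("svpn can access:", sorted(d.accessible("svpn")))
    # The administrator logged in as a common user sees nothing until Web is assigned to administrators.
    print("administrator as a common user can access:", sorted(d.accessible("administrator")))
```

The point worth checking in practice is the last line: membership in the administrators group gives management rights, but it gives no resource access by itself, so an auditor listing who can reach a resource group should follow the grants, not the role.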

Root domain and super administrator are supported by only SecBlade SSL VPN. SecPath SSL VPN supports only one domain. SecBlade SSL VPN supports multiple domains; besides the default root domain, the maximum number of common domains that can be created depends on the device model.

At present, SecBlade SSL VPN devices have two models, applicable to S7500E and S9500 switches. The difference is that the SSL VPN card for S7500E switches uses four GE interfaces to communicate with the S7500E backplane, while the card for S9500 switches uses one 10-GE interface to communicate with the S9500 backplane. The software functions of the two models are identical. The following SecBlade SSL VPN related sections all take the SSL VPN card for S7500E as an example.

Configuration Procedures

Perform the following configurations to configure SSL VPN:
- Basic command line configuration
- Super administrator interface configuration (supported by only SecBlade SSL VPN)
- Domain administrator interface configuration
- Common user interface configuration

The last three are Web configurations, which are illustrated later directly by examples.

Basic Command Line Configuration for SSL VPN

You can perform basic SSL VPN configurations through the command line interface (CLI), including enabling the Web server and the SSL VPN service. By default, the system enables the Web server and the SSL VPN service, so no manual start through command lines is needed. Perform the following configurations on the device:
- Enable the Web server
- Enable the SSL VPN service

Configuration Guidelines

Figure 2 Configuration management

After performing configurations on the Web interface, you need to save the configuration file. Otherwise, the configurations will be lost after the device reboots. You can save the current configuration to the configuration file and to the backup file. To replace the configuration file with the backup file, click Restore. To make the new configuration file take effect, click Restart.

Supporting Devices and Versions

Supporting Devices

SecBlade: SecBlade for S7500E, SecBlade for S9500
SecPath:
- Devices with a built-in encryption card: SecPath V100-E
- Devices that need an external encryption card: SecPath F100-A, SecPath F100-A-SI, SecPath F100-E, SecPath F100-M, SecPath F1000-A, SecPath V1000-A, SecPath F1000-S

SSL VPN Configuration Examples

Network Requirements

Two-arm mode: The SSL VPN gateway acts as an ingress gateway between the internal network and the external network, providing complete protection for the internal network. In this case, however, the gateway is on the critical path of communication. Its performance and reliability greatly affect the data transfer between the internal network and the external network.

Figure 3 Dual-arm networking of SSL VPN (mobile user and desktop PC user reach the intranet LAN across the Internet through the SSL VPN gateway; authentication servers, log server, and CA server are on the intranet)

One-arm mode: The SSL VPN gateway acts as a proxy gateway for the communication between the remote host and the internal network. In this case, the SSL VPN gateway is not on the critical path of communication, and therefore does not create a single point of failure.

Figure 4 One-arm networking of SSL VPN (same components as Figure 3)

SSL VPN Network Diagrams

Figure 5 Network diagram for SecBlade SSL VPN in one-arm mode

Figure 6 Network diagram for SecPath SSL VPN in two-arm mode

Basic Command Line Configurations

SecBlade SSL VPN Command Line Configurations

Basic configuration on an S7500E switch:

[S7503E]vlan 100 //*Refer to Figure 5 for port related configuration*//
[S7503E-vlan100]port GigabitEthernet 3/0/1
[S7503E-vlan100]port GigabitEthernet 4/0/1
[S7503E-vlan100]quit
[S7503E]interface vlan 100
[S7503E-Vlan-interface100]ip address
[S7503E-Vlan-interface100]quit
[S7503E]vlan 200
[S7503E-vlan200]port GigabitEthernet 4/0/13
[S7503E-vlan200]quit
[S7503E]interface vlan 200
[S7503E-Vlan-interface200]ip address
[S7503E-Vlan-interface200]quit
[S7503E]ip route-static //*Configure a static route to the virtual address segment, with the next hop being the SSL VPN card. This forwards data coming from the internal network.*//
[S7503E]ip route-static //*Configure a route to the public network*//
[S7503E]ip route-static
[S7503E]ip route-static
[S7503E]interface GigabitEthernet 3/0/1
[S7503E-GigabitEthernet3/0/1]speed 1000
[S7503E-GigabitEthernet3/0/1]duplex full //*Configure the interface communicating with the backplane to work in forced mode, and make sure the port is up.*//
[S7503E-GigabitEthernet3/0/1]quit

Basic configuration on the SSL VPN card:

[H3C]interface GigabitEthernet 0/0/0
[H3C-GigabitEthernet0/0/0]ip address
[H3C-GigabitEthernet0/0/0]quit
[H3C]ip route-static
[H3C]ntp-service unicast-server //*Specify the NTP server. The SSL VPN card has no local clock, and the device time defaults to a fixed year. Without this configuration, the certificate will expire.*//

Routing configuration on the NAT-IN node:

[H3C]ip route-static //*Configure a route to the virtual network segment.*//
[H3C]ip route-static

Service configuration on the SSL VPN card:

By default, the system enables the Web server and the SSL VPN service. In this case, you do not need to execute the following commands.

[H3C]svpn service enable //*Enable the SSL VPN service*//
[H3C]Web server enable //*Enable the Web server*//

At present, SecBlade SSL VPN cards are applicable to S7500E and S9500 switches, which are normally located in the internal network. Therefore, one-arm mode is used. In a practical network, if there is no NAT-IN node, you need to perform route configurations on each internal network node, ensuring that the virtual network segment (/24 in the example) is reachable. The above configuration uses only one GE interface of the SecBlade SSL VPN for S7500E, and the SecBlade SSL VPN for S9500 has only one 10-GE interface, so the above configuration also applies to the SecBlade SSL VPN for S9500.

SecPath SSL VPN Command Line Configurations

Basic configurations:

[H3C] interface Ethernet0/0
[H3C-Ethernet0/0] ip address
[H3C-Ethernet0/0] quit
[H3C] interface Ethernet0/1
[H3C-Ethernet0/1] ip address
[H3C-Ethernet0/1] quit
[H3C] ip route-static preference 60

SSL VPN related configurations:

By default, the system enables the Web server and the SSL VPN service. In this case, you do not need to execute the following commands.

[H3C] svpn service enable //*Enable the SSL VPN service*//
[H3C] Web server enable //*Enable the Web server*//

Web Service Configuration Example

Logging In as a Super Administrator (supported by only SecBlade SSL VPN)

1) In the address bar of a browser, enter the address of the SSL VPN gateway port that connects to the external network to open the SSL VPN login page. The certificate authentication dialog box (Security Alert) appears. Click Yes.

Figure 7 Security Alert dialog box (click Yes)

Use the default super administrator account administrator to log in to the SSL VPN system with the local authentication method: type administrator as the username, type administrator as the password, select Super administrator as the identity, and then click Login, as shown in Figure 8.

Figure 8 SSL VPN login page

2) Create domain h3c, and specify the initial password of the domain administrator. Select Domain from the navigation tree to enter the domain policy configuration page. To create a domain, click Add. To modify an existing domain, select the domain and click Configure.

Figure 9 Create a domain

Create domain h3c. The domain administrator named administrator is generated by default. You need to specify the default administrator password. You can also specify the timeout time and the maximum number of online users for domain h3c, 30 minutes and 100 respectively in this example. You can assign the existing resource groups to domain h3c, and allow the administrator of domain h3c to add resources.

3) After you finish your configuration, you need to save the configuration file. Otherwise, your configuration will be lost after the device reboots.

Figure 10 Configuration management

Logging In to a Common Domain

All following configurations in this configuration example are performed in a common domain. After you log in as the administrator of the domain and finish the configurations, you need to save the configuration file. Otherwise, the configuration will be lost after the device reboots.

Logging in to the common domain of SecBlade SSL VPN

As with the super administrator login, use the default administrator account to log in to SSL VPN domain h3c with the local authentication method. Type administrator as the username and the password specified when the domain was created, select Administrator as the identity, and then click Login.

Figure 11 Domain administrator login

In a domain, users that belong to the administrators group are administrators of the domain. A domain administrator is also a common user. If you are a domain administrator but log in as a common user, you enter the common user interface. In the common user interface, the resources that you can access are confined to the resources assigned to the administrators group.

Logging in to the common domain of SecPath SSL VPN

Enter the gateway address in the address bar to open the login page. Type the default administrator account, with both the username and password being administrator, and then click Login.

Figure 12 Domain administrator login page

Configuring Web Service Resources

A Web page is a service provided by a remote Web server. The Web proxy server function of SSL VPN provides a secure connection mode for users to access Web servers, and it can prevent unauthorized users from accessing the protected Web servers. Select Resource > Web Site from the navigation tree to enter the Web proxy management page. Click Add to create a new Web proxy server resource.

Figure 13 Add a Web proxy server resource

You can specify an IP address or a domain name as the website name. If you specify a domain name, you need to configure the DNS server correctly in the CLI. Site matching supports fuzzy match. In this example, you can specify tech.* for fuzzy match, ensuring that all pages on the website are reachable. More specifically, to allow access to sports.sina.com.cn, news.sina.com.cn, and other sina Web pages, for example, you can specify *.sina.com.cn in the Site Matching Pattern field. You can specify multiple match keywords, separating them by vertical bars (|).

After you add the Web proxy server resources, the Web proxy server list appears.

Figure 14 Web proxy server list

Creating a Resource Group and Adding Existing Resources to the Resource Group

Select Resources > Resource Group from the navigation tree to enter the resource group management page. Click Add to create a new resource group. Type Web as the resource group name and add the existing resource tech to resource group Web. Click Apply.

Figure 15 Add a resource group
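The Site Matching Pattern rule described above (wildcards such as tech.* and *.sina.com.cn, several keywords separated by vertical bars) as a stand-alone checker. This is an added example written for this document, not H3C's implementation: it assumes that * matches any run of characters, that a keyword must cover the whole host name, and that matching is case-insensitive. It also adds an over-broad-pattern check that the document does not describe, because a pattern with no literal characters turns the Web proxy into an open proxy for every host.

```python
"""Site Matching Pattern checker for a Web proxy resource.

Added example for this document (not the device's code). Wildcard semantics are
assumed: '*' matches any run of characters, keywords are anchored to the whole
host name, matching is case-insensitive.
"""
import re
from typing import List, Optional


def split_keywords(field_value: str) -> List[str]:
    """'tech.*|*.sina.com.cn' -> ['tech.*', '*.sina.com.cn'] (empty keywords dropped)."""
    return [k.strip() for k in field_value.split("|") if k.strip()]


def compile_keyword(keyword: str) -> re.Pattern:
    # Escape every literal part and join them with '.*'; anchoring both ends is what
    # stops '*.sina.com.cn' from also admitting 'www.sina.com.cn.attacker.example'.
    regex = "^" + ".*".join(re.escape(part) for part in keyword.split("*")) + "$"
    return re.compile(regex, re.IGNORECASE)


def matching_keyword(field_value: str, host: str) -> Optional[str]:
    """Return the keyword that admits host, or None if the proxy should refuse it."""
    for keyword in split_keywords(field_value):
        if compile_keyword(keyword).match(host):
            return keyword
    return None


def is_overbroad(keyword: str) -> bool:
    """A keyword with no literal characters ('*', '*.*', '**') admits every host."""
    return keyword.strip("*.") == ""


def overbroad_keywords(field_value: str) -> List[str]:
    """Keywords in a Site Matching Pattern field that an administrator should review."""
    return [k for k in split_keywords(field_value) if is_overbroad(k)]


if __name__ == "__main__":
    field_value = "tech.*|*.sina.com.cn"        # the two patterns named in the text
    for host in ("tech.h3c.example", "sports.sina.com.cn", "news.sina.com.cn",
                 "sina.com.cn", "sina.com.cn.attacker.example"):
        print(f"{host:32} -> {matching_keyword(field_value, host)}")
    print("over-broad:", overbroad_keywords("*|*.sina.com.cn"))
```

Note that *.sina.com.cn does not admit the bare host sina.com.cn; if both are wanted, list both keywords. Reviewing a resource list for over-broad keywords is a quick way to catch a proxy that was meant for one site and quietly became a proxy for all of them.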

Creating a User and User Group, and Associating the Resource Group and User Group

Select User > Local User from the navigation tree to enter the local user list page. Click Add to create a user.

Figure 16 Add a local user

After you create the user successfully, the local user list page appears again, as shown in the following figure:

Figure 17 User list

Select User > User Group from the navigation tree to enter the user group page. Click Add to create a new user group. Type usergroup as the user group name. Add svpn to the user group. Assign resource group Web to user group usergroup. Click Apply.

Figure 18 Create a user group

After the above configuration, user svpn in group usergroup can access all resources in resource group Web.

Verifying the Web Service Configuration

1) Log in as a common user. Enter the gateway address in the address bar to open the user login page. Type username svpn and the corresponding password. Click Login.

Figure 19 Available Web resources

2) A remote user can access the Web proxy service successfully. For example, you can access the tech resource by clicking the website link tech; the URL is replaced with the Web proxy URL.

Figure 20 Access a Web resource through the Web proxy

TCP Service Configuration Example

Logging In as a Super Administrator (supported by only SecBlade SSL VPN)

Refer to Logging In as a Super Administrator (supported by only SecBlade SSL VPN).

Logging In to a Common Domain

Refer to Logging In to a Common Domain.

Configuring TCP Service Resources

Telnet service

Telnet traffic is transferred in plaintext over the Internet. SSL VPN uses SSL encryption to encrypt the Telnet service data, ensuring the security of data transfer. Select Resource > TCP Application from the navigation tree. The Telnet resource list page appears. Click Add to create a remote access service resource.

Figure 21 Add a Telnet service resource

The format of the command line configuration is telnet local host, where local host must be the same as that in the Local Host text box. The local host specifies the local listening port. It can be a local loopback address within the allowed range, or a character string when the hosts file is configurable. After you create a TCP resource successfully, the Telnet resource list appears again.

Figure 22 Telnet service resource list

Windows desktop sharing

Select Resource > TCP Application from the navigation tree. Click the Desktop Sharing tab to enter the desktop sharing resource list page. Click Add to create a desktop sharing resource.

Figure 23 Create a Windows desktop sharing resource

After you create the resource successfully, the desktop sharing resource list page appears again.

Figure 24 Windows desktop sharing resource list

Outlook mail service

Select Resource > TCP Application from the navigation tree. Click the Mail tab to enter the mail service resource list page. Click Add to create a new Outlook mail service resource.

Figure 25 Create an Outlook mail service resource

After you create the resource successfully, the Outlook mail service resource list page appears again.

Figure 26 Outlook mail service resource list

Notes mail service

Select Resource > TCP Application from the navigation tree. Click the Notes tab to enter the Notes mail service resource list page. Click Add to create a Notes mail service resource. You must specify the real IP address or domain name of the database for Local Address.

Figure 27 Add a Notes mail service resource

After you create the resource successfully, the Notes mail service resource list page appears again.

Figure 28 Notes mail service resource list

General application service

Select Resource > TCP Application from the navigation tree. Click the TCP Service tab to enter the general application service resource list page. Click Add to create a general application service resource.

Figure 29 Create a general application service

After the service is created successfully, the general service resource list appears again.

Figure 30 General application service resource list

Creating a Resource Group and Adding Existing Resources to the Resource Group

Refer to Creating a Resource Group and Adding Existing Resources to the Resource Group.

Figure 31 Create a TCP resource group

Creating a User and User Group, and Associating the Resource Group and User Group

Refer to Creating a User and User Group, and Associating the Resource Group and User Group.

Verifying the TCP Service Configuration

1) Log in as common user svpn. The TCP client is enabled by default. You can view the port listening information by clicking Information.

Figure 32 TCP access status

Figure 33 TCP port listening

2) You can view all the available TCP application resources.

Figure 34 Available TCP application resources

3) Click TCP application resource telnet110 to telnet to the remote device.

Figure 35 Telnet access

4) Click TCP application resource remote_desktop to log in to the remote host.

Figure 36 Windows desktop sharing

5) To use TCP application resource POP3 or SMTP, you need to configure the correct POP3 and SMTP server addresses (the local host names of the resources) in the Outlook client configuration interface. Then you can log in by entering the correct username and password to process mail.

Figure 37 Outlook mail server configuration

6) You can access a general application resource by clicking its link.

Figure 38 HTTP access

TCP Service Configuration Guidelines

When configuring a TCP resource, you can leave the command line empty. If you specify a command, make sure that the command can be recognized by the operating system. To access mail, the client needs to have Outlook configured properly. Because mail services use the SMTP and POP3 ports, you need to create two corresponding resources.

IP Service Configuration Example

Logging In as a Super Administrator (supported by only SecBlade SSL VPN)

Refer to Logging In as a Super Administrator (supported by only SecBlade SSL VPN).

Logging In to a Common Domain

Refer to Logging In to a Common Domain.

Configuring IP Service Resources

SSL VPN network service access allows users to access all applications above the IP layer. Users do not need to know the application types and configurations. After they log in to the SSL VPN system, the ActiveX SSL VPN client is automatically downloaded and started, and the users can then access all services of the specified hosts securely. The communication security between a user and a server is guaranteed by SSL VPN.

Global configuration

Select Resources > IP Network from the navigation tree. Select the Global Configuration tab to enter the global configuration page.

SecBlade SSL VPN:

Figure 39 Global configuration for IP service resources

The start IP and end IP together specify the virtual address segment from which the device assigns an address to a user after the user logs in. The gateway IP address is the default gateway for the client to access the specified network resources. Configuration items in the Configure IP Address Pool area are required, while those in the Configure Basic Parameters area are optional.

- Heartbeat Interval: Interval at which the IP client sends heartbeat packets to the gateway.
- Client Reachable: Specifies whether different login users can communicate with each other through IP access.
- WINS Server/DNS Server: WINS server address and DNS server address to be assigned by the gateway to user network adapters.
- Access VPN only: Specifies whether a login user can access the Internet besides the VPN.
- IP Networks Display Mode: Selects whether the description information or the IP addresses of the IP resources are displayed to login users.

SecPath SSL VPN:

Figure 40 Global configuration for IP service resources

The start IP and end IP together specify the virtual address segment from which the device assigns an address to a user after the user logs in. The gateway IP address is the default gateway for the client to access the specified network resources.

Internal interfaces are interfaces on the gateway that connect to the internal networks. After you specify an internal interface and enable NAT, the system automatically configures NAT on the internal interface, and no return routes need to be configured on other devices in the internal network. Configuration items in the Configure IP Address Pool area and the Configure Internal Interface area are required, while those in the Configure Basic Parameters area are optional.

- Heartbeat Interval: Interval at which the IP client sends heartbeat packets to the gateway.
- Client Reachable: Specifies whether different login users can communicate with each other through IP access.
- WINS Server/DNS Server: WINS server address and DNS server address to be assigned by the gateway to user network adapters.
- Access VPN only: Specifies whether a login user can access the Internet besides the VPN.
- IP Networks Display Mode: Selects whether the description information or the IP addresses of the IP resources are displayed to login users.

User-IP Binding

Select Resources > IP Network from the navigation tree. Select the IP Binding tab to enter the user-IP binding configuration page.

Figure 41 User-IP binding configuration (SecBlade)

Figure 42 User-IP binding configuration (SecPath)

After you bind a fixed IP address to a user, the system directly assigns the bound IP address to the user after the user logs in, instead of assigning an address from the address pool to the user's virtual network card.

Host Configuration

Select Resources > IP Network from the navigation tree. Select the Host Configuration tab to enter the host configuration page. Click Add, type the resource name, configure the accessible network service and shortcut, and then click Apply to add a host resource.

Figure 43 Networks allowed to be accessed
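The address pool (start IP, end IP, gateway IP) from the global configuration, the User-IP binding just described, and the two policy switches Client Reachable and Access VPN only, combined in one model. This is an added example written for this document, not the gateway's code. The pool range, gateway, binding, and resource network in it are constructed values (this copy of the document does not preserve the real addresses), and the reservation of a bound address while its owner is logged out is an assumption about how a binding should behave, not something the document states.

```python
"""Address-pool assignment and IP-access policy for SSL VPN IP service.

Added example for this document (not H3C's implementation). All addresses are
constructed: pool 10.0.0.2-10.0.0.10, gateway 10.0.0.1, resource network
192.168.10.0/24, and a User-IP binding of svpn to 10.0.0.2.
"""
import ipaddress
from typing import Dict, Iterable, Optional

IPv4 = ipaddress.IPv4Address


class IpAddressPool:
    """Virtual address segment (start..end) plus User-IP bindings; one lease per logged-in user."""

    def __init__(self, start: str, end: str, gateway: str,
                 bindings: Optional[Dict[str, str]] = None) -> None:
        self.start, self.end, self.gateway = IPv4(start), IPv4(end), IPv4(gateway)
        if self.start > self.end:
            raise ValueError("start IP must not be above end IP")
        self.bindings = {u: IPv4(a) for u, a in (bindings or {}).items()}  # IP Binding tab
        self.leases: Dict[str, IPv4] = {}  # logged-in user -> assigned address

    def assign(self, user: str) -> IPv4:
        """Address handed to the user's virtual network adapter at login."""
        if user in self.leases:
            return self.leases[user]
        if user in self.bindings:
            # A bound user always receives the bound address, never a pool address.
            addr = self.bindings[user]
            if addr in self.leases.values():
                raise RuntimeError(f"bound address {addr} is already in use")
            self.leases[user] = addr
            return addr
        # Assumption: bound addresses stay reserved even while their owner is logged out,
        # so a pool user can never be handed an address that belongs to someone's binding.
        reserved = set(self.bindings.values()) | set(self.leases.values()) | {self.gateway}
        addr = self.start
        while addr <= self.end:
            if addr not in reserved:
                self.leases[user] = addr
                return addr
            addr += 1
        raise RuntimeError("address pool exhausted")

    def release(self, user: str) -> None:
        self.leases.pop(user, None)

    def owner_of(self, addr: IPv4) -> Optional[str]:
        return next((u for u, a in self.leases.items() if a == addr), None)


def forward_allowed(pool: IpAddressPool, src_user: str, dst: str, resource_networks: Iterable[str],
                    client_reachable: bool, access_vpn_only: bool) -> bool:
    """Decide whether a packet from a logged-in client to dst may be forwarded."""
    if src_user not in pool.leases:
        return False                                   # not logged in: nothing is forwarded
    dst_addr = IPv4(dst)
    if dst_addr == pool.gateway:
        return True
    if any(dst_addr in ipaddress.ip_network(net) for net in resource_networks):
        return True                                    # a configured IP network resource
    other = pool.owner_of(dst_addr)
    if other is not None and other != src_user:
        return client_reachable                        # client-to-client traffic
    return not access_vpn_only                         # everything else is Internet traffic


if __name__ == "__main__":
    pool = IpAddressPool("10.0.0.2", "10.0.0.10", "10.0.0.1", bindings={"svpn": "10.0.0.2"})
    nets = ["192.168.10.0/24"]
    print("bob  ->", pool.assign("bob"))    # 10.0.0.3: .2 is reserved for svpn's binding
    print("svpn ->", pool.assign("svpn"))   # 10.0.0.2
    print("bob to svpn with Client Reachable off:",
          forward_allowed(pool, "bob", "10.0.0.2", nets, client_reachable=False, access_vpn_only=True))
```

The two defaults to check on a production gateway are the ones the function makes explicit: with Client Reachable on, every logged-in laptop can reach every other one over the VPN, and with Access VPN only off, a client's Internet traffic is split away from the tunnel.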

Figure 44 Shortcut configuration

After configuring the Accessible Network Service and Shortcut in the editing area, you need to click Add. In IP networks, you can configure shortcut accesses for various services, such as ping, ftp, and file sharing.

Creating a Resource Group and Adding Existing Resources to the Resource Group

Figure 45 Add IP resources to a resource group

Creating a User and User Group, and Associating the Resource Group and User Group

Refer to Creating a User and User Group, and Associating the Resource Group and User Group.

Verifying the IP Service Configuration

1) Log in as common user svpn. The IP client is enabled by default. You can view the client data to check the IP service start information.

Figure 46 IP client status

2) You can view all the available IP network resources.

Figure 47 Available IP network resources

3) Click shortcut command ping h3c-security to ping the remote network.

Figure 48 Shortcut for ping access

4) Click shortcut command ftp h3c-security to access the FTP service on the remote network.

Figure 49 Shortcut for FTP access

5) Check whether the network adapter has obtained an IP address and whether a route to the resource has been added on the PC.

Figure 50 IP address assigned to the network adapter

Figure 51 Routing information on the PC

IP Service Troubleshooting

1) Running a shortcut command has the same effect as typing the command in the Windows CLI.

2) Because the Windows system escapes the character \, the sequence \\ in a shortcut stands for a single \ in the CLI. For example, the file sharing shortcut explorer \\\\ (followed by the share path) is equivalent to explorer \\ in the CLI. explorer means that the client's default browser is used to open the internal resource; for example, explorer ftp:// opens the FTP service through the default browser.

3) After the client has obtained an IP address for the virtual network adapter and a route to the resource, the return path must also exist: configure NAT on the internal interface, or configure a route on the resource server whose destination is the virtual address segment (the /24 address pool in this example). Without it, packets reach the server but the replies are not routed back to the SSL VPN gateway.

Authentication Policy Configuration Example

RADIUS Authentication (Shiva)

Feature overview

Use a RADIUS server to authenticate and account for remote users of SSL VPN.

Configuration procedure

1) Configuration prerequisites: this example covers only the SSL VPN configuration related to RADIUS authentication. Before performing it, make sure the basic SSL VPN configuration, such as the CLI configuration, the domain configuration, and the resources, is complete and working.

2) Log in as the domain administrator. Select Domain > Authentication Policy from the navigation tree, and then select the RADIUS Authentication tab.

Figure 52 RADIUS authentication configuration page

Note that:

The primary and secondary server addresses, the authentication ports, and the shared key must match those configured on the RADIUS servers. The shared key is the only thing that binds a RADIUS reply to the gateway's request, so use a long random value and treat it as a secret; RADIUS itself only MD5-hashes it.

Select Enable Authentication, and select active for the authentication server status.

The certificate policy is optional. You can select Password or Password + Certificate. If you select the latter, the system authenticates both the user password and the client certificate.

The accounting function is optional. The accounting server address is the same as the authentication server address, and the accounting key is the same as the authentication key. The accounting port must match the port configured on the accounting server. Select active for the accounting server status.

Server configuration

In this example, Shiva Access Manager (trial version) is used as the RADIUS server.

1) Install Shiva Access Manager.

2) In the installation directory c:\radtac\, open the file AVDICT.DAT and add an SSL-VPN-GROUP attribute, that is, a line of the form ATTRIBUTE SSL-VPN-GROUP 140 string, or overwrite the existing file with the supplied dictionary file AVDICT.TXT.

3) Configure Shiva Access Manager.

Open Shiva Access Manager and log in with the username supermanager; no password is needed. Configure the NAS address as the SSL VPN gateway address and the encryption key as the shared key configured on the gateway. Set the authentication port to 1645 and the accounting port to the port configured on the gateway.

Add a user with the username usera and set its password.

Configure RADIUS attributes for the user. The main settings are:

Select user usera.

Insert a row in the Attribute configured for user column.

Select attribute SSL-VPN-GROUP from the attribute list.

Specify usergroup as the attribute value. The value must match a user group configured on the SSL VPN gateway, because the group, not the RADIUS account, determines which resources the user can reach. To specify multiple user groups, separate them with semicolons.

Click Commit Change.

Verifying the RADIUS authentication configuration

After logging in, remote user usera can view and access the resources of the group.
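The shared key and the SSL-VPN-GROUP attribute described above can be seen working in the following added example. It is written for this edit, not taken from H3C's documentation or from Shiva Access Manager, and it assumes SSL-VPN-GROUP is a plain RFC 2865 attribute with type number 140, as the AVDICT.DAT entry suggests; the secret, identifier, user name, NAS address and group names are constructed. It builds a PAP Access-Request on the gateway side, an Access-Accept carrying the semicolon-separated group list on the server side, and performs the Response Authenticator check with which the gateway decides whether to trust the group list at all.

```python
"""RADIUS exchange for SSL VPN group authorization (added example, RFC 2865).

Constructed values only: the shared secret, NAS address, user and group names used
with these functions are placeholders, not taken from any real deployment.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SSL_VPN_GROUP = 140  # number from the AVDICT.DAT entry; assumed to be a plain attribute


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute; the length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous
    block), where the 'previous block' of the first block is the Request Authenticator."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(plain[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side inverse of hide_password (the chain runs over ciphertext blocks)."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00").decode("utf-8", errors="replace")


def build_packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(secret, ident, user, password, nas_ip, request_auth=None):
    """Gateway (NAS) side: Access-Request carrying a PAP password hidden under the key."""
    request_auth = request_auth or os.urandom(16)  # must be unpredictable per request
    body = (attr(USER_NAME, user.encode())
            + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
            + attr(NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, ident, request_auth, body)


def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def access_accept(secret, request_pkt, groups):
    """Server side: Access-Accept with SSL-VPN-GROUP = "group1;group2" for the request."""
    ident, request_auth = request_pkt[1], request_pkt[4:20]
    body = attr(SSL_VPN_GROUP, ";".join(groups).encode())
    auth = response_authenticator(ACCESS_ACCEPT, ident, body, request_auth, secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, body)


def parse_attrs(pkt):
    """Walk the attribute list; reject lengths that would run past the packet."""
    attrs, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        attr_type, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, pkt[i + 2:i + length]))
        i += length
    return attrs


def verify_accept(secret, request_pkt, reply_pkt):
    """Gateway side: return the group list only if the reply is an Access-Accept that is
    bound to our request by the shared key; None for a wrong key, tampering, or a reject."""
    if len(reply_pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply_pkt[:4])
    if length != len(reply_pkt) or ident != request_pkt[1]:
        return None
    expected = response_authenticator(code, ident, reply_pkt[20:], request_pkt[4:20], secret)
    if not hmac.compare_digest(expected, reply_pkt[4:20]):
        return None  # not from a server holding our key, or modified in transit
    if code != ACCESS_ACCEPT:
        return None
    try:
        values = [v.decode() for t, v in parse_attrs(reply_pkt) if t == SSL_VPN_GROUP]
    except (ValueError, UnicodeDecodeError):
        return None
    return [g for value in values for g in value.split(";") if g]
```

A gateway also checks that the reply came from the configured server address, but the address is not what authenticates the reply; the shared key is, which is why the note above insists that it match and stay secret. Password hiding under MD5 is obfuscation rather than encryption, so the RADIUS traffic between the gateway and the server belongs on a protected management network.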

When the default authentication policy of the domain is RADIUS, users can log in with the account name usera alone, without providing the full username with its authentication suffix (SecBlade SSL VPN) or selecting RADIUS from the type drop-down list (SecPath SSL VPN). The same applies to all the authentication types described below.

LDAP Authentication

Feature overview

Use an LDAP directory to authenticate remote users of SSL VPN.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree to enter the authentication policy management page.

2) Select the LDAP Authentication tab to enter the LDAP authentication policy configuration page.

3) Configure the LDAP server address, service port, user group LDAP attribute, protocol version, and certificate policy. Select the check box next to Enable Authentication.

4) Query the user DN by template. Configure the user DN template as cn=%logon%,dc=vpn-domain,dc=com.

Figure 53 LDAP authentication configuration with the query mode as template

5) Alternatively, check the user DN by query. Specify the administrator DN as cn=manager,dc=vpn-domain,dc=com and type its password.

Specify the query base DN as dc=vpn-domain,dc=com and the query template as cn=%logon%.

Figure 54 LDAP authentication configuration with the query mode as query

The two modes, Check user DN by querying and Query for user DN using template, are mutually exclusive.

Server configuration

In this configuration example, the LDAP server is OpenLDAP on a Linux server. When installing the Linux system, choose to install all components; after installation, start the OpenLDAP server directly. The OpenLDAP server runs as the process slapd. Follow these steps to configure OpenLDAP:

1) The file slapd.conf in the directory /etc/openldap/ is the LDAP server startup configuration file. Open the file and locate the suffix, rootdn, and rootpw directives:

The suffix directive is the LDAP server root directory. You can change it to your own directory, such as dc=vpn-domain,dc=com. The rootdn and rootpw directives are the default administrator DN and password. You can change them too, for example to cn=vpn-manager,dc=vpn-domain,dc=com. The comment marker # in front of a rootpw line selects whether the administrator password is stored in clear text or as a hash; prefer the hashed form (generated with slappasswd), because anyone who can read slapd.conf can read a clear-text value. The administrator DN used in the commands below must be the one set here.

2) Add users. Users in LDAP are stored in a directory tree, and you can create directories at different levels to hold them. There are several ways to add LDAP records; the recommended one is to create a *.ldif file whose contents are the records to be added, which also lets you add users in a batch.

First, create the root entry dc=vpn-domain,dc=com. Create the file root.ldif with the following contents:

dn: dc=vpn-domain,dc=com
objectclass: dcObject
objectclass: organization
dc: vpn-domain
o: corporation
description: Corporation

Then run:

ldapadd -x -D cn=manager,dc=vpn-domain,dc=com -w secret -f root.ldif

If the output reports adding new entry "dc=vpn-domain,dc=com", the root entry was added successfully. (Passing the password with -w puts it in the shell history and the process list; use -W to be prompted for it instead.)

Proceed to add a user. Create the file user.ldif with the following contents:

dn: cn=usera,dc=vpn-domain,dc=com
objectclass: person
cn: usera
sn: usera
description: usergroup

Then run:

ldapadd -x -D cn=manager,dc=vpn-domain,dc=com -w secret -f user.ldif

If the output reports adding new entry "cn=usera,dc=vpn-domain,dc=com", the user was added successfully. Note that this entry carries no userPassword attribute; for the gateway to verify the user's password by binding as that DN, give the entry a userPassword value (for example with ldappasswd). Use the following command to display the entries on the LDAP server:

ldapsearch -x -b dc=vpn-domain,dc=com
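Both gateway modes above substitute the logon name into a template, cn=%logon%,dc=vpn-domain,dc=com for the DN and cn=%logon% for the search filter. Whenever a logon name is interpolated into a DN or a filter it must be escaped, or a name such as usera)(cn=* changes the meaning of the query. The following added example (written for this edit, not H3C's or OpenLDAP's code; whether the gateway escapes the name itself is not stated in this document, so this is the check to run when testing an LDAP-backed domain) applies RFC 4514 DN escaping and RFC 4515 filter escaping to the two templates, and generates user entries in the shape of user.ldif above with description as the group attribute. The base DN, user names and group are the constructed values of this section.

```python
"""Escaping logon names for LDAP DN/filter templates and generating user LDIF.

Added example; the base DN, user names and group passed in are constructed values.
"""
DN_TEMPLATE = "cn=%logon%,dc=vpn-domain,dc=com"   # "query for user DN using template" mode
FILTER_TEMPLATE = "cn=%logon%"                      # "check user DN by querying" mode
BASE_DN = "dc=vpn-domain,dc=com"


def escape_dn_value(value):
    """RFC 4514: escape , + " \\ < > ; anywhere, a leading space or '#', a trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = (ch in ',+"\\<>;'
                   or (i == 0 and ch in ' #')
                   or (i == last and ch == ' '))
        out.append('\\' + ch if special else ch)
    return ''.join(out)


def escape_filter_value(value):
    """RFC 4515: hex-escape the characters that have meaning inside a search filter."""
    table = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}
    return ''.join(table.get(ch, ch) for ch in value)


def user_dn(logon):
    """Render the DN template with a safely escaped logon name."""
    return DN_TEMPLATE.replace('%logon%', escape_dn_value(logon))


def user_filter(logon):
    """Render the query template as a complete search filter for the base DN."""
    return '(' + FILTER_TEMPLATE.replace('%logon%', escape_filter_value(logon)) + ')'


def user_ldif(logon, group, base=BASE_DN):
    """One person entry in the shape of user.ldif; 'description' carries the group."""
    lines = [
        f"dn: cn={escape_dn_value(logon)},{base}",
        "objectclass: person",
        f"cn: {logon}",
        f"sn: {logon}",
        f"description: {group}",
        "",
    ]
    return "\n".join(lines)


def batch_ldif(users):
    """users: iterable of (logon, group) pairs -> one LDIF file for ldapadd -f."""
    return "\n".join(user_ldif(logon, group) for logon, group in users)
```

Run ldapsearch -x -b dc=vpn-domain,dc=com with the string returned by user_filter as the filter argument to see what the gateway's query mode resolves for a given name, and feed the output of batch_ldif to ldapadd -f to create the test users in one step.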

In this example, the LDAP attribute description is used as the user group attribute. In a real deployment, you can add a self-defined user group attribute according to customer requirements.

Verifying the LDAP authentication configuration

After logging in, remote user usera@ldap.h3c can view and access the resources. If the default authentication type is LDAP, users can log in directly as usera.

AD Authentication

Feature overview

Use an Active Directory (AD) domain to authenticate remote users of SSL VPN.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree to enter the authentication policy management page.

2) Select the AD Authentication tab to enter the AD authentication policy configuration page.

Configure the AD domain name and the AD server address list. You can specify multiple AD server addresses separated by semicolons (;), so that the system can switch to another AD server when the current one is down.

Configure the administrator account and password. The administrator account can be any user in the Users container of the AD domain that has the right to read the directory. Use a dedicated, least-privileged account for this purpose, because its password is stored on the gateway.

Select the username format. The default username format is usually sufficient.

Select Enable Authentication.

Configure the server failure restoration time. When the system detects that the AD server used for authentication is down, it automatically switches to another AD server. Before processing a new authentication request, the system checks whether the failed AD server has been down for longer than the failure restoration time. If so, it considers the AD server restored and switches back to it; if not, it sends the authentication request to another AD server.

Figure 55 AD authentication policy configuration

Server configuration

The directory service of Windows 2000 Server or a later version is used.

1) Log in to the AD domain management platform. Log in to the Windows system, click Start, and select Programs > Administrative Tools > Active Directory Users and Computers.

2) Add a user. In the left navigation tree, select any container other than Builtin, either a built-in one or one you created. Right-click it and select New > User.

3) Configure the user. Type usera for both the full name and the logon name. Click Next, type the password, select Password never expires for the user, keep the default settings for the other items, and then click OK. (Password never expires is convenient for a test account; production accounts should follow the domain password policy.)

4) Add a group. In the left navigation tree, select any container other than Builtin. Right-click it and select New > Group.

5) Configure the group. Specify the group name as usergroup, which must also exist on the SSL VPN gateway. Keep the default settings for the other items.

6) Add the user to the group. Select group usergroup, right-click it, and select Properties. Click the Members tab and then Add. Enter usera in the Enter the object names to select field and click Check Names; the system checks and completes the username. Click OK.
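The server list and failure restoration time behaviour described above can be modelled as follows. This is an added example written for this edit, not H3C's implementation: the server addresses are constructed, the clock is injectable so that the restoration timer can be exercised without waiting, and the real LDAP bind against AD is replaced by simulated_bind, a stand-in that only distinguishes an unreachable server from a wrong password. That distinction is the point of the example: a wrong password is a normal negative answer and must not mark the server as failed, otherwise a stream of bad logins would move authentication off the primary server.

```python
"""AD server selection with failure restoration time (added example).

Servers come from a semicolon separated list, a server that cannot be reached is
marked failed, and it is tried again only after the restoration time has elapsed.
The addresses used with this class are constructed placeholders.
"""
import time


class AdServerPool:
    def __init__(self, server_list, restore_seconds, clock=time.monotonic):
        self.servers = [s.strip() for s in server_list.split(";") if s.strip()]
        if not self.servers:
            raise ValueError("empty AD server list")
        self.restore_seconds = restore_seconds
        self.failed_at = {}      # server -> clock time of its last connection failure
        self.clock = clock       # injectable so tests can move time forward

    def available(self):
        """Servers to try now, in configured order; expired failures are cleared first."""
        now = self.clock()
        for server, when in list(self.failed_at.items()):
            if now - when >= self.restore_seconds:
                del self.failed_at[server]   # restoration time exceeded: considered resumed
        return [s for s in self.servers if s not in self.failed_at]

    def authenticate(self, user, password, bind):
        """bind(server, user, password) returns True/False for the credential check or
        raises ConnectionError when the server is down. Returns (result, server_used).
        A False result is an answer, not a failure, so the server stays available."""
        for server in self.available():
            try:
                return bind(server, user, password), server
            except ConnectionError:
                self.failed_at[server] = self.clock()
        raise RuntimeError("no AD server reachable")


def simulated_bind(down, directory):
    """Constructed stand-in for an LDAP bind against AD (no network): `down` is a set of
    unreachable server addresses, `directory` maps user -> password."""
    def bind(server, user, password):
        if server in down:
            raise ConnectionError(server)
        return directory.get(user) == password
    return bind
```

With a restoration time of 300 seconds, a primary server that goes down is skipped for exactly that long and then tried first again; while it is down, users keep authenticating against the secondary without noticing.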

Verifying the AD authentication configuration

After logging in, remote user usera can access the resources. If the default authentication type is AD, users can log in directly as usera.

Combination Authentication

Feature overview

A combination authentication policy combines any two of the four authentication policies (local, RADIUS, LDAP, and AD): the system authenticates a user twice, once with each of the two specified policies. Suppose the application is "username and password + authentication code". The user first enters the username and password. After that authentication succeeds, the system sends an authentication code to the user's mobile phone by short message and presents the login page again, and the user enters the authentication code for the second authentication.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree. Select the Combination Authentication tab to enter the combination authentication policy configuration page.

2) Select Enable Authentication to enable combination authentication, and configure the authentication policies to be used for the first and second authentications. In this example, configure them as local authentication and RADIUS authentication respectively.

3) Password Input Needed selects whether the user must enter a password for the second authentication. If you select this option, the system presents the login page to the user again after the first authentication succeeds, and the user enters the password for the second authentication. At present, this option takes effect only if customized authentication pages are configured.

Figure 56 Combination authentication policy configuration

Verifying the combination authentication configuration

Log in as a common user; the system authenticates you twice, first with local authentication and then with RADIUS authentication. The result of the first authentication determines the resources you can access after login.

USB-Key Certificate Authentication

Feature overview

Remote users keep their client certificate in a USB-Key smart card and use it to pass certificate authentication at login.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree to enter the authentication policy management page.

2) Select the Local Authentication tab to enter the local authentication policy configuration page.

3) For Authentication Method, that is, the certificate policy, select Password + Certificate or Certificate.

4) Make sure that the smart card driver is installed on the client PC and that a valid client certificate has been imported into the smart card. A valid certificate is one that is within its validity period and was issued by the CA that issued the SSL VPN gateway certificate.

Verifying the USB-Key certificate authentication

On the remote client PC, insert the USB-Key smart card. The smart card driver installed on the PC makes the certificate stored in the key available to the IE browser, and the certificate is used for authentication during SSL connection establishment. Note that the value of the Issued To field in the client certificate must be the actual, valid login username.

Binding the Certificate Serial Number and Username

Feature overview

Binding a certificate serial number to a username ensures that a certificate can only be used for the account it was issued for, which is a more secure access method than accepting any certificate from the CA for any username.

Configuration procedure

1) Make sure that the certificate policy for local authentication is password plus certificate. (Select Domain > Authentication Policy from the navigation tree. Select the Local Authentication tab to enter the local authentication policy configuration page. Select Password + Certificate for Authentication Method.)

2) Select User > Local User from the navigation tree to enter the local user list page. Click Add to enter the local user configuration page.

3) Create local user svpn, set the password, set the certificate serial number to the serial number of the certificate that svpn will present, select Permitted for Status, and add the user to a group. Log in as user svpn with that certificate. You will see result 1).

Figure 57 Bind a local user with a certificate serial number

4) On the local user configuration page, change the certificate serial number to a different value. Log in as user svpn, still using the same certificate. You will see result 2).

5) On the local user configuration page, change the certificate serial number back to the correct one and change the status to Denied. Log in as user svpn with the same certificate. You will see result 3).

Results of the certificate serial number-to-username binding configurations

1) User svpn logs in successfully.

2) User svpn cannot log in. The system reports that the client certificate is not the one bound to the username.

3) User svpn cannot log in. The domain administrator can control user access in this way.

Configuration guidelines

The binding function takes effect only when Password + Certificate is configured in the authentication policy. Currently, it applies to local authentication only. The resources that a user bound to a certificate serial number can access are still determined by the user group the user belongs to. The bound serial number must be that of the certificate the user presents at login. Serial numbers are unique only within one CA, so the binding is meaningful only together with the issuer check performed by the certificate policy.

Security Checking and Dynamic Authorization Configuration Example

Security Checking

Feature overview

The SSL VPN system performs a security check of the user hosts before granting access.

Configuration procedure

1) Select Domain > Security Policy from the navigation tree to enter the security policy management page. Click Add.

2) Add a security policy named sec1, select level 1, and specify the check categories, such as operating system, browser, anti-virus software, firewall, and other security related items. For example, in this policy specify the operating system as Windows XP Professional and the browser as IE 6.0 or later.

3) Add a description for this policy, for example, the base level.

Figure 58 Configure a browser rule

Add another policy:

1) Add a security policy named sec10, select level 10, and specify the operating system as Windows XP Professional and the browser as IE 7.0 or later.

2) Add a description for this policy, for example, the top level.

Figure 59 Configure an operating system rule

Security checking verification

The security policies are configured successfully.

Configuration guidelines

For security policy levels, the larger the level number, the higher the priority.

A security policy includes several check categories, and the relationship between them is logical AND: a host passes the security policy only if it passes every check category.

Each check category includes several check rules, and the relationship between them is logical OR: a host only needs to satisfy one check rule in the category. For example, you can configure the two check rules Windows XP Professional and Windows Me in the check category Operating System. A host then passes the operating system check if its operating system is either Windows XP Professional or Windows Me.

If you define multiple security policies, the security check starts from the policy with the highest priority and stops as soon as a policy is passed, or after all policies have failed. The security policy that a host passes determines the resources assigned to the user. Note that the check relies on information collected by the client component on the host, so it is a hygiene gate rather than proof of host integrity.

Dynamic Authorization

Feature overview

SSL VPN assigns different resources to different users according to the security check results of their hosts. This is referred to as dynamic authorization of resources.

Configuration procedure

1) After configuring the security policies, click Apply to return to the security policy list page.

2) Select a security policy and click Configure Resource to enter the page for assigning resources to the policy. The resources include Web resources, TCP resources, and IP resources.

3) Assign only Web resources to policy sec1, and all resources to policy sec10.

Figure 60 Assign Web resources to sec1

4) Select Domain > Basic Configuration from the navigation tree. The domain policy configuration page appears. Select Enable security policy and then click Apply.
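As an added example (written for this edit, not code from the H3C product), the following implements the evaluation rules that the configuration guidelines above state, AND across categories, OR within a category, highest level first, first pass wins, together with the resource assignment of dynamic authorization, using the two policies sec1 and sec10 of this section. The host attributes (os, browser, browser_version) and the way rules are expressed as predicates are assumptions of the example, as is the decision that a policy with no check categories passes nobody.

```python
"""Security policy evaluation and dynamic authorization (added example).

Categories inside a policy are ANDed, rules inside a category are ORed, policies
are tried from the highest level down, and the first policy passed decides the
resources. Host facts and policy contents below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    level: int
    rules: dict                      # category -> list of predicates (OR within the list)
    resources: set = field(default_factory=set)


def os_is(name):
    """Operating System rule: exact product match."""
    return lambda host: host.get("os") == name


def ie_at_least(version):
    """Browser rule: Internet Explorer of at least the given version."""
    return lambda host: host.get("browser") == "IE" and host.get("browser_version", 0) >= version


def passes(policy, host):
    """AND across categories, OR across the rules of one category.
    A policy without any category is treated as misconfigured and passes nobody."""
    if not policy.rules:
        return False
    return all(any(rule(host) for rule in rules) for rules in policy.rules.values())


def authorize(policies, host):
    """Return (policy_name, resources) for the highest-level policy the host passes,
    or (None, set()) when the host satisfies no policy and gets nothing."""
    for policy in sorted(policies, key=lambda p: p.level, reverse=True):
        if passes(policy, host):
            return policy.name, set(policy.resources)
    return None, set()


# The two policies of this section, with the OR example from the guidelines added to sec1.
SEC1 = Policy("sec1", 1, {
    "os": [os_is("Windows XP Professional"), os_is("Windows Me")],   # either OS passes
    "browser": [ie_at_least(6.0)],
}, {"web"})

SEC10 = Policy("sec10", 10, {
    "os": [os_is("Windows XP Professional")],
    "browser": [ie_at_least(7.0)],
}, {"web", "tcp", "ip"})

POLICIES = [SEC1, SEC10]
```

Because sec10 is evaluated first, a host that satisfies it never falls through to sec1, which is exactly why the guideline below recommends giving the higher-priority policy the larger resource set.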

Figure 61 Enable security checking

Dynamic authorization verification

A remote host whose operating system is Windows XP Professional and whose IE version is 6.0 or later (but below 7.0) satisfies security policy sec1 and can access only Web resources. A remote host whose operating system is Windows XP Professional and whose IE version is 7.0 or later satisfies security policy sec10 and can access all resources.

Configuration guidelines

Because the security check starts from the policy with the highest priority and stops as soon as a policy is passed, assign more resources to the policies with higher priority. Otherwise a host that satisfies the stricter policy is granted the smaller resource set.

Other Features

Importing User Accounts in Batches

Feature overview

The SSL VPN system allows you to import local user accounts in batches.

Configuration procedure

1) First, create a file named Batch Import.txt containing the user accounts to be imported. Then select User > Batch Import from the navigation tree to enter the batch import page.

2) Click Browse to locate the file Batch Import.txt, and then click Import.

Batch import result

A message appears telling you that the batch configuration of users completed successfully.

Select User > Local User from the navigation tree; all users in the file have been imported into the SSL VPN system.

Configuration guidelines

The batch import file contains one account per line, in the form

username password

At present, only usernames and passwords can be imported. A username and its password are separated by a space or a tab, so neither may contain whitespace. Users imported in batches do not overwrite existing local users. Because the file holds clear-text passwords, delete it once the import has succeeded.

User Interface Customization

Feature overview

User interface customization includes partial customization and full customization.

Partial customization: customize the login page logo and title, the welcome title, and the service page logo, title, and background picture.

Full customization: customize the entire login page for common users.

Partial customization configuration procedure

1) Select Device > Device Management from the navigation tree. Select the UI Customizing tab and then click Partial customization to customize part of the UI pages.

2) Configure the login page title, the login page welcome title, and the service page title. Figure 62 illustrates these titles.

3) Customize the service page logo and the login page logo. Click Browse to select a picture file, and then click Update to replace the logo with the picture in the file. Figure 62 illustrates these pictures.

Figure 62 Custom titles and pictures

Partial customization configuration result

The system prompts that the configuration or update succeeded. Open the login page; the login page title, welcome title, and logo are updated. Log in as user svpn; the service page title and logo are updated.

Configuration guidelines

There are requirements on the width and height of a picture. Refer to the information on the configuration page for details.

Full customization configuration procedure

1) Define a custom page, which usually consists of one or more htm, js, css, and picture files.

2) Telnet to the device and create the directory www/login under the directory flash:/domain1, so that the storage directory of the custom page is flash:/domain1/www/login. Then upload all files of the custom page to this directory through TFTP or FTP, as shown in Figure 63, where user.htm is the login page file. (SecBlade SSL VPN has two types of storage device, CF card and Flash; SecPath SSL VPN provides Flash only. Flash is used in this example.) Telnet, TFTP, and FTP carry credentials and files in clear text, so use them only over the management network.

Figure 63 Upload the custom page

3) Log in to the SSL VPN system as an administrator. Select Device > Device Management from the navigation tree. Select the UI Customizing tab and then click Full customization to customize the common user login page fully. In this example, the page storage directory is flash:/domain1/www/login and the login page file is user.htm, as shown in Figure 64. (For SecBlade SSL VPN, which has two storage devices, enter the directory without the storage device name, for example, /domain1/www/login.)

Figure 64 Full page customization for SecPath SSL VPN

4) Save the domain configuration file and then reboot the domain or restart the SVPN service.

Full customization configuration result

The login page customized for common users takes effect.

External Network Access Control

Feature overview

The domain administrator can specify whether a logged-in user can access the Internet in addition to the VPN.

Configuration procedure

1) Select Resource > IP Network from the navigation tree, and then select the Global Configuration tab.

2) Configure the IP address pool: set the start IP address, the end IP address, the subnet mask, and the gateway IP address.

3) Select the Host Configuration tab to configure the IP host resource. Configure the accessible host as a single address (a /32 prefix).

4) Select the Global Configuration tab. In the Configure Basic Parameters area, select Access VPN Only. Log in as a common user. You will see result 1).

Figure 65 Specify that login users can access the VPN only (SecPath SSL VPN)

5) Select the Global Configuration tab. In the Configure Basic Parameters area, clear Access VPN Only. Log in as a common user. You will see result 2).

Verification

1) After you log in, the virtual network adapter has the address pool gateway as its default gateway, and the default gateway of the PC has been replaced by it. In this case you can access only the SSL VPN; you cannot access the Internet.

Figure 66 Virtual network adapter configuration information

Figure 67 Routing information on the PC

2) After logging in, the virtual adapter has no default gateway. View the routes and you can see that the default gateway of the PC is unchanged. In this case you can access both the VPN and the Internet (split tunneling): only the routes to the configured resources go through the virtual adapter, so the host is connected to the internal network and to the Internet at the same time. See Verifying the IP Service Configuration.

Guest Account

Feature overview

The SSL VPN system provides a default account named guest, which lets remote users log in without a password. Multiple users can use the guest account simultaneously, and the administrator can define the maximum number of concurrent guest logins. Because guest logins are anonymous, give the Guests group only resources that may be exposed to anyone who can reach the gateway.

Configuration procedure

1) Log in as the administrator and select User > Local User from the navigation tree to enter the local user list page. Select account guest and click Configure to enter the local user configuration page.

Figure 68 guest user configuration page

2) Select User > User Group from the navigation tree. Select group Guests and click Configure. Add resource groups and user guest to the group; user guest can then access the resources added to group Guests.

Figure 69 guest user group configuration page

Verification

User guest logs in successfully. Ten users can log in using the guest account at the same time.

Figure 70 User guest logs in successfully

Certificate Management

Feature overview

You can replace the system default CA certificates with your own certificates and manage them, so as to define your own CA authentication system as needed.

Configuration procedure

1) Log in as the administrator. Select Domain > Basic Configuration from the navigation tree, and then select the Certificate Management tab.

2) In the Import CA Certificate area, click Browse to locate the CA certificate file, and then click Update to import the CA certificate.

3) In the Import Local Certificate area, specify the password of the local certificate, click Browse to locate the local certificate file, and then click Update to import the local certificate.

4) In the Configure CRL area, select the check box next to Enable CRL Checking to enable CRL checking, type the URL from which the CRL is obtained, and specify the CRL update interval. Click Apply to submit the settings. Without CRL checking, a revoked client certificate (for example one on a lost USB-Key) is still accepted until it expires.

5) After the above configuration, click Reboot web service to restart the SSL VPN Web service so that the certificates take effect. (For SecBlade SSL VPN, reboot the Web service from the CLI.)

Figure 71 Certificate management page

Certificate management configuration result

"Imported the CA certificate successfully." is displayed.

"Imported the domain certificate successfully." is displayed.

"Configured the CRL parameters successfully." is displayed.

Open the SSL VPN homepage; the certificate presented by the server is the local certificate imported last.

Configuration guidelines

Read the contents of the Note area carefully and comply with them.

Auto Login Using Certificate

Feature overview

After an enterprise has built its own CA system, the client certificate issued to a common user identifies that user uniquely. Assuming that the holder of the client certificate is legitimate and the certificate is valid, SSL VPN login can be reduced to client certificate authentication, without a username and password. This is usually implemented by importing the client certificate into a dedicated certificate store such as a USB-Key: the certificate in the USB-Key cannot be exported and a PIN is required to use it, so the certificate is hard to steal, and its validity is easy to control through the certificate revocation list mechanism. Local authentication is used in this example.

Configuration procedure

1) Import the CA and local certificates. See Certificate Management.

2) Create a local user. See Creating a User and User Group, and Associating the Resource Group and User Group.

3) Assign a client certificate issued by the CA system to the local user and import the client certificate into the USB-Key or into IE.

4) Log in as the administrator. Select Domain > Authentication Policy from the navigation tree, and then select the Local Authentication tab. Select Certificate as the certificate policy, as shown in the following figure.

Figure 72 Configure the local authentication policy as certificate authentication

5) Select Domain > Basic Configuration from the navigation tree. The domain policy configuration page appears. Select Enable Auto Login and specify the default authentication method as Local.

Figure 73 Basic configuration of domain policy

Verification

On the client PC, enter the SSL VPN gateway URL in the address bar of the browser; the client certificate selection dialog box appears. Select the client certificate and click OK. The system logs in to the SSL VPN with the account named in the certificate.

Configuration guidelines

1) The client certificate must be the one issued to the login user, that is, the value of the Issued To field in the certificate must be the actual, valid login username; otherwise the user cannot log in. Since the Issued To value alone selects the account, control who can obtain certificates with a chosen subject name from the trusted CA; that CA should issue client certificates for this gateway only.

2) The RADIUS authentication policy does not support the certificate auto login feature.

Auto Start of Resources (autostart)

Feature overview

When this feature is configured and a common user logs in, the system automatically starts the Web, TCP, and IP resources predefined by the administrator, so that the user does not have to start them manually. For TCP and IP resources, the system automatically starts their shortcuts, if any.

Configuration procedure

1) Log in as the administrator and create the resources to be made available to common users.

2) Select Resource > Resource Group from the navigation tree. Select the resource group autostart and click Configure to enter the autostart configuration page. In this example, add the Web resource to the group.

Figure 74 Configure resource group autostart

3) Assign resource group autostart to common users. See Creating a User and User Group, and Associating the Resource Group and User Group.

Verification

After a user logs in, the system automatically starts the Web resource for the user.

Auto Login to Services (autohome)

Feature overview

With this feature enabled, after a common user logs in to the SSL VPN system, the system does not present the resource access page. Instead, it opens the service page that the user is allowed to access directly, together with an SSL VPN control window that the user can use to exit the VPN.

Configuration procedure

1) The administrator creates the service page for the auto login feature.

2) Log in as the administrator. Select Resource > Resource Group from the navigation tree. Select resource group autohome and click Configure. Add the auto login resource to this group.

Figure 75 Configure resource group autohome
3) Assign this resource group to common users. See Creating a User and User Group, and Associating the Resource Group and User Group.

Verification
After a common user logs in, the system pushes the following pages to the user.

Figure 76 Related pages of the autohome feature

Single Sign-On
Feature overview
After a user logs in to the SSL VPN system, if the user clicks a resource link configured with single sign-on (SSO), the SSL VPN system logs the user in to the resource directly instead of pushing the login page of the resource to the user. This frees users from remembering a different username and password combination for each application system.

Configuration procedure
1) Log in as the administrator. Create a Web resource and configure SSO for the resource. Obtain the path and parameters submitted during login by capturing the login request with HttpWatch or Ethereal (a browser HTTP capture tool or a packet sniffer). Then type the path and parameters in the corresponding fields on the Web proxy configuration page. In this example the SSL VPN login page itself is used as the target application.

Figure 77 Web proxy configuration page

Figure 78 Obtain login parameters through HttpWatch
Note: The Submit Path field determines whether the resource is accessed through the Web proxy or in IP mode. Select this field to use IP access, and deselect it to use Web proxy access.
2) Create the corresponding IP resource. This step is required only when the SSO resource uses IP access mode.
Figure 79 Configure the SSO IP resource
3) Assign the added Web resource and IP resource to common users. See Creating a User and User Group, and Associating the Resource Group and User Group.
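As an added example (not H3C's code and not part of the original document), the following Python script models the procedure above: it parses a captured login request in the form HttpWatch or Ethereal would show it, extracts the submit path and form parameters that go into the Web proxy configuration page, replaces the captured credentials with placeholders, and renders the form body the gateway submits with the user's own username and SSL VPN password. The captured request, the host tech.example.com, the path /svpn/login.cgi and the field names username and password are constructed for illustration.

```python
"""Model of the SSO setup step: capture -> submit path/parameters -> replay.

Added example, not H3C's code. Host, path, field names and values are assumed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample: a login POST as a capture tool (HttpWatch, Ethereal)
# would display it. Host, path, field names and values are assumptions.
CAPTURED_LOGIN_POST = (
    "POST /svpn/login.cgi?lang=en HTTP/1.1\r\n"
    "Host: tech.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 62\r\n"
    "\r\n"
    "username=tester&password=Secret%211&domain=domain1&login=Login"
)


def parse_login_request(raw):
    """Split a raw HTTP request into (method, submit_path, query, form_fields).

    The submit path and the form fields are what the administrator types into
    the Web proxy configuration page; the query string is kept separately
    because the gateway must reproduce it as well.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    fields = dict(parse_qsl(body, keep_blank_values=True))
    return method, parts.path, query, fields


def build_sso_template(fields, user_field, pass_field):
    """Replace the captured credentials with placeholders; keep all other fields.

    Hidden inputs, the domain and the submit button value are kept verbatim,
    because the application normally rejects the login without them.
    """
    if user_field not in fields or pass_field not in fields:
        raise ValueError("captured form does not contain the expected credential fields")
    template = dict(fields)
    template[user_field] = "{username}"
    template[pass_field] = "{password}"
    return template


def render_sso_body(template, username, password):
    """Build the URL-encoded body the gateway submits on the user's behalf."""
    filled = {}
    for name, value in template.items():
        if value == "{username}":
            filled[name] = username
        elif value == "{password}":
            filled[name] = password
        else:
            filled[name] = value
    # urlencode percent-encodes '@', '&', '=' and similar characters, so a
    # password containing them cannot break the form or inject extra fields.
    return urlencode(filled)


if __name__ == "__main__":
    method, path, query, fields = parse_login_request(CAPTURED_LOGIN_POST)
    template = build_sso_template(fields, "username", "password")
    print("Submit path:", method, path, query)
    print("Parameters :", template)
    print("Replayed   :", render_sso_body(template, "svpn", "p@ss&word"))
```

The point of keeping every non-credential field verbatim is that most login forms carry hidden or fixed inputs that the capture tool shows but the administrator may be tempted to drop; the replay fails without them. Percent-encoding the substituted values matters because the gateway fills in whatever password the user chose.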

Verification
After common user svpn logs in to the SSL VPN system and clicks resource tech_sso, the SSL VPN system automatically logs the user in to the application system of the tech website, using svpn as the username and the user's SSL VPN login password as the password. Note that SSO therefore sends the user's SSL VPN password to the application system, so configure SSO only for application systems that are trusted with that credential.

Log Management
Feature overview
This feature records SSL VPN logs, including administrator operation logs, such as adding and deleting users and resources, and common user access logs, such as logging in to and out of the SSL VPN system and accessing resources.

Configuration procedure
1) In the CLI of the device, configure the log source and log host.
info-center channel 9 name SVPN
info-center source SVPN channel 9 log level debugging   /* Send SVPN logs to information center channel 9 */
info-center logbuffer channel 9 size 1024   /* Record SVPN logs in the log buffer */
info-center loghost   /* Specify the log host */
The log buffer holds a limited number of entries (1024 here) and does not survive a reboot, so send the logs to a log host if they must be retained.
2) Log in as the administrator and perform operations.
3) Log in as a common user and access resources.

Verification
Use the display logbuffer command on the device, or view the log host, and you can see SVPN logs in the following format:
%Jun 5 14:54:44: H3C SVPN/6/SVLOG: Administrator : administrator@domain1[0x ] Operation : create local user account Parameters : user name=user1, description=test, status=active,public account=no, simuuser=0
%May 20 16:25:08: PE1 SVPN/6/SVLOG: User(vpn1@domain1) logoff!
%May 20 16:25:16: PE1 SVPN/6/SVLOG: User(vpn1@domain1) logon from IP:
%May 20 16:25:32: PE1 SVPN/6/SVLOG: User(vpn1@domain1) visits site:

MPLS VPN (supported by only SecPath SSL VPN)
Feature overview
This feature allows the SSL VPN gateway to act as a PE, so that remote users can access an MPLS VPN through SSL VPN.

Configuration procedure
1) In the CLI of the device, create VPN instances, configure the RD and RT of the VPN instances, and configure BGP and other MPLS related settings. These configurations are the same as common MPLS VPN configurations, except that you do not need to bind a VPN instance to an interface in the CLI. Refer to the configurations in the attached file PE(SSL VPN).txt.
2) Log in as the administrator and select Resource > IP Network from the navigation tree. Select the Global Configuration tab. Create an address pool and bind the corresponding VPN instance to it.
Figure 80 Create an address pool and bind a VPN instance
3) Create resources corresponding to the different VPNs. Refer to Host Configuration.
4) Create the users of the different VPNs.
5) Log in as the administrator. Select User > User Group from the navigation tree. Create a separate user group for each VPN instance, and add the corresponding users and resources to each user group. Because each virtual interface is bound to a different VPN instance, a user group is bound to a VPN instance by binding it to a virtual interface.

Figure 81 Create the user group that can access VPN 1 resources

Verification
Users of different VPNs can access the resources of their own VPNs. Users can access MPLS VPN resources through the TCP, Web, and IP services.

Configuration guidelines
Only the V1000 version of SecPath SSL VPN supports MPLS VPN.
The VPN that a login user can access is determined by the user group to which the user belongs. The VPN attribute of a user group is determined by the VPN to which the user group's bound virtual interface belongs. If no VPN is bound to the virtual interface that is bound to a user group, users in the user group use public routes to access resources after logging in. If no virtual interface is bound to a user group, users of the user group cannot obtain an IP address after login, so the IP network service fails to start. A VPN user must belong to exactly one user group.
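The following Python script is an added example for the Log Management section above (it is not H3C's code and not part of the original document). It parses SVLOG lines in the two formats shown there, administrator operation records and common user access records, into structured events, and then summarizes them the way an operations team would read a logbuffer dump or a log host file: which source IPs each user logged on from, which users were seen from more than one IP, and which administrator operations created accounts. The log lines, users, IP addresses, timestamps and the session identifier 0x0001 are constructed for illustration.

```python
"""Parse SVPN SVLOG lines and summarize them for review.

Added example, not H3C's code. The sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample in the two SVLOG shapes shown under Log Management.
# Users, IP addresses, timestamps and the session id 0x0001 are invented.
SAMPLE_SVPN_LOGS = """\
%Jun  5 14:54:44: H3C SVPN/6/SVLOG: Administrator : administrator@domain1[0x0001] Operation : create local user account Parameters : user name=user1, description=test, status=active,public account=no, simuuser=0
%May 20 16:25:08: PE1 SVPN/6/SVLOG: User(vpn1@domain1) logoff!
%May 20 16:25:16: PE1 SVPN/6/SVLOG: User(vpn1@domain1) logon from IP:198.51.100.7
%May 20 16:25:32: PE1 SVPN/6/SVLOG: User(vpn1@domain1) visits site:http://intranet.example.com/
%May 20 16:26:02: PE1 SVPN/6/SVLOG: User(vpn1@domain1) logon from IP:203.0.113.9
%May 20 16:27:10: PE1 SVPN/6/SVLOG: User(vpn2@domain1) logon from IP:198.51.100.7
"""

# Envelope common to every line: %<timestamp>: <host> SVPN/<severity>/SVLOG: <message>
LINE_RE = re.compile(
    r"^%(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}): (?P<host>\S+) "
    r"SVPN/(?P<sev>\d)/SVLOG: (?P<msg>.*)$"
)
# Administrator operation record.
ADMIN_RE = re.compile(
    r"^Administrator : (?P<admin>\S+?)\[(?P<session>[^\]]*)\] "
    r"Operation : (?P<op>.+?) Parameters : (?P<params>.*)$"
)
# Common user access record: logon, logoff or resource visit.
USER_RE = re.compile(
    r"^User\((?P<user>[^)]+)\) "
    r"(?:logon from IP:(?P<ip>\S*)|(?P<logoff>logoff)!|visits site:(?P<site>\S*))$"
)


def parse_line(line):
    """Return one event dict, or None if the line is not an SVLOG record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "severity": int(m["sev"])}
    msg = m["msg"]
    a = ADMIN_RE.match(msg)
    if a:
        params = {}
        for item in a["params"].split(","):
            if "=" in item:
                key, value = item.strip().split("=", 1)
                params[key] = value
        event.update(kind="admin", actor=a["admin"], operation=a["op"], params=params)
        return event
    u = USER_RE.match(msg)
    if u:
        event["actor"] = u["user"]
        if u["logoff"]:
            event["kind"] = "logoff"
        elif u["site"] is not None:
            event.update(kind="visit", site=u["site"])
        else:
            event.update(kind="logon", ip=u["ip"])  # ip may be empty if the gateway omitted it
        return event
    event.update(kind="other", message=msg)
    return event


def parse_svpn_logs(text):
    """Parse every non-empty line of a logbuffer dump or syslog file."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def summarize(events):
    """Source IPs per user, users seen from more than one IP, and admin account operations."""
    ips_by_user = defaultdict(set)
    admin_ops = []
    for ev in events:
        if ev["kind"] == "logon":
            ips_by_user[ev["actor"]].add(ev["ip"])
        elif ev["kind"] == "admin":
            admin_ops.append((ev["actor"], ev["operation"], ev["params"].get("user name")))
    return {
        "ips_by_user": {u: sorted(ips) for u, ips in ips_by_user.items()},
        "multi_ip_users": sorted(u for u, ips in ips_by_user.items() if len(ips) > 1),
        "admin_ops": admin_ops,
    }


if __name__ == "__main__":
    summary = summarize(parse_svpn_logs(SAMPLE_SVPN_LOGS))
    for user, ips in summary["ips_by_user"].items():
        print(user, "logged on from", ", ".join(ips))
    print("users seen from more than one IP:", summary["multi_ip_users"])
    print("account operations by administrators:", summary["admin_ops"])
```

A user who logs on from two different source addresses within a short span, as vpn1@domain1 does in the sample, is worth a second look (shared or stolen credentials), and every administrator record that creates or changes an account should be reconciled against a change ticket; both checks only work if the logs are collected on the log host rather than read from the volatile buffer.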

SSL Offload (supported by only SecBlade SSL VPN)
Feature overview
With SSL offload, the SecBlade SSL VPN performs SSL encryption and decryption on behalf of the internal Web server, so that outside users get secure (SSL encrypted) access to the Web server while the Web server itself only processes the service and spends no CPU resources on SSL encryption and decryption, which improves the service processing capability of the Web server. Because the Web server no longer handles SSL, the traffic between the SSL VPN gateway and the Web server is unencrypted, so that segment must stay on a trusted internal network.

Configuration procedure
1) Log in as the administrator. Select Device > Device Management from the navigation tree, and then select the Work Mode tab. Set the work mode of the SSL VPN gateway to SSL offload mode.
Figure 82 Configure the work mode of the SSL VPN gateway
2) Create the SSL offload resource. Log in as the super administrator. Select Resource > SSL Offload from the navigation tree, configure the SSL offload policy, and create the SSL offload resource.
Figure 83 Configure the SSL offload policy and create the SSL offload resource
3) Configure a route so that when the client PC accesses the IP address configured for the SSL offload resource, the packets are routed to the SSL VPN gateway.

Verification
On the client PC, enter in the address bar of the browser to open the tech website.

License (supported by only SecBlade SSL VPN)
Feature overview
The SecBlade SSL VPN system controls the maximum number of online users through a license.

Configuration procedure
1) Log in as the super administrator. Select Domain > Domain Management from the navigation tree, and then select the License tab to enter the license management page.
2) Use the number in the Device Serial Number field to apply for a license file, which usually has the suffix .lic, such as 1000user.lic.
3) Click Browse to select the obtained license file and click Apply.
Figure 84 License management page

Verification
Log in as the super administrator and create a domain. During the operation, you can see that the maximum number of online users has been updated to the value specified in the applied license.


Connecting CoovaAP 1.x with RADIUSdesk - Basic 2017/05/17 21:58 1/13 Connecting CoovaAP 1.x with RADIUSdesk - Basic Connecting CoovaAP 1.x with RADIUSdesk - Basic Introduction CoovaAP is a sub-project of Coova.org. It is custom firmware which can be

More information

RX3041. User's Manual

RX3041. User's Manual RX3041 User's Manual Table of Contents 1 Introduction... 2 1.1 Features and Benefits... 3 1.2 Package Contents... 3 1.3 Finding Your Way Around... 4 1.4 System Requirements... 6 1.5 Installation Instruction...

More information

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Fireware-Essentials.  Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7. Fireware-Essentials Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.0 http://www.gratisexam.com/ Fireware Essentials Fireware Essentials Exam Exam A QUESTION 1 Which

More information

Stateful Failover Technology White Paper

Stateful Failover Technology White Paper Stateful Failover Technology White Paper Keywords: Stateful failover, master/backup mode, load balancing mode, data synchronization, link switching Abstract: A firewall device is usually the access point

More information

Administrator's Guide

Administrator's Guide Administrator's Guide Contents Administrator's Guide... 7 Using Web Config Network Configuration Software... 8 About Web Config... 8 Accessing Web Config... 8 Restricting Features Available for Users...

More information

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee HC-711 Q&As HCNA-CBSN (Constructing Basic Security Network) - CHS Pass Huawei HC-711 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing Guarantee 100% Money

More information

Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation...

Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation... SonicOS Contents Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation...7 Platform Compatibility The SonicOS

More information

Portal configuration commands

Portal configuration commands Contents Portal configuration commands 1 display portal acl 1 display portal connection statistics 5 display portal free-rule 7 display portal interface 9 display portal-roaming 11 display portal server

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.3 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.3-111215-01-1215

More information

Troubleshooting DHCP server configuration 28

Troubleshooting DHCP server configuration 28 Contents DHCP overview 1 Introduction to DHCP 1 DHCP address allocation 1 Allocation mechanisms 1 Dynamic IP address allocation process 2 IP address lease extension 2 DHCP message format 3 DHCP options

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Operation Manual DHCP H3C S3600 Series Ethernet Switches-Release Table of Contents

Operation Manual DHCP H3C S3600 Series Ethernet Switches-Release Table of Contents Table of Contents Table of Contents Chapter 1 DHCP Overview... 1-1 1.1 Introduction to DHCP... 1-1 1.2 DHCP IP Address Assignment... 1-1 1.2.1 IP Address Assignment Policy... 1-1 1.2.2 Obtaining IP Addresses

More information

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM This lab has been updated for use on NETLAB+ Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces.

More information

Cisco VPN Software Client Installation Guide for RTP2 Beta-Test

Cisco VPN Software Client Installation Guide for RTP2 Beta-Test DOC Cisco VPN Software Client Installation Guide for RTP2 Beta-, This guide provides firewall and network considerations and step-by-step instructions on how to install a Cisco VPN Software Client and

More information

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0 i Hangzhou DPtech Technologies Co., Ltd. provides full- range technical support. If you need any

More information

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Question Number (ID) : 1 (jaamsp_mngnwi-088) You are the administrator for medium-sized network with many users who connect remotely. You have configured a server running Microsoft Windows Server 2003,

More information

H3C SecBlade SSL VPN Card

H3C SecBlade SSL VPN Card H3C SecBlade SSL VPN Card License Registration and Activation Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document version: 5PW100-20101220 Copyright 2010, Hangzhou H3C Technologies Co.,

More information

Installation guide for Choic Multi User Edition

Installation guide for Choic Multi User Edition Installation guide for ChoiceMail Multi User Edition March, 2004 Version 2.1 Copyright DigiPortal Software Inc., 2002 2004 All rights reserved ChoiceMail Multi User Installation Guide 1. Go to the URL

More information

HP Intelligent Management Center v7.1 Branch Intelligent Management System Administrator Guide

HP Intelligent Management Center v7.1 Branch Intelligent Management System Administrator Guide HP Intelligent Management Center v7.1 Branch Intelligent Management System Administrator Guide Abstract This document describes how to administer the HP IMC Branch Intelligent Management System. HP Part

More information

KYOCERA Net Admin User Guide

KYOCERA Net Admin User Guide KYOCERA Net Admin User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

VMware Horizon View Deployment

VMware Horizon View Deployment VMware Horizon View provides end users with access to their machines and applications through a unified workspace across multiple devices, locations, and connections. The Horizon View Connection Server

More information

A5500 Configuration Guide

A5500 Configuration Guide A5500 Configuration Guide Sri Ram Kishore February 2012 Table of contents Gateway Configuration... 3 Accessing your gateway configuration tool... 3 Configuring your broadband Internet access... 3 Configuring

More information

Message Networking 5.2 Administration print guide

Message Networking 5.2 Administration print guide Page 1 of 421 Administration print guide This print guide is a collection of system topics provided in an easy-to-print format for your convenience. Please note that the links shown in this document do

More information

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide BlackBerry Enterprise Server for Microsoft Office 365 Version: 1.0 Administration Guide Published: 2013-01-29 SWD-20130131125552322 Contents 1 Related resources... 18 2 About BlackBerry Enterprise Server

More information

Managing NCS User Accounts

Managing NCS User Accounts 7 CHAPTER The Administration enables you to schedule tasks, administer accounts, and configure local and external authentication and authorization. Also, set logging options, configure mail servers, and

More information