H3C SecPath SSL VPN. Administrator Manual. Hangzhou H3C Technologies Co., Ltd. Manual Version: 5PW


H3C SecPath SSL VPN Administrator Manual Hangzhou H3C Technologies Co., Ltd. Manual Version: 5PW100-20090624

Copyright 2009, Hangzhou H3C Technologies Co., Ltd. and its licensors. H3C Technologies Co., Ltd., a subsidiary of 3Com Corporation. All Rights Reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks Notice
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

About This Manual

Organization
H3C SecPath SSL VPN Administrator Manual is organized as follows:

Part 1 SSL VPN Overview
  This part introduces SSL VPN functions, implementation, applications, hardware structure and installation procedures of the SSL VPN devices, as well as the command line configuration needed before enabling the SSL VPN device, including applying for certificates, creating an SSL server policy and a Web server policy, and enabling the Web service and SSL VPN service. It also introduces how to log in to the SSL VPN system through the Web, and the functional areas of the SSL VPN administrator management interface, including the navigation tree and the information display and configuration area.

Part 2 Device Management
  This part consists of system information and system management. System information provides you with the online user information, history information (maximum number of concurrent users and concurrent connections in the history), statistics, and system status information of the device, including the current system resource consumption, current SSL connection status, device startup time, SSL connection statistics, and other system related information. System management allows you to manage interfaces, configure a log host, customize login pages, save the configuration, and reboot the device.

Part 3 User Management
  This part describes the creation and configuration of users to be managed by the administrator.

Part 4 Resource Management
  This part introduces resource management in the SSL VPN system, such as creating and configuring the Web proxy server, remote access service, desktop sharing service, mail service, TCP service, IP network service, as well as resource groups.

Part 5 Domain Management
  This part describes the authentication policies of the SSL VPN system in detail, including configuring the authentication server, creating and configuring the security policy, buffering policy, and system bulletins.

Part 6 Configuration Examples
  This part gives examples of creating users and resources and assigning resources to users, and introduces how to limit the access rights of users with static and dynamic authorization.

Conventions
The manual uses the following conventions:

Command conventions
  Boldface: The keywords of a command line are in Boldface.
  italic: Command arguments are in italic.

  [ ]: Items (keywords or arguments) in square brackets [ ] are optional.
  { x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
  [ x | y | ... ]: Alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
  { x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
  [ x | y | ... ] *: Alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
  &<1-n>: The argument(s) before the ampersand (&) sign can be entered 1 to n times.
  #: A line starting with the # sign is a comment.

GUI conventions
  Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
  >: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols
  (symbol): Means reader be extremely careful. Improper operation may cause bodily injury.
  (symbol): Means reader be careful. Improper operation may cause data loss or damage to equipment.
  (symbol): Means a complementary description.

Related Documentation
In addition to this manual, each H3C SecPath SSL VPN documentation set includes the following:
  H3C SecPath SSL VPN User Manual: This manual describes the access modes of H3C SecPath SSL VPN system users to various resources.
  H3C SecPath Series Security Products Operation Manual: This manual describes the features, working principles, and configurations of the H3C SecPath series gateways/firewalls.
  H3C SecPath Series Security Products Command Manual: This manual describes the configuration commands of the H3C SecPath series gateways/firewalls, including command names, full command lines, parameters, operation views, usage guidelines, and examples.

Obtaining Documentation and Technical Support
To obtain up-to-date documentation and technical support, go to http://www.h3c.com and select your country or region. Depending on your selection, you will be redirected to either of the following websites:

At http://www.h3c.com
  Documentation: Go to the following columns for different categories of product documentation:
    [Products & Solutions]: Provides information about products and technologies, as well as solutions.
    [Technical Support & Document > Technical Documents]: Provides several categories of product documentation, such as installation, configuration, and maintenance.
    [Technical Support & Document > Software Download]: Provides the documentation released with the software version.
  Technical Support: customer_service@h3c.com, http://www.h3c.com

At http://www.h3cnetworks.com
  Documentation: Select Drivers & Downloads in the Support area. Select Documentation for Type of File and select Product Category.
  Technical Support: Please see the appendix Obtaining Support for Your Product.

Documentation Feedback
You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.

Table of Contents
1 SSL VPN Overview
2 SSL VPN Gateway Configuration
  Gateway Configuration
    Connecting to the SSL VPN Device
    Obtaining Certificates
    Configuring the Web Server
    Enabling SSL VPN Service
    Configuring the Gateway Reachable Function
3 Logging In to SSL VPN Management Interface
4 SSL VPN Management Platform
  Navigation Tree
  Information Display and Configuration Area

1 SSL VPN Overview

As a Virtual Private Network (VPN) is much cheaper and more flexible to use than leased lines, more and more companies are establishing VPNs over public networks such as the Internet, so as to allow employees working at home or traveling on business, employees of branch offices, and partners to access their internal networks.

Secure Sockets Layer (SSL) VPN is an emerging VPN technology for granular access control of network resources. It supports three resource access methods: Web access, TCP access, and IP access. Using role-based rights management, SSL VPN can restrict user access to resources according to user identity. In addition, it incorporates a user host security checking feature, implementing dynamic assignment of user access rights.

SSL VPN gateways support Web management. An administrator can configure and manage the SSL VPN system through a Web browser.

Compared with a conventional VPN, SSL VPN features high security and more granular security control. Requiring no user configuration and no client installation, it is simple to deploy and very easy to use.

H3C SecPath SSL VPN defines two roles:
  Domain administrator: Manager of an SSL VPN domain. A domain administrator can create and delete local users, user groups, resources, resource groups, and security policies for the domain, controlling the access rights of users in the domain.
  SSL VPN user: A user accessing network resources through the SSL VPN system. An SSL VPN user must pass authentication to log in to the SSL VPN system. After passing authentication, an SSL VPN user can access the SSL VPN gateway, and the SSL VPN system assigns the user access rights based on the security status of the user and the user group to which the user belongs.

H3C SecPath SSL VPN is a secure VPN system based on SSL connections. It allows mobile employees to access corporate networks remotely in an easy and secure way.

The H3C SecPath SSL VPN devices are a new generation of professional SSL VPN devices for enterprises. These devices can function as ingress gateways for small- to medium-sized enterprises, as well as proxy gateways of internal server clusters for medium-sized enterprises.

2 SSL VPN Gateway Configuration

Gateway Configuration
Before logging in to the Web interface of the device to perform SSL VPN system management, you need to perform some simple configurations on the device:
  Connecting to the SSL VPN Device: Use a console cable to connect the terminal for configuration with the console port of the SSL VPN device.
  Obtaining Certificates: Perform PKI configurations. This document gives only the basic PKI configuration commands. For detailed information about PKI configuration commands, refer to the relevant sections in H3C SecPath Series Security Products Command Manual.
  Configuring the Web Server: To allow administrative access to the SSL VPN Web management interface, you must enable the Web server on the SSL VPN device.
  Enabling SSL VPN Service: Enable the SSL VPN service through the command line.

Connecting to the SSL VPN Device

Introduction to the console port
The H3C SecPath SSL VPN device has an RS-232 port, namely the console port, through which you can configure the device.

Introduction to the console cable
The console cable is an 8-wire shielded cable with an RJ-45 connector (B) at one end and a DB-9 receptacle (A) at the other end, as shown in Figure 2-1. The RJ-45 connector is for connecting the console port of the SSL VPN device and the DB-9 receptacle is for connecting the serial port of the configuration terminal.

Figure 2-1 Console cable

Connecting the console cable
Connect the console cable as follows:
1) Choose a terminal for configuration. The terminal can be a character terminal with a standard RS-232 port or a common PC. A PC is used in most cases.
2) Connect the cable. Making sure that the SSL VPN device and the terminal for configuration are powered off, connect one end of the console cable to the RS-232 port of the terminal and the other end to the console port of the SSL VPN device.

Obtaining Certificates
An SSL VPN gateway must have a local certificate and the CA certificate before it can provide services normally. Therefore, you need to request a local certificate from the CA and obtain the CA certificate for the SSL gateway first. If you have already obtained the certificates, you can import them into the device by following the guidelines in H3C SecPath Series Security Products Command Manual. If not, complete the following tasks:
  Generating an RSA key pair
  Configuring a PKI entity
  Configuring the PKI domain
  Retrieving certificates

Generating an RSA key pair
Follow these steps to generate an RSA key pair on the device:
  1. Enter system view: system-view
  2. Generate an RSA key pair: rsa local-key-pair create
     The length of the public key must be in the range from 512 to 2048. The default is 1024.

Configuring a PKI entity
Follow these steps to configure a PKI entity:
  1. Enter system view: system-view
  2. Create an entity and enter its view: pki entity name
     A PKI entity contains the identity information of the device for applying for a certificate. The name argument must be a string of 1 to 31 characters.
  3. Configure the common name: common-name name
     The name argument must be a string of 1 to 31 characters.
  4. Configure the name of the unit to which the entity belongs: organization-unit name
     Optional. The name argument must be a string of 1 to 31 characters.
  5. Configure the name of the organization to which the entity belongs: organization name
     Optional. The name argument must be a string of 1 to 31 characters.
  6. Configure the locality where the entity resides: locality name
     Optional. The name argument must be a string of 1 to 31 characters.
  7. Configure the state or province: state name
     Optional. The name argument must be a string of 1 to 31 characters.
  8. Configure the country code: country name
     Optional. The name argument must be a string of 1 to 31 characters.

Configuring the PKI domain
Follow these steps to configure the PKI domain:
  1. Enter system view: system-view
  2. Create a PKI domain and enter its view: pki domain name
  3. Specify the trusted CA: ca identifier name
  4. Specify the parameters for the certificate request: certificate request { entity | from | [ mode | polling ] | url } string
     entity: Specifies the entity.
     from: Specifies the authority, CA or RA.
     url: Specifies the URL of the server.
     mode: Specifies the request mode, auto or manual.
     polling: Specifies the interval for polling the status of the certificate request.

Retrieving certificates
In automatic certificate retrieval mode, the system automatically applies for a local certificate for itself and, before the certificate expires, automatically applies for another local certificate. You can also retrieve certificates manually. To retrieve certificates manually, follow these steps:
  1. Enter system view: system-view
  2. Retrieve the CA certificate: pki retrieval-certificate ca domain name
  3. Retrieve the local certificate: pki request-certificate domain name challenge-code

Configuring the Web Server
Complete the following tasks to configure the Web server:
  Configuring an SSL server policy
  Configuring a Web server policy
  Enabling the Web server

Configuring an SSL server policy
Follow these steps to configure an SSL server policy:
  1. Enter system view: system-view
  2. Create an SSL server policy and enter its view: ssl server-policy name
     The name argument must be a string of 1 to 31 characters.
  3. Specify a PKI domain for the SSL server policy: pki-domain name
  4. Specify the cipher suite(s) for the SSL server policy to support: ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ]
     Optional. By default, an SSL server policy supports all cipher suites.
  5. Configure the policy to use a hardware encryption card for SSL encryption and decryption: use ssl-card ssl-card-number
     This command can be configured only when the SSL VPN device contains a high-performance SSL encryption card.
  6. Enable certificate-based SSL client authentication: client-verify [ enable | weakenable ]
     weakenable is required for SSL VPN.

Configuring a Web server policy
Follow these steps to configure a Web server policy:
  1. Enter system view: system-view
  2. Create a Web server policy and enter its view: web-server-policy name
     The name argument must be a string of 1 to 31 characters.
  3. Specify an SSL server policy for the Web server policy: ssl-server-policy name

Enabling the Web server
Follow these steps to enable the Web server:
  1. Enter system view: system-view
  2. Enable the Web server: web server web-server-policy-name enable
     The web-server-policy-name argument must be a string of 1 to 31 characters. By default, the Web server is enabled.

Enabling SSL VPN Service
After completing the previous tasks, you can now enable the SSL VPN service. Follow these steps to enable the SSL VPN service:
  1. Enter system view: system-view
  2. Enable the SSL VPN service: svpn service enable
     Enabled by default.

Configuring the Gateway Reachable Function
After enabling the SSL VPN service, you need to configure the gateway reachable function so that an SSL VPN client can ping the SSL VPN gateway. Follow these steps to configure the gateway reachable function:
  1. Enter system view: system-view
  2. Configure the gateway reachable function: svpn reached gateway
     Not configured by default.

3 Logging In to SSL VPN Management Interface

The default username and password for an administrator are both administrator. Follow these steps to log in to the SSL VPN management interface:
1) On your PC, launch the Web browser. It is recommended that you use IE 6.0, Firefox 1.5, Netscape 8.0 or later, and set the screen resolution to 1024 x 768.
2) Enter the address https://gateway/admin in the address bar to open the login page.
3) Use the default administrator account to log in: type administrator as the username and administrator as the password, and then click Login, as shown in Figure 3-1. If the authentication code feature is enabled, you also need to enter the authentication code, as shown in Figure 3-2. To switch to the Chinese version, click the link at the top right corner.

Figure 3-1 SSL VPN administrator login page
Figure 3-2 SSL VPN administrator login page (with authentication code)

In the SSL VPN system, users belonging to the administrators group are the administrators of the domain. An administrator can also log in as a common user. After logging in as a common user, an administrator enters the interface for common users, but can access the resources for the administrators group.

4 SSL VPN Management Platform

The SSL VPN management platform is very friendly. It allows you to perform SSL VPN configuration and management easily and quickly, as shown in Figure 4-1.

Figure 4-1 SSL VPN management interface

Navigation Tree
The navigation tree is at the left side of the SSL VPN management interface and is a menu consisting of all the management functions that you can perform as an administrator, as shown in Figure 4-2.

Figure 4-2 Navigation tree

You can click a cross button to display the sub-menu, as shown in Figure 4-3.

Figure 4-3 Configuration menu

Information Display and Configuration Area
The right pane of the SSL VPN management interface is the configuration area, where you can view system information and configure users, resources, and policies. You can click a tab to display the corresponding page. Figure 4-4 shows the AD authentication policy configuration page.

Figure 4-4 AD authentication policy configuration page

Table of Contents
1 System Information
  Overview
  Configuration Tasks
  Configuration Procedures
    Displaying Online User Information
    Displaying History Information
    Displaying Statistics
    Displaying System Status
2 Device Management
  Overview
  Configuration Tasks
    Configuring Interfaces
    Configuring a Log Host
    Configuring Part Customization
    Configuring Full Customization
    Saving Configuration
    Rebooting the Device

1 System Information

Overview
System information provides you with the online user information, history information, statistics, and system status of the device. You can view the online user information, the maximum number of concurrent users and concurrent connections in the history, current system resource consumption, current SSL connection status, device startup time, SSL connection statistics, and other related system information.

Configuration Tasks
Select Device > Device Info from the navigation tree, and then select the tabs to perform different configuration tasks, as shown in Figure 1-1.

Figure 1-1 System information

Perform these tasks to display device information details:
  Displaying Online User Information: View and configure the online user information.
  Displaying History Information: View and configure the history information.
  Displaying Statistics: View and configure the statistics information.
  Displaying System Status: View and configure the system status information.

Configuration Procedures

Displaying Online User Information
Select the Online User tab to view and refresh online user information or log out online users. The following table describes the configuration items on the online user information page:
  Refresh automatically: Select Refresh automatically to refresh online user information at the interval specified in the domain policy.
  Refresh: Click Refresh to refresh online user information immediately.
  Log Out: Select an online user, and then click Log Out to log out the online user.

Displaying History Information
Select the History Info tab to view and refresh the history information. The following table describes the history information configuration items:
  Refresh automatically: Select Refresh automatically to refresh history information at the interval specified in the domain policy.
  Refresh: Click Refresh to refresh history information immediately.

Displaying Statistics
Select the Statistics tab to enter the statistics page. You can view the system startup time, running time, CPU utilization, and SSL connection statistics information. The following table describes the statistics information configuration items:
  Refresh automatically: Select Refresh automatically to refresh the statistics information every 10 seconds.
  Refresh: Click Refresh to refresh the statistics information immediately.

Displaying System Status
Select the System Status tab to enter the system status page. You can view the system memory and flash utilization information. The following table describes the system status information configuration items:
  Refresh automatically: Select Refresh automatically to refresh the system status information every 10 seconds.
  Refresh: Click Refresh to refresh the system status information immediately.

2 Device Management

Overview
Device management provides you with the interface management, log host, page customization, configuration saving, and device reboot functions. You can configure an IP address for every physical Ethernet interface of the device, configure the log host of the device, customize the page title and logo to be displayed on the page that a common user sees after login, save the current system configuration, and reboot the whole device.

Configuration Tasks
Select Device > Device Management from the navigation tree, and then select the tabs to perform different configuration tasks, as shown in Figure 2-1.

Figure 2-1 System management

Perform the following tasks to manage the device:
  Configuring Interfaces: View and configure interface IP addresses.
  Configuring a Log Host: View and configure the log host of the device.
  Configuring Part Customization / Configuring Full Customization: Customize the title and logo of the user interface to be displayed after user login.
  Saving Configuration: Save the current system configuration of the device.
  Rebooting the Device: Reboot the current device.

Configuring Interfaces
Select the Interface Management tab to enter the interface management page. Select an interface, and then click Configure to enter the interface configuration page. The following table describes the interface configuration item:
  Configure IP address of interface: Specify the address assign mode, IP address, and subnet mask for the selected interface.

Interface management supports configuring only physical Ethernet interfaces. Logical interfaces are not supported. If you select None as the address assign mode, after you apply the configuration, the system will delete all IP address configurations or DHCP or BOOTP configurations of the current interface.

Configuring a Log Host
Select the Loghost tab to enter the log host configuration page. Click Add to configure a log host for the device. The following table describes the log host configuration items:
  Logging Host IP Address: Specify the IP address of the log host. System logs will be sent to this log host.
  Logging Host Facility: Select the logging facility to be used.
  Language Environment: Select the language to be used to record logs.

Configuring Part Customization
Select the UI Customizing tab and then click Partial customization to customize part of the UI pages. The following table describes the part customization configuration items (Login Page Title, User Page Title, Login Page Welcome Title, Service Page Title, Service Page Picture, and Login Page Picture):
  Login Page Title: The login page title appears on the title bar of the login page. Type the title in the text box and then click Apply.
  Login Page Welcome Title: The welcome title appears at the top of the login box on the login page. Type the welcome information in the text box and then click Apply.
  Service Page Title: The service page title appears next to the logo in the banner area of the configuration page for common users. Type the title in the text box and click Apply.
  Service Page Picture: Customize the logo that appears leftmost in the banner area of the configuration page for common users. Click Browse to select a picture file, and then click Update to update the logo with the picture in the file. You can also customize the background picture of the configuration page for common users; this picture is displayed as the background of the banner area of the configuration page. Click Browse to select a picture file, and then click Update to update the background picture with the picture in the file.
  Login Page Picture: Customize the logo that appears at the lower left corner of the login box. Click Browse to select a picture file, and then click Update to update the logo with the picture in the file.

The file to be uploaded must be a picture with the suffix jpg, bmp, or gif. There are requirements on the width and height of a picture. Refer to the information on the configuration page for details.

Configuring Full Customization
Select the UI Customizing tab and then click Full customization to customize UI pages fully. The following table describes the full customization configuration items:
  Common User Login Page: Specify whether to fully customize the login page for common users.
  Page Directory: Specify the directory where the custom page is saved on the device.
  Page Name: Specify the name of the custom page.

Full customization only applies to the login page for common users. To implement full customization, you need to upload all files of the custom page to a user-defined directory under flash:/domain1 and specify the directory in the text box of Page Directory. For example, if you save the custom page files in flash:/domain1/www/login, you need to specify flash:/domain1/www/login for Page Directory on the configuration page.

Saving Configuration
This function allows you to save the current system configuration, such as the interface IP configuration and log host configuration.

Rebooting the Device
This function allows you to reboot the current device. After the device is rebooted, you need to log in to the device again as the administrator to continue managing the SSL VPN device.

Table of Contents

1 Local User 1-1
  Overview 1-1
  Configuration Tasks 1-1
  Configuration Procedures 1-2
    Creating a Local User 1-2
    Modifying a Local User 1-3
    Querying Local Users 1-4
2 Batch Import of Local Users 2-1
  Overview 2-1
  Importing Local Users 2-1
3 User Group 3-1
  Overview 3-1
  Configuring a User Group 3-1

1 Local User

Overview

Through user management, you can configure SSL VPN users that will be authenticated by the device locally, and perform group management based on the user identities.

Configuration Tasks

Select User > Local User from the navigation tree to enter the local user list page, as shown in Figure 1-1.

Figure 1-1 Local user list page

As shown in Figure 1-1, local users include administrators and common users of the domain. Perform these tasks to manage local users:

Creating a Local User: Create a local user account.
Modifying a Local User: Edit the configuration of a local user account.
Querying Local Users: Specify the conditions to search for matching users.

Configuration Procedures

Creating a Local User

On the local user list page, click Add to create a local user. The following table describes the local user configuration items:

Account: Specify a user account.
Account Description: Describe the account information.
Password: Type a password for the account.
Confirm Password: Type the password again for confirmation.
User Groups for the User: Select the groups to which the user belongs.
Certificate Seq. No.: Specify the sequence number of the certificate to be bound to the username.
Public account: Specify whether the account is a public account. If yes, you also need to specify the maximum number of users that are allowed to use the account to log in at the same time.
Status: Enable the account permanently or in a specified period, or disable the account.
Expire After: Available only when Permitted in valid period is selected for Status. Specify the valid period after which the account expires.
MAC Address: Specify the MAC address to be bound to the user.
MAC Autolearn: Specify whether to enable autolearning of the user's MAC address.

The username is case-insensitive. Refer to the product specifications for the number of groups that a user can join.

The user group named Administrators is created when the root domain is created. This user group is the default administrator group, and all members of the group are domain administrators.

The user named guest and the user group named Guests are created when a domain is created. No password is required for a login using the guest account.

A public account can be used by multiple users to log in to the SSL VPN system at the same time, while a non-public account can be used by only one user to log in to the SSL VPN system at a time.

Modifying a Local User

Select a user in the administrator list page and then click Configure to modify the user settings. The following table describes the local user configuration items:

Account Description: Describe the local user account information.
Password: Type a password for the local user account.
Confirm Password: Type the password again for confirmation.
User Groups for the User: Select the groups to which the user belongs.
Certificate Seq No.: Specify the sequence number of the certificate to be bound to the username.
Public account: Specify whether the account is a public account. If yes, you also need to specify the maximum number of users that are allowed to use the account to log in at the same time.
Status: Enable the account permanently or in a specified period, or disable the account.
Expire After: Available only when Permitted in valid period is selected for Status. Specify the date after which the account expires.
MAC Address: Specify the MAC address to be bound to the user.
MAC Autolearn: Specify whether to enable autolearning of the user's MAC address.

The password of the guest account is maintained by the system, so you cannot configure it.

Querying Local Users

Type the filtering conditions and click Set. The page lists the local users that match the conditions. The system supports fuzzy match.

2 Batch Import of Local Users

Overview

You can import local users in bulk by importing a text file. In the text file, configure the SSL VPN users that use local authentication, with one username-password pair per line, the username and password separated by a space.

Importing Local Users

Select User > Batch Import from the navigation tree to enter the local user batch import configuration page, as shown in Figure 2-1.

Figure 2-1 Import local users in batches

The following table describes the batch import configuration items:

Browse: Click Browse to select a file.
Import: Click Import to upload the file and import the local users in the file to the system. The system creates an account for each imported local user.
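A batch import file is worth validating before it is uploaded, because every accepted line becomes an account. The following Python validator is an added example, not part of the manual or the product. It applies the format described above (one username and password per line, separated by a space) together with two rules from the Local User chapter: usernames are case-insensitive, so differently cased duplicates are rejected, and the guest account's password is maintained by the system, so a line for guest is reported as an error (treating it as an error, rather than letting the device decide, is this example's assumption). The sample file contents are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample import file in the manual's format:
# one "username password" pair per line, separated by a space.
SAMPLE_IMPORT_FILE = """\
alice Passw0rd!
bob s3cret-pass

Alice another-pass
carol
guest cannot-set-this
dave pw extra-field
"""

# Accounts whose password the manual says is maintained by the system.
# Rejecting import lines for them is this example's assumption.
SYSTEM_MANAGED_ACCOUNTS = {"guest"}


def parse_batch_import(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Validate a batch import file before uploading it.

    Returns (accepted users keyed by lower-cased username, error messages).
    Usernames are treated as case-insensitive, as the Local User chapter
    states, so 'Alice' after 'alice' is reported as a duplicate.
    """
    users: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # a blank line carries no account; skip it
        # Split on whitespace. A password containing whitespace cannot be
        # represented in this format, so any extra field is an error.
        parts = line.split()
        if len(parts) != 2:
            errors.append(
                f"line {lineno}: expected 'username password', got {len(parts)} field(s)"
            )
            continue
        username, password = parts
        key = username.lower()
        if key in SYSTEM_MANAGED_ACCOUNTS:
            errors.append(
                f"line {lineno}: account '{username}' is managed by the system; not importable"
            )
            continue
        if key in users:
            errors.append(
                f"line {lineno}: duplicate username '{username}' (usernames are case-insensitive)"
            )
            continue
        users[key] = password
    return users, errors


if __name__ == "__main__":
    accepted, problems = parse_batch_import(SAMPLE_IMPORT_FILE)
    print("accepted:", sorted(accepted))
    for problem in problems:
        print("error:", problem)
```

Run it against the real file before clicking Import; only a file with an empty error list should be uploaded, since the device creates an account for every line it accepts.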

3 User Group

Overview

You can organize users into user groups so that you can manage the users by managing the user groups. You can add users to a user group, remove a user from a user group, and configure resources for a user group.

Configuring a User Group

Select User > User Group from the navigation tree to enter the user group configuration page, as shown in Figure 3-1. Click Add to create a user group, or select a user group and then click Configure to modify the user group.

Figure 3-1 User group configuration

The following table describes the user group configuration items:

Group Name: Specify the user group name.
Added Resource Groups: Select the resource groups for the user group.
Added Users: Select the users for the user group.
Binding VPN Instance: Select the VPN interface to be bound to the user group. This option is available only on devices supporting MPLS.

The user group name is case-sensitive. If remote authentication (RADIUS, LDAP, or AD) is enabled and the authentication server does not distinguish between upper and lower case in user group names, do not create user groups whose names would be identical if compared case-insensitively, such as usergroup and USERGROUP.

Refer to the product specification list for the number of resource groups that can be specified for a user group and the number of users that can be included in a user group.

VPN interface binding is supported only on devices supporting MPLS. Refer to the product specification list for the device models that support MPLS.

Table of Contents

1 Web Proxy Server 1-1
  Overview 1-1
  Configuration Tasks 1-1
  Configuration Procedures 1-1
    Creating a Web Proxy Server Resource 1-1
    Modifying a Web Proxy Server Resource 1-2
2 Remote Access Service 2-1
  Overview 2-1
  Configuration Tasks 2-1
  Configuration Procedures 2-1
    Creating/Modifying a Remote Access Service 2-1
3 Desktop Sharing Service 3-1
  Overview 3-1
  Configuration Tasks 3-1
  Configuration Procedures 3-1
    Configuring a Desktop Sharing Resource 3-1
4 E-mail Service 4-1
  Overview 4-1
  Configuration Tasks 4-1
  Configuration Procedures 4-1
    Configuring an E-mail Service Resource 4-1
    Configuring a Notes Mail Service Resource 4-2
5 TCP Service 5-1
  Overview 5-1
  Configuration Tasks 5-1
  Configuration Procedures 5-1
    Configuring a TCP Service Resource 5-1
6 IP Network Service 6-1
  Overview 6-1
  Configuration Tasks 6-1
  Configuration Procedures 6-2
    Configuring the IP Network Service Globally 6-2
    Configuring a Host Resource 6-3
    Configuring IP Binding 6-3
    Configuring a Static DNS Resource 6-4
7 IP Network Service on Devices Supporting MPLS 7-1
  Overview 7-1
  Configuration Tasks 7-1
  Configuration Procedures 7-1
    Configuring the IP Network Service Globally 7-1
    Configuring a Host Resource 7-2
    Configuring a Static DNS Resource 7-3
    Configuring a VPN Instance Resource 7-4
8 Resource Group 8-1
  Overview 8-1
  Configuration Tasks 8-1
  Configuration Procedures 8-1
    Configuring a Resource Group 8-1

1 Web Proxy Server

Overview

A remote Web server provides services through Web pages. Through Web pages, you can not only obtain information, but also interact with the server to, for example, download and upload files. On a Web page, you can click hyperlinks to jump to other Web pages of interest. For this type of client-server interaction, the HTTP packets are transmitted in plain text on the Internet and are therefore easy to intercept. To solve this problem, SSL VPN provides secure links between users and the Web servers. In addition, it can block access from unauthorized users.

Configuration Tasks

Select Resource > Web Site from the navigation tree and then the Web Proxy tab to enter the Web proxy page, as shown in Figure 1-1.

Figure 1-1 Web proxy configuration page

Perform these tasks to manage Web proxy server resources:

Creating a Web Proxy Server Resource: Create a Web proxy server resource.
Modifying a Web Proxy Server Resource: Edit the configuration of a Web proxy server resource.
Deleting Web Proxy Server Resources: Delete a Web proxy server resource.

Configuration Procedures

Creating a Web Proxy Server Resource

Click Add on the Web proxy page to create a Web proxy server resource. The following table describes the Web proxy server resource configuration items:

Resource Name: Specify a unique name for the Web proxy server resource.
Website Name: Specify the website address.
Default Page: Specify the home page of the website.
Site Matching Pattern: Type the website address matching pattern. The asterisk sign (*) indicates fuzzy match. Use vertical bars (|) to separate different address patterns, for example: www.h3c.com|www.sina.*. The total number of characters in this field cannot exceed 512.
Enable web protect: Enable or disable page protection. When page protection is enabled, a page can only be displayed; it cannot be copied, saved, or printed.
SSO: Permit or deny Single Sign-On (SSO) for the resource.
Submit Path: Select the check box and specify the path automatically submitted by the system when SSO is enabled. If a path is specified, the resource is accessed through the IP network service. Otherwise, the resource is accessed through a Web proxy server.
Username Parameter: Available when SSO is enabled. Specify the username submitted during an automatic system login.
Password Parameter: Available when SSO is enabled. Specify the password submitted during an automatic system login.
Parameter Name: Specify other parameters submitted during an automatic system login.
Parameter Value: Specify the values of other parameters submitted during an automatic system login.

If a path is specified, the resource is accessed through the IP network service. In this case, the corresponding IP resource must be created and authorized to the user requesting access to the resource.

Modifying a Web Proxy Server Resource

On the Web proxy page, select a resource name and then click Configure to modify the specified Web proxy server resource. The following table describes the Web proxy server resource configuration items that you can modify:

Resource Name: Specify a unique name for the Web proxy server resource.
Website Name: Specify the website address.
Default Page: Specify the home page of the website.
Site Matching Pattern: Type the website address matching pattern. The asterisk sign (*) indicates fuzzy match. Use vertical bars (|) to separate different address patterns, for example: www.h3c.com|www.sina.*. The total number of characters in this field cannot exceed 512.
Enable web protect: Enable or disable page protection. When page protection is enabled, a page can only be displayed; it cannot be copied, saved, or printed.
SSO: Permit or deny SSO for the resource.
Submit Path: Select the check box and specify the path automatically submitted by the system when SSO is enabled. If a path is selected, the resource is accessed through the IP network service. Otherwise, the resource is accessed through a Web proxy server.
Username Parameter: Available when SSO is enabled. Specify the username submitted during an automatic system login.
Password Parameter: Available when SSO is enabled. Specify the password submitted during an automatic system login.
Parameter Name: Specify other parameters submitted during an automatic system login.
Parameter Value: Specify the values of other parameters submitted during an automatic system login.
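The Site Matching Pattern syntax described in the tables for creating and modifying a Web proxy server resource can be checked before it is typed into the field. The following Python script is an added example, not code from the manual or from H3C. It assumes that an asterisk matches any run of characters, including an empty one, and that hostnames compare case-insensitively; the manual states neither. It also reports sub-patterns that consist only of asterisks, because such a pattern matches every address and so removes the restriction the field is meant to impose on what the proxy resource relays.

```python
import re
from typing import List, Optional

# Field length limit stated in the manual for Site Matching Pattern.
MAX_PATTERN_FIELD_LEN = 512


def split_site_patterns(field: str) -> List[str]:
    """Split a Site Matching Pattern field on vertical bars into sub-patterns.

    Rejects a field longer than 512 characters and empty sub-patterns
    such as the middle of "a||b".
    """
    if len(field) > MAX_PATTERN_FIELD_LEN:
        raise ValueError(
            f"pattern field is {len(field)} characters; limit is {MAX_PATTERN_FIELD_LEN}"
        )
    patterns = [p.strip() for p in field.split("|")]
    if any(not p for p in patterns):
        raise ValueError("empty address pattern between vertical bars")
    return patterns


def field_is_valid(field: str) -> bool:
    """True if the field passes the length and syntax checks above."""
    try:
        split_site_patterns(field)
    except ValueError:
        return False
    return True


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile one sub-pattern: '*' is a wildcard, every other character is literal.

    Assumption (not stated by the manual): '*' matches any run of characters,
    including an empty one, and hostnames compare case-insensitively.
    """
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile(rf"^{body}$", re.IGNORECASE)


def matching_pattern(field: str, host: str) -> Optional[str]:
    """Return the first sub-pattern that matches host, or None if none does."""
    for pattern in split_site_patterns(field):
        if pattern_to_regex(pattern).match(host):
            return pattern
    return None


def site_matches(field: str, host: str) -> bool:
    return matching_pattern(field, host) is not None


def wildcard_only_patterns(field: str) -> List[str]:
    """Sub-patterns made solely of '*' match every address; return them for review."""
    return [p for p in split_site_patterns(field) if set(p) == {"*"}]


if __name__ == "__main__":
    field = "www.h3c.com|www.sina.*"  # the manual's own example value
    for host in ("www.h3c.com", "www.sina.com.cn", "www.example.org"):
        print(f"{host} -> {matching_pattern(field, host)}")
    print("wildcard-only:", wildcard_only_patterns("*|www.h3c.com"))
```

Keep patterns as specific as the site layout allows: a trailing `.*` on a host name, as in the manual's `www.sina.*` example, matches any suffix, so review `wildcard_only_patterns` output and any leading asterisks before saving the resource.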

2 Remote Access Service

Overview

Remote access services include remote character terminal services (such as Telnet and SSH) and traditional terminal services (such as IBM 3270). Using these services, you can manage a remote host through a simulated terminal window on your local host. To ensure the security of data transmission, SSL VPN uses SSL encryption to protect data that would otherwise be transmitted on the Internet in plain text.

Configuration Tasks

Select Resource > TCP Application from the navigation tree and then select the Telnet tab to enter the remote access service page, as shown in Figure 2-1.

Figure 2-1 Remote access service page

Perform this task to configure remote access services:

Creating/Modifying a Remote Access Service: Create or modify a remote access service resource.

Configuration Procedures

Creating/Modifying a Remote Access Service

Click Add on the remote access service page to create a remote access service resource, or select a resource and then click Configure to modify the resource. The following table describes the remote access service configuration items:

Resource Name: Specify a unique name for the remote access service resource.
Remote Host: Specify the name or IP address of the remote host.
Remote Port: Specify the port number of the remote host. It defaults to 23.
Local Host: Specify a loopback address or a random character string.
Local Port: Specify the port number of the local host. It defaults to 23.
Command Line: Configure a command line for the resource. A normal user can then click the resource link to launch the corresponding application and access the remote server. Format: telnet <character string of the local host>

The port number of the remote host must be consistent with the one specified on the server. You can specify any valid port number for the local host. If the local port is not the default port of the application, you need to add the port information to the command line. For example, if the local port number of Telnet is 56 and the local host name is telnet_server, type telnet telnet_server 56 in the command line.

3 Desktop Sharing Service

Overview

Desktop sharing (also called remote desktop) allows a user to access the sessions on a remote host from the local host. With desktop sharing, you can stay at home, connect to a computer in your office, and access all the application programs, files, and network resources on that computer, as if you were sitting in front of it. Common desktop sharing services include Windows remote desktop, Virtual Network Computing (VNC) desktop sharing, and Citrix desktop sharing. For some desktop sharing applications, data are transmitted in plain text and can therefore be easily intercepted. To solve the problem, you can use SSL VPN encryption to ensure the security of data transmission.

Configuration Tasks

Perform this task to configure desktop sharing services:

Configuring a Desktop Sharing Resource: Add or modify a desktop sharing resource.

Configuration Procedures

Configuring a Desktop Sharing Resource

Select Resource > TCP Application from the navigation tree and then select the Desktop Sharing tab to enter the desktop sharing configuration page. Then, click Add to create a desktop sharing resource, or select a resource and then click Configure to modify the resource. The following table describes the desktop sharing resource configuration items:

Resource Name: Specify a unique name for the desktop sharing resource.
Remote Host: Specify the name or IP address of the desktop sharing connection.
Remote Port: Port number of the remote host. The default port number for Windows desktop sharing is 3389.
Local Host: Specify a loopback address or a random character string.
Local Port: Port number of the local host. The default port number for Windows desktop sharing is 3389.
Command Line: Format: mstsc -v <character string of the local host>

If you configure the local port as 3389 for desktop sharing after starting remote desktop, the port binding may fail when a user logs in. In that case, configure a port number other than that of the remote desktop as the local port number. For example, if the local port number is 6500 and the local host name is remote_desktop, type mstsc -v remote_desktop:6500 in the command line.

4 E-mail Service

Overview

The E-mail service is commonly used in daily life and work to exchange text and graphics over the network. Generally, E-mails are transmitted in plain text on the network. You can encrypt E-mails to protect their contents and use SSL VPN to enhance transmission security.

Configuration Tasks

Perform these tasks to configure E-mail service resources:

Configuring an E-mail Service Resource: Add or modify an E-mail service resource.
Configuring a Notes Mail Service Resource: Add or modify a Notes mail service resource.

Configuration Procedures

Configuring an E-mail Service Resource

Select the Mail tab on the title bar to enter the E-mail service resource configuration page. Then, click Add to create an E-mail service resource, or select a resource and then click Configure to modify the resource. The following table describes the E-mail service resource configuration items:

Resource Name: Specify a unique name for the E-mail service resource.
Server Type: Specify the E-mail service type, which can be POP3, SMTP, or IMAP.
Server Address: Specify the address of the E-mail server.
Service Port: Specify the port number of the server.
Local Address: Specify a loopback address or a random character string.
Local Port: Specify the local port number.
Command Line

For the E-mail service to function normally, you need to configure at least two resources, one with the service type of the receiving server and the other with the service type of the sending server.

Configuring a Notes Mail Service Resource

Select the Notes tab on the title bar to enter the Notes mail service resource configuration page. Then, click Add to create a Notes mail service resource, or select a resource and then click Configure to modify the resource. The following table describes the Notes mail service resource configuration items:

Resource Name: Specify a unique name for the Notes mail service resource.
Notes Server: Specify the Notes mail server address.
Service Port: Specify the port number of the Notes mail server.
Local Address: Specify a loopback address or a random character string.
Local Port: Specify the port number of the local host.
Command Line

The character string specified for Local Address must be consistent with the mail server name configured in the Notes mail program.

5 TCP Service

Overview

SSL VPN provides TCP services for various client/server (C/S) applications. To enable a TCP service correctly, you need to configure the port number and IP address of the remote host, and the name or IP address and port number of the local host.

Configuration Tasks

Select Resource > TCP Application from the navigation tree and then select the TCP Service tab to enter the TCP service page, as shown in Figure 5-1. Click Add to create a TCP service resource, or select a resource and then click Configure to modify the resource.

Figure 5-1 TCP service page

Perform this task to configure a TCP service:

Configuring a TCP Service Resource: Add or modify a TCP service resource.

Configuration Procedures

Configuring a TCP Service Resource

Select the TCP Service tab on the title bar to configure TCP service resources. The following table describes the TCP service resource configuration items:

Resource Name: Specify a unique name for the TCP service resource.
Service Type: Specify the TCP service type.
Remote Host: Specify the name or IP address of the remote host.
Service Port: Specify the port number of the remote host.
Local Host: Specify a loopback address or a random character string.
Local Port: Specify the port number of the local host.
Command Line: Not required if no command line exists.

6 IP Network Service

Overview

SSL VPN supports access to all applications above the IP layer. After you assign specific resources to a user, the user can simply log in to SSL VPN to access the resources, without considering the type and configuration of the application. The ActiveX SSL VPN client program is automatically downloaded and started. SSL VPN ensures the security of the client-server communication.

Configuration Tasks

Select Resource > IP Network from the navigation tree to enter the IP network configuration page, as shown in Figure 6-1.

Figure 6-1 IP network configuration page

Perform these tasks to configure IP network resources:

Configuring the IP Network Service Globally: Configure the IP network service globally.
Configuring a Host Resource: Add or modify a host resource.
Configuring IP Binding: Add or modify an IP binding entry.
Configuring a Static DNS Resource: Add or modify a static DNS entry.

Configuration Procedures

Configuring the IP Network Service Globally

Select the Global Configuration tab to enter the global configuration page. The following table describes the global configuration items:

Start IP: Specify the start IP address of the network segment that can be assigned to the client's virtual network card.
End IP: Specify the end IP address of the network segment that can be assigned to the client's virtual network card.
Subnet Mask: Specify the subnet mask of the virtual network card's IP address.
Gateway IP: IP address of the virtual gateway.
Heartbeat Interval: Set the interval for sending heartbeat packets to the gateway. Failure to send a heartbeat packet indicates that the network is disconnected. The interval defaults to 60 seconds.
Client Reachable: Enable or disable communication between different clients.
WINS Server: Type the WINS server address of the internal server cluster for domain name resolution.
DNS Server: Type the DNS server address for domain name resolution.
Access VPN Only: After enabling the IP network access service, select whether to allow the user to access only the VPN.
Auto NAT: Enable or disable automatic NAT on the internal network interface.
IP Networks Display Mode: Display the user network service as description information or as an IP address.

Configuring a Host Resource

Select the Host Configuration tab, then click Add to create a host, or select a host and then click Configure to modify the host settings. You can create multiple network services and shortcuts. For configuration limits, refer to the device specifications. The following table describes the host configuration items:

Resource Name: Specify a unique name for the resource.
Destination Address: Specify the destination address of the network service.
Subnet Mask: Specify the subnet mask of the destination address.
Protocol: Specify the service type of the network service, which can be IP, TCP, or UDP.
Description: Specify a description for the network service.
Shortcut Name: Specify the name of the shortcut.
Command: Specify the shortcut command. For example, if you want to set up an FTP connection to the remote host at 192.168.111.120, the shortcut command is ftp 192.168.111.120.

If the destination address of the network service is a host address (for example, 192.168.111.120/24), users can access only that host through the network; if the destination is a network segment (for example, 192.168.111.0/24), users can access all hosts on the network segment.

A shortcut command is equivalent to a Windows command line. Because Windows uses the backslash (\) as the escape character, entering \\ is equivalent to entering \ in the command line. For example, entering explorer \\\\10.154.2.100 as the shortcut for a shared file is equivalent to entering explorer \\10.154.2.100 in the command line. explorer indicates that the system uses the default browser of the client to access the resources of the internal network. For example, you can use explorer ftp://10.154.2.100 to initiate an FTP connection through the browser.

Configuring IP Binding

Select the IP Binding tab, and then click Add to create an IP binding entry, or select a binding entry and then click Configure to modify the binding entry. The following table describes the IP binding configuration items:

Username: Username of the client to be bound, in the format username@authentication mode, for example, user@local.
IP Address to be Bound: IP address of the client.

Configuring a Static DNS Resource

Select the Static DNS tab, and then click Add to create a static DNS entry, or select an existing static DNS entry and then click Configure to modify the static DNS entry. The following table describes the static DNS configuration items:

Domain Name: Domain name delivered to users.
IP: IP address of the domain name. This field must not be empty when the IP address is assigned statically.
IP Method: IP address assignment mode for the domain name: dynamic or static.

After a user logs in to the IP network, the system by default randomly assigns an IP address from the address pool to the virtual network card of the user. To make the system assign a fixed IP address to the virtual network card, use the IP binding function. The IP address to be bound must be in the same segment as the global address pool but cannot be an address within the global address pool.

This chapter describes the IP network service configuration on devices not supporting Multi-Protocol Label Switching (MPLS). For the IP network service configuration on devices supporting MPLS, refer to Resource Group. For the device models supporting MPLS, refer to the product specifications.
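The IP binding constraint stated above (the bound address must be in the same segment as the global address pool but not inside it) and the username@authentication-mode format can both be checked before an entry is saved. The following Python code is an added example, not the device's own logic: the GlobalAddressPool class and the function names are this example's, the gateway, network-address and broadcast-address checks are added sanity checks that the manual does not state, and the pool values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class GlobalAddressPool:
    """The Start IP, End IP, Subnet Mask and Gateway IP items of the global configuration.

    This class is the example's own model of those four fields; the values
    used below are constructed, not taken from any real deployment.
    """
    start_ip: str
    end_ip: str
    subnet_mask: str
    gateway_ip: str

    def segment(self) -> ipaddress.IPv4Network:
        # The segment the pool lives in, derived from Start IP and Subnet Mask.
        return ipaddress.IPv4Network(f"{self.start_ip}/{self.subnet_mask}", strict=False)

    def in_pool(self, ip: IPv4) -> bool:
        # Inside the inclusive Start IP .. End IP range.
        return IPv4(self.start_ip) <= ip <= IPv4(self.end_ip)


def parse_binding_username(value: str) -> Tuple[str, str]:
    """Split 'username@authentication mode' (e.g. user@local) into its two parts."""
    name, sep, mode = value.rpartition("@")
    if not sep or not name or not mode:
        raise ValueError(f"username must be in the form username@mode, got {value!r}")
    return name, mode


def validate_ip_binding(pool: GlobalAddressPool, bound_ip: str) -> List[str]:
    """Return the rule violations for binding bound_ip; an empty list means acceptable.

    The manual's two rules: the address must be in the same segment as the
    global address pool and must not be an address inside the pool. The
    gateway, network and broadcast checks are this example's additions.
    """
    ip = IPv4(bound_ip)
    net = pool.segment()
    problems: List[str] = []
    if ip not in net:
        problems.append(f"{ip} is not in the pool segment {net}")
        return problems
    if pool.in_pool(ip):
        problems.append(f"{ip} lies inside the global address pool {pool.start_ip}-{pool.end_ip}")
    if ip == IPv4(pool.gateway_ip):
        problems.append(f"{ip} is the virtual gateway address")
    if ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    return problems


if __name__ == "__main__":
    # Constructed pool: 10.1.1.10-10.1.1.100 on 10.1.1.0/24, gateway 10.1.1.1.
    pool = GlobalAddressPool("10.1.1.10", "10.1.1.100", "255.255.255.0", "10.1.1.1")
    for candidate in ("10.1.1.200", "10.1.1.50", "10.1.2.5", "10.1.1.1"):
        print(candidate, validate_ip_binding(pool, candidate) or "ok")
    print(parse_binding_username("user@local"))
```

Because a bound address is fixed per user, also confirm that no two binding entries use the same address; the device's behaviour on duplicates is not described in this manual.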

7 IP Network Service on Devices Supporting MPLS

Overview

Multiple VPN instances can be supported after virtual interfaces are created on the SSL VPN device. Each virtual interface can be bound with one VPN instance or with no VPN instance. After a user group is associated with a virtual interface, the users belonging to the group automatically become VPN users bound with the user group.

Configuration Tasks

Perform these tasks to configure IP network resources on devices supporting MPLS:

Configuring the IP Network Service Globally: Configure the IP network service globally.
Configuring a Host Resource: Add or modify a host resource.
Configuring a Static DNS Resource: Add or modify a static DNS resource.
Configuring a VPN Instance Resource: Add or modify a VPN instance resource.

Configuration Procedures

Configuring the IP Network Service Globally

Select the Global Configuration tab, then click Add to create an address pool on the address pool list page, or select an address pool entry and then click Configure to modify the address pool. For the number of address pools allowed, refer to the product specifications. The following table describes the global configuration items:

Start IP: Specify the start IP address of the network segment that can be assigned to the client's virtual network card.
End IP: Specify the end IP address of the network segment that can be assigned to the client's virtual network card.
Subnet Mask: Specify the subnet mask of the virtual network card's IP address.
Gateway IP: IP address of the virtual gateway.
Heartbeat Interval: Set the interval for sending heartbeat packets to the gateway. Failure to send a heartbeat packet indicates that the network is disconnected. The interval defaults to 60 seconds.
Client Reachable: Enable or disable communication between different clients.
WINS Server: Type the WINS server address of the internal server cluster for domain name resolution.
DNS Server: Type the DNS server address for domain name resolution.
Internal Interfaces: Select an internal interface and configure nat outbound on the interface.
Access VPN Only: After enabling the IP network access service, select this check box to allow users to access the VPN only.
Auto NAT: Enable or disable automatic NAT on the internal network interface.
VPN Instance Binding: VPN instance to be bound with the virtual interface.

After a virtual interface is bound with a VPN instance, automatic NAT cannot be enabled. A virtual interface can be bound with only one VPN instance. Multiple virtual interfaces can be bound with the same VPN instance. For the maximum number of address pools allowed in the system, refer to the product specifications.

Configuring a Host Resource

Select the Host Configuration tab, then click Add to create a host, or select a host and then click Configure to modify the host settings. You can create multiple network services and shortcuts. For configuration limits, refer to the device specifications. The following table describes the host configuration items:

Resource Name: Specify a unique name for the resource.
Destination Address: Specify the destination address of the network service.
Subnet Mask: Specify the subnet mask of the destination address.
Protocol: Specify the service type of the network service, which can be IP, TCP, or UDP.
Shortcut Name: Specify the name of the shortcut.
Command: Specify the shortcut command. For example, if you want to set up an FTP connection to the remote host at 192.168.111.120, the shortcut command is ftp 192.168.111.120.

If the destination address of the network service is a host address (for example, 192.168.111.120/24), users can access only that host through the network; if the destination is a network segment (for example, 192.168.111.0/24), users can access all hosts on the network segment.

A shortcut command is equivalent to a Windows command line. Because Windows uses the backslash (\) as the escape character, entering \\ is equivalent to entering \ in the command line. For example, entering explorer \\\\10.154.2.100 as the shortcut for a shared file is equivalent to entering explorer \\10.154.2.100 in the command line. explorer indicates that the system uses the default browser of the client to access the resources of the internal network. For example, you can use explorer ftp://10.154.2.100 to initiate an FTP connection through the browser.

Configuring a Static DNS Resource

Select the Static DNS tab, then click Add to create a static DNS entry, or select an existing static DNS entry and then click Configure to modify the static DNS entry. The following table describes the static DNS configuration items:

Domain Name: Domain name delivered to users.
IP: IP address of the domain name. This field must not be empty when the IP address is assigned statically.
IP Method: IP address assignment mode for the domain name: dynamic or static.
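Two host-resource rules described in this chapter and in chapter 6 are easy to get wrong when filling in the form: whether a Destination Address plus Subnet Mask grants one host or a whole segment, and the doubled backslash required in a shortcut Command. The following Python code illustrates both. It is an added example, not code from the manual or the product; the function names are this example's, and the addresses are the manual's own examples.

```python
import ipaddress
from typing import Tuple


def destination_scope(address: str, subnet_mask: str) -> Tuple[str, ipaddress.IPv4Network]:
    """Classify a host-resource destination as a single host or a whole segment.

    Following the manual: 192.168.111.120/24 (host bits set) grants access to
    that host only, while 192.168.111.0/24 (host bits clear) grants access to
    every host on the segment. Returns (kind, network) where kind is "host"
    or "segment" and network is the address range actually granted.
    """
    net = ipaddress.IPv4Network(f"{address}/{subnet_mask}", strict=False)
    if ipaddress.IPv4Address(address) == net.network_address and net.prefixlen < 32:
        return "segment", net
    return "host", ipaddress.IPv4Network(f"{address}/32")


def grants_access(address: str, subnet_mask: str, target: str) -> bool:
    """True if a user holding this host resource can reach target."""
    _, allowed = destination_scope(address, subnet_mask)
    return ipaddress.IPv4Address(target) in allowed


def shortcut_field_value(command_line: str) -> str:
    # Windows treats the backslash as an escape character, so every single
    # backslash of the intended command line must be entered doubled in the
    # shortcut Command field.
    return command_line.replace("\\", "\\\\")


def command_line_from_field(field_value: str) -> str:
    # Inverse of shortcut_field_value: the command line the client will run.
    return field_value.replace("\\\\", "\\")


if __name__ == "__main__":
    for addr in ("192.168.111.120", "192.168.111.0"):
        kind, net = destination_scope(addr, "255.255.255.0")
        print(f"{addr}/24 -> {kind} ({net})")
    intended = r"explorer \\10.154.2.100"  # the manual's shared-folder example
    print("type into Command field:", shortcut_field_value(intended))
```

When reviewing host resources, run destination_scope over each entry: a destination that was meant to expose a single server but was entered with host bits clear silently becomes a whole segment, which is the broader of the two grants.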

Configuring a VPN Instance Resource

Select the VPN Instance tab, and then click Add to create a VPN instance entry, or select a VPN instance entry and then click Configure to modify the VPN instance entry. The following table describes the VPN instance configuration items:

Instance Name: Name of the VPN instance.
RD: RD of the VPN instance, used to differentiate VPN routes.
RT: RT of the VPN instance, used to redistribute or advertise VPN routes.

For the device models that support MPLS, refer to the product specifications. For the maximum number of VPN instances allowed in the system, refer to the product specifications.

8 Resource Group Overview The resource group management organizes resources into various groups. You can assign a resource group to a specific user group. Then, all the users belonging to the group gain the right to access the resource group. Configuration Tasks Select Resource > Resource Group from the navigation tree to enter the resource group configuration page, as shown in Figure 8-1. Figure 8-1 Resource group configuration page Perform this task to configure a resource group: Task Configuring a Resource Group Remarks Add or modify a resource group Configuration Procedures Configuring a Resource Group In the Resource Group configuration page, click Add to create a resource group or select a resource group and then click Configure to modify the resource group. The following table describes the resource group configuration items: Group Name Item Specify a name for the resource group. The resource group name must be unique in the whole system. 8-1

Added Resources: The list on the left displays all the resources in the domain, and the list on the right displays all the resources in the resource group. Select a resource from the list on the left and then click Add to add it to the resource group. Select a resource from the list on the right and then click Remove to remove it from the resource group.

The resource group autostart is generated by the system by default. After it is assigned to a user, the resources of the group are opened automatically when the user logs in to the system.

The resource group autohome is generated by the system by default. After the resources of this group are assigned to a user, the service page jumps automatically to the resource page when the user logs in, leaving only a small SSL VPN control window open.

Table of Contents

1 Basic Configuration 1-1
  Overview 1-1
  Configuration Tasks 1-1
  Configuration Procedures 1-2
    Configuring the Domain Policy 1-2
    Performing Certificate Management 1-4
    Configuring the Caching Policy 1-5
    Performing Bulletin Management 1-5
2 Authentication Policy 2-1
  Overview 2-1
  Configuration Tasks 2-1
  Configuration Procedures 2-1
    Configuring the Local Authentication Policy 2-1
    Configuring the RADIUS Authentication Policy 2-2
    Configuring the LDAP Authentication Policy 2-4
    Configuring the AD Authentication Policy 2-5
    Configuring the Combination Authentication Policy 2-6
  Authentication Server Configuration 2-7
    Configuring the RADIUS Servers 2-7
    Configuring the LDAP Server 2-7
    Configuring the AD Server 2-7
3 Security Policy Management 3-1
  Overview 3-1
  Configuration Tasks 3-1
  Configuration Procedures 3-1
    Configuring a Security Policy 3-1
    Configuring Security Policy Resources 3-3

1 Basic Configuration

Overview
The basic configuration includes domain policy configuration, certificate management, caching policy configuration, and bulletin management.

The domain policy applies to all users in the domain. It includes whether to use security policies, whether to enable authentication code verification, whether to enable MAC address binding, whether to enable auto login, whether to enable HTTP compression, the default authentication method, and the authentication code timeout time.

Certificate management allows you to define your own CA system as needed.

The caching policy defines the downloaded items to be cleared after a user logs out.

Bulletin management allows you to send different messages and notifications to different users of your company.

Configuration Tasks
Select Domain > Basic Configuration from the navigation tree to display the basic configuration tabs, as shown in Figure 1-1.

Figure 1-1 Domain policy management page

Perform the following tasks to complete the basic configuration:
Configuring the Domain Policy
Performing Certificate Management

Configuring the Caching Policy: Specify the downloaded items to be cleared after a user logs out.
Performing Bulletin Management: Add, modify, or delete bulletins.

Configuration Procedures

Configuring the Domain Policy
Select the Domain Policy tab to enter the domain policy configuration page. The following table describes the domain policy configuration items:
Enable security checking: If you enable security policies, the system checks the security status of a host to determine which resources the user of the host can use. Which items are checked depends on the configuration in the security policy management section. If you do not enable the security policy, the system does not check the security status of the hosts of users logging in. If you enable the security policy but do not specify the items to be checked, the system does not check the security status of the hosts of users logging in.
Enable authentication code verification: If you enable authentication code verification, the SSL VPN system displays the authentication code on the login page and verifies the code entered by the user.
Enable MAC binding: If you enable MAC address binding, the MAC address of a user is delivered to the SSL VPN system when the user logs in to the SSL VPN system.
Enable auto login: If you enable automatic login, the system logs in any user who enters the SSL VPN gateway address in the address bar of the browser, using the account guest or the account in the certificate.
Enable HTTP compress: If you enable HTTP compression, the system uses the negotiated compression method to compress HTTP transfers when users access Web proxy resources, which improves resource access efficiency.
Timeout Time: Specify the maximum idle time of a session.
Refresh Interval: Specify the interval at which the system automatically refreshes the online user information and history information.

Default Authentication Method: Select an authentication method from the drop-down list to use it as the default. A user using the default authentication method does not need to specify the authentication method when entering the username, while a user not using the default authentication method needs to append the suffix @authentication method.domain name to the username.
Authentication Code Timeout: Valid time of the authentication code picture, in the range 30 seconds to 600 seconds.
Listen to port 80: Specify whether to enable the SSL VPN to listen on port 80. If you select this option, users can open the SSL VPN login page by entering the SSL VPN address in the form http://host/.

The system supports multiple authentication methods. If you do not enable an authentication method, the method is not available to users and does not appear in the Auth Mode drop-down list on the login page. For details, refer to Authentication Policy.

Assume that you specify the default authentication method of the domain as local and there is a local user named user. In this case, on the login page, the local user needs to type only the username user for authentication. However, a user using another authentication method, such as RADIUS, needs to select the authentication method RADIUS from the Auth Mode drop-down list. By default, the default authentication method is local.

If you enable SSL VPN to listen on port 80, you need to specify another port for the firewall module.

After you enable automatic login, the system login mode varies with the certificate policy of the default authentication method. If the certificate policy is password authentication, the system automatically logs in using the user account guest. If the certificate policy is password plus certificate authentication, the system automatically logs in using the user account guest and requires that the user provide the client certificate issued for user guest. If the certificate policy is certificate authentication, the system automatically logs in using the username carried in the client certificate. If you have defined your own CA system and want to use the automatic login feature, it is recommended that you select certificate authentication as the certificate policy.

Performing Certificate Management
Select the Certificate Management tab to enter the certificate management page, as shown in Figure 1-2.

Figure 1-2 Certificate management page

This page allows you to perform certificate related operations, such as importing the CA certificate, importing the local certificate, configuring CRL related parameters, and rebooting the Web service. The following table describes the certificate configuration items:

Import CA Certificate
CA Certificate: Click Browse to locate the CA certificate file, and then click Update to import the CA certificate.

Import Local Certificate
Password: Specify the password of the local certificate.
Local Certificate: Click Browse to locate the local certificate file, and then click Update to import the local certificate.

Configure CRL
Enable CRL Checking: Select the check box to enable CRL checking.
URL for CRL: Type the URL for obtaining the CRL.
CRL Update Interval: Specify the CRL update interval.

Reboot Web Service
Reboot web service: Reboot the Web service of the SSL VPN device.

Configuring the Caching Policy
Select the Caching Policy tab to enter the caching policy configuration page, as shown in Figure 1-3.

Figure 1-3 Caching policy configuration page

This page allows you to specify the downloaded items to be cleared after a user logs out. The items include buffered web pages, cookies, downloaded programs, and configuration files.

Performing Bulletin Management
Select the Bulletin Management tab to enter the bulletin management page, as shown in Figure 1-4.

Figure 1-4 Bulletin management page

Click Add on the bulletin management page to create a bulletin, or select a bulletin and then click Configure to modify it. The following table describes the bulletin configuration items:

Bulletin Title: Specify the name of the bulletin.
Bulletin Content: Type the content of the bulletin.
Groups of the Bulletin: Specify the user group of the bulletin. Only users of the group can see the bulletin.

Because the contents of bulletins are usually effective only for a short period and are large in size, bulletins are not suitable for storage in the Flash and are therefore not stored there. As a result, bulletins do not survive a system reboot.

The bulletins for common users scroll in the bulletin area below the left navigation tree of the user service page.

2 Authentication Policy

Overview
The H3C SecPath SSL VPN system supports four authentication methods, namely local authentication, RADIUS authentication, LDAP authentication, and AD authentication. It supports using any two of the four authentication methods for user authentication. In addition, you can configure the certificate policy for each authentication method except RADIUS authentication. The certificate policy can be password, password + certificate, or certificate:
Password authentication requires that a user enter a valid username and password to log in to the SSL VPN system.
Password + certificate authentication requires that a user provide a valid username and password, as well as a valid certificate.
Certificate authentication requires that a user provide a valid certificate to log in. The username carried in the certificate is used as the account name automatically.

All of these enable the SSL VPN system to cooperate seamlessly with the user authentication databases of enterprises, eliminating the heavy burden of provisioning large numbers of users on the SSL VPN system. This chapter describes how to configure the authentication methods.

Configuration Tasks
Select Domain > Authentication Policy from the navigation tree to enter the authentication policy configuration page. Perform these tasks to complete the authentication policy configuration:
Configuring the Local Authentication Policy
Configuring the RADIUS Authentication Policy
Configuring the LDAP Authentication Policy
Configuring the AD Authentication Policy
Configuring the Combination Authentication Policy

Configuration Procedures

Configuring the Local Authentication Policy
The local authentication policy is used when the user information is stored on the SSL VPN device. Local authentication does not require interaction with external servers, and therefore the authentication process is faster. However, the number of local users is limited by the device's capacity.

Select Domain > Authentication Policy from the navigation tree and then select the Local Authentication tab to enter the local authentication policy configuration page.

The following table describes the local authentication policy configuration items:
Certificate Policy: Select the certificate policy for users logging in with the local authentication method.

Configuring the RADIUS Authentication Policy
The Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol using the client/server model. RADIUS can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required. For example, RADIUS is often used to manage a large number of dial-in users who use serial ports and modems.

Through the RADIUS authentication policy, the SSL VPN system can integrate seamlessly with the existing RADIUS server of an enterprise to authenticate the existing RADIUS users of the enterprise. This avoids having to create user accounts again.

Select Domain > Authentication Policy from the navigation tree and then select the RADIUS Authentication tab to enter the RADIUS authentication policy configuration page. The following table describes the RADIUS authentication policy configuration items:
Primary Server Address: Specify the address of the primary RADIUS server.
Secondary Server Address: Specify the address of the secondary RADIUS server.
Shared Key: Specify the shared key for encryption.
Username Format: Read only. Username without the domain name.
Timeout Retransmission Times: Specify the maximum number of attempts to reconnect to the RADIUS server.
Timeout Interval: Specify the interval between two attempts to reconnect to the RADIUS server.
Primary Server Quiet Interval: Specify the waiting time before switching back from the secondary server to the primary server when the primary server comes back into service.
User Group RADIUS Attribute: Read only. User group RADIUS attribute value, which is currently 140.
Enable Authentication: Select to enable RADIUS authentication.
Certificate Policy: Select the certificate policy for users using the RADIUS authentication method.

Authentication Port: Specify the authentication port of the primary RADIUS server.
Secondary Server Auth. Port: Specify the authentication port of the secondary RADIUS server.
Primary Authentication Server Status: Specify the status of the primary authentication server, active or block.
Secondary Authentication Server Status: Specify the status of the secondary authentication server, active or block.
Enable Accounting: Select whether to enable RADIUS accounting.
Upload Virtual IP: Specify whether to upload the assigned virtual NIC address after RADIUS accounting succeeds.
Accounting Port: Specify the accounting port of the primary RADIUS server.
Secondary Server Acct. Port: Specify the accounting port of the secondary RADIUS server.
Realtime-Accounting Interval: Specify the interval at which the device sends accounting update packets to the RADIUS server.
Realtime-Accounting Packet Retransmission Times: Specify the number of retransmissions the device can attempt if it fails to send an accounting update packet to the RADIUS server.
Enable Stop-Accounting Buffer: Select to enable the stop-accounting packet buffering function. With this function enabled, if the device fails to send a stop-accounting packet, it buffers the packet and then retransmits it.
Stop-Accounting Packet Retransmission Times: After Enable Stop-Accounting Buffer is selected, set the number of retransmissions the device can attempt if it fails to send a stop-accounting packet to the RADIUS server.
Primary Accounting Server Status: Specify the status of the primary accounting server, active or block.
Secondary Accounting Server Status: Specify the status of the secondary accounting server, active or block.

Currently, the SSL VPN system implements authentication, authorization and accounting mainly through the RADIUS server.

Assume that the maximum number of authentication/accounting request retransmission attempts is n:
If an error occurs on the primary server and no secondary server is configured, the authentication request is sent to the primary server up to n times.
If an error occurs on the primary server and a secondary server is configured, the authentication request is sent to the primary server k times and then to the secondary server at most m times, where k = (n + 1)/2 and k + m = n.

Configuring the LDAP Authentication Policy
The Lightweight Directory Access Protocol (LDAP) is developed on the basis of the X.500 standard but is simpler than X.500 and can be customized as needed. LDAP is a cross-platform protocol: you do not need to care about the devices hosting the LDAP server and client. At present, an increasing number of enterprises store user information on an LDAP server, which can authenticate users and provide corresponding services after the users pass authentication. The SSL VPN system uses the LDAP authentication policy to authenticate users stored on the LDAP server, and those users obtain access rights to the corresponding resources.

Select Domain > Authentication Policy from the navigation tree and then select the LDAP Authentication tab to enter the LDAP authentication policy configuration page. The following table describes the LDAP authentication policy configuration items:
LDAP Server Address: Specify the LDAP server address.
Service Port: Specify the LDAP authentication port.
Version: Specify the LDAP version, V2 or V3.
User Group LDAP Attribute: Specify the user group LDAP attribute. You can add customized attributes as needed.
Certificate Policy: Select the certificate policy for users using the LDAP authentication method.
Enable Authentication: Select whether to enable LDAP authentication.

The following item is available only when Query for user DN using template is selected:
User DN Template: Specify the user DN template.

The following items are available only when Check user DN by querying is selected:

Administrator DN: Specify the predefined user DN.
Password: Specify the DN password.
Confirm Password: Type the password again.
Query Base DN: Specify the base DN to be searched.
Query Template: Specify the query template.

Configuring the AD Authentication Policy
Active Directory (AD) is a directory service of Windows 2000 Server and later versions. It is used to store information about various objects on the network for administrators and users to search and use. The AD service uses structured data storage, which forms the basis of the hierarchical structure of the directory information. SSL VPN uses the AD authentication policy to integrate seamlessly with the existing AD domain authentication of the enterprise.

Select Domain > Authentication Policy from the navigation tree and then select the AD Authentication tab to enter the AD authentication policy configuration page. The following table describes the AD authentication policy configuration items:
AD Domain Name: Specify the AD domain name.
AD Server Address List: Specify the AD server address list, which can contain multiple addresses separated with semicolons (;).
Administrator's Account: Specify the administrator's account to be bound to the AD server.
Password: Specify the password of the administrator's account.
Confirm Password: Type the password again.
Username Format: Specify the format of the username for logging in to the AD server, that is, whether to exclude the AD domain name from the username.
Certificate Policy: Select the certificate policy for users using the AD authentication method.
Enable Authentication: Select whether to enable AD authentication.

Server Failure Restoring Time: Specify the waiting time before restarting the AD service after it fails.

For Administrator's Account, you can type the default administrator account of the AD domain, namely administrator, or type any account in the user group users.

Configuring the Combination Authentication Policy
The combination authentication policy can combine any two of the four authentication policies in any order. You can specify whether a user needs to enter the password for the second authentication after the user passes the first authentication.

Select Domain > Authentication Policy from the navigation tree and then select the Combination Authentication tab to enter the combination authentication policy configuration page. The following table describes the combination authentication policy configuration items:
Enable Authentication: Select this check box to enable combination authentication.

First Authentication Policy
Authentication Policy: Select the authentication policy to be used in the first authentication.

Second Authentication Policy
Password Input Needed: Select whether the user must enter the password for the second authentication. If you select this option, the system pushes the login page to the user again after the user passes the first authentication, and the user needs to enter the password for the second authentication.
Authentication Policy: Select the authentication policy to be used in the second authentication.

With combination authentication, the first authentication policy determines the resources that a user can access and the online username of the user. When a user accesses the login-once resources, the SSL VPN system automatically uses the password that was entered in the first authentication.

Authentication Server Configuration

Configuring the RADIUS Servers
In a RADIUS authentication process, the client sends the username and password to the RADIUS server, which then searches for the user information in its local database and verifies the validity of the user. If the user is valid, the RADIUS server returns the corresponding attribute value. The attribute is the information that the client obtains from the RADIUS server after passing authentication. Although RADIUS defines a lot of attributes, you need to define an extended attribute for the user group. The VPN system requires that the extended attribute number be 140. Configuring any other number causes authentication failure.

When you add a user that has multiple user group attribute values on the RADIUS server, you need to separate the attribute values with semicolons (;), for example, usergroup;usergroup1;usergroup2. Note that no semicolon is required at the end.

Configuring the LDAP Server
The LDAP authentication process is similar to the RADIUS authentication process. LDAP defines a lot of attributes, which can be used to obtain the required user group information. You can also define extended attributes as needed. For LDAP authentication, if an attribute has multiple values, you need to type them on separate lines. Suppose that you define an attribute named sslvpnusergroup. If user svpnuser belongs to usergroup, usergroup1 and usergroup2, you need to type the user information as follows:

dn:cn=svpnuser,dc=vpn-domain,dc=com
objectclass:sslvpnuser
sslvpnusergroup:usergroup
sslvpnusergroup:usergroup1
sslvpnusergroup:usergroup2
userpassword:svpnuser

Configuring the AD Server
Because the AD server itself has the group concept, you do not need to define attributes of your own. You only need to create user groups and then add users to the groups.

The user group information on the authentication server exists in the form of user attribute values. Make sure that the user groups defined on the authentication server are consistent with those defined on the gateway system; otherwise, login failures may occur.

The maximum number of user groups that a user can join depends on the device model. The number of user groups configured for a user on the authentication server cannot exceed the upper limit supported by the device.
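An added example (constructed here, not H3C code) for the RADIUS and LDAP server sections above: it parses the semicolon-separated value of user-group attribute 140 and the multi-valued LDAP attribute from the LDIF shown, then checks the result against the groups defined on the gateway and the per-model group limit before login failures occur. The gateway group list and the limit of 8 are placeholders; the real limit depends on the device model.

```python
# Constructed LDIF entry, copied from the LDAP server example in the text above.
SAMPLE_LDIF = """\
dn:cn=svpnuser,dc=vpn-domain,dc=com
objectclass:sslvpnuser
sslvpnusergroup:usergroup
sslvpnusergroup:usergroup1
sslvpnusergroup:usergroup2
userpassword:svpnuser
"""

# Groups defined on the gateway system (constructed) and the device limit (placeholder).
GATEWAY_GROUPS = {"usergroup", "usergroup1", "usergroup2", "finance"}
MAX_GROUPS_PER_USER = 8  # placeholder: the real upper limit is model-specific


def parse_radius_groups(attr_value: str) -> list:
    """Split the value of user-group RADIUS attribute 140, e.g.
    'usergroup;usergroup1;usergroup2'. A trailing semicolon (which the manual
    says must not be present) shows up as an empty name for check_groups to flag."""
    return attr_value.split(";")


def parse_ldif_groups(ldif: str, attr: str = "sslvpnusergroup") -> list:
    """Collect every value of the multi-valued group attribute from an LDIF entry.
    The attribute name is matched case-insensitively; other attributes are ignored."""
    groups = []
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            groups.append(value.strip())
    return groups


def check_groups(groups, gateway_groups=GATEWAY_GROUPS, limit=MAX_GROUPS_PER_USER) -> list:
    """Return a list of problems; an empty list means the server-side groups are
    consistent with the gateway and within the device limit."""
    problems = []
    if any(g == "" for g in groups):
        problems.append("empty group name: trailing or doubled semicolon in the attribute value")
    for g in sorted({g for g in groups if g and g not in gateway_groups}):
        problems.append(f"group {g!r} is not defined on the gateway; login would fail")
    named = [g for g in groups if g]
    if len(named) > limit:
        problems.append(f"{len(named)} groups exceed the device limit of {limit}")
    return problems


if __name__ == "__main__":
    print(check_groups(parse_radius_groups("usergroup;usergroup1;")))   # trailing ';' flagged
    print(check_groups(parse_ldif_groups(SAMPLE_LDIF)))                 # []
```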

3 Security Policy Management

Overview
An insecure terminal accessing the internal network may lead to information leakage. Using the host checking plug-in, the system can check the operating system version, browser version, processes, files and security software of the terminal and then determine which resources the terminal can use.

A security policy specifies the method for evaluating the security of user terminals. It defines the items to be checked. A security policy can define multiple categories of items to be checked, with each category containing multiple items. If a terminal satisfies any item of a category, the terminal is considered to satisfy the category. Only when a terminal satisfies all the categories does the terminal satisfy the security policy.

Configuration Tasks
Select Domain > Security Policy from the navigation tree to enter the security policy management page, as shown in Figure 3-1.

Figure 3-1 Security policy management page

Perform the following tasks to configure a security policy:
Configuring a Security Policy: Add, modify, and delete security policies.
Configuring Security Policy Resources: Configure the resources to be protected by the security policy.

Configuration Procedures

Configuring a Security Policy
On the security policy management page, click Add to create a security policy, or select a security policy and then click Configure Policy to modify it.
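The category evaluation rule above (any item within a category, all categories for the policy), as an added example that is not H3C code. The check kinds follow the five things the host checking plug-in is said to examine; the data classes, the sample policy and the terminals are constructed for this example, and treating a policy with no categories as passing (nothing to check) is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# One check item: what is examined (os, browser, process, file, security_software)
# and the value that satisfies it.
@dataclass(frozen=True)
class CheckItem:
    kind: str
    value: str

# A category passes when ANY of its items matches the terminal.
@dataclass
class Category:
    name: str
    items: List[CheckItem] = field(default_factory=list)

# What the host checking plug-in reports about the terminal (constructed shape).
@dataclass
class Terminal:
    os_version: str
    browser_version: str
    processes: Set[str] = field(default_factory=set)
    files: Set[str] = field(default_factory=set)
    security_software: Set[str] = field(default_factory=set)


def item_satisfied(item: CheckItem, term: Terminal) -> bool:
    if item.kind == "os":
        return term.os_version == item.value
    if item.kind == "browser":
        return term.browser_version == item.value
    if item.kind == "process":
        return item.value in term.processes
    if item.kind == "file":
        return item.value in term.files
    if item.kind == "security_software":
        return item.value in term.security_software
    raise ValueError(f"unknown check kind {item.kind!r}")


def category_satisfied(cat: Category, term: Terminal) -> bool:
    """Any matching item is enough; a category with no items is never satisfied."""
    return any(item_satisfied(i, term) for i in cat.items)


def evaluate_policy(policy: List[Category], term: Terminal) -> Tuple[bool, List[str]]:
    """Return (passed, names of failed categories). The policy passes only when
    every category is satisfied, so the failed list is what an admin would log."""
    failed = [c.name for c in policy if not category_satisfied(c, term)]
    return (not failed, failed)


# Constructed sample policy: an allowed OS version AND evidence of endpoint protection.
SAMPLE_POLICY = [
    Category("os", [CheckItem("os", "Windows 7"), CheckItem("os", "Windows 10")]),
    Category("endpoint-protection", [CheckItem("security_software", "ExampleAV"),
                                     CheckItem("process", "avservice.exe")]),
]
COMPLIANT = Terminal("Windows 10", "IE 11", processes={"explorer.exe", "avservice.exe"})
NO_AV = Terminal("Windows 10", "IE 11", processes={"explorer.exe"})

if __name__ == "__main__":
    print(evaluate_policy(SAMPLE_POLICY, COMPLIANT))   # (True, [])
    print(evaluate_policy(SAMPLE_POLICY, NO_AV))       # (False, ['endpoint-protection'])
```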