H3C SecBlade SSL VPN Card Super Administrator Web Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document version: 5PW105-20130801
Copyright 2003-2013, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved Trademarks No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. H3C,, H3CS, H3CIE, H3CNE, Aolynk,, H 3 Care,, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. Notice All other trademarks that may be mentioned in this manual are the property of their respective owners The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface The H3C SecBlade SSL VPN Card Web Configuration Guides describe how to configure the functions of the SSL VPN card at the web interface. The Super Administrator Web Configuration Guide describes the configuration tasks that a super administrator can perform after login. This preface includes: Audience Conventions About the H3C SecBlade SSL VPN Card Obtaining documentation Technical support Documentation feedback Audience This documentation is intended for: Network planners Field technical support and servicing engineers Network administrators working with the H3C SecBlade SSL VPN Card Conventions This section describes the conventions used in this documentation set. Command conventions Convention Boldface Italic Description Bold text represents commands and keywords that you enter literally as shown. Italic text represents arguments that you replace with actual values. [ ] Square brackets enclose syntax choices (keywords or arguments) that are optional. { x y... } [ x y... ] { x y... } * [ x y... ] * Braces enclose a set of required syntax choices separated by vertical bars, from which you select one. Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none. Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one. Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
Convention &<1-n> Description The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times. # A line that starts with a pound (#) sign is comments. GUI conventions Convention Boldface Description Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK. > Multi-level menus are separated by angle brackets. For example, File > Create > Folder. Symbols Convention WARNING CAUTION IMPORTANT NOTE TIP Description An alert that calls attention to important information that if not understood or followed can result in personal injury. An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software. An alert that calls attention to essential information. An alert that contains additional or supplementary information. An alert that provides helpful information. Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. About the H3C SecBlade SSL VPN Card The H3C SecBlade SSL VPN Card documentation set includes: Category Documents Purposes Product description and specifications Marketing brochures Technology white papers Describe product specifications and benefits. Provide an in-depth description of software features and technologies.
Category Documents Purposes Hardware specifications and installation Software configuration Operations and maintenance Card manuals H3C SecBlade SSL VPN Card License Registration and Activation Guide H3C SecBlade Cards Software Upgrade Guide Configuration guides Configuration examples Release notes Provide the hardware specifications of cards. Guides you through registering and activating the license of cards. Guide you throuth upgrading the software of cards. Describe software features and configuration procedures. Describe typical network scenarios and provide configuration examples and instructions. Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading. Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] Provides hardware installation, software upgrading, and software feature configuration and maintenance documentation. [Products & Solutions] Provides information about products and technologies, as well as solutions. [Technical Support & Documents > Software Download] Provides the documentation released with the software version. Technical support service@h3c.com http://www.h3c.com Documentation feedback You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
Contents SSL VPN Overview 1 SSL VPN Gateway Configuration 2 Gateway Configuration 2 Connecting to the SSL VPN Device 2 Enabling Web Server and SSL VPN Services 3 Logging Into SSL VPN Management Interface 4 Introduction to the SSL VPN Management Platform 6 Device Management 7 Overview 7 Configuration Tasks 7 Configuration Procedures 8 Viewing and Refreshing System Statistics 8 Viewing System Status Information 8 Configuring Interfaces 9 Configuring a Log Host 9 Saving Configuration 10 Rebooting the Device 10 Configuring the Working Mode 10 Administrator Management 12 Overview 12 Configuration Tasks 12 Configuration Procedures 12 Creating an Administrator 12 Modifying an Administrator 13 SSL Offload Server 15 Overview 15 Configuration Tasks 15 Configuration Procedures 15 Configuring an SSL Offload Policy 15 Configuring an SSL Offload Resource 15 Domain Policy Management 17 Overview 17 Configuration Tasks 17 Configuration Procedures 17 Creating a Domain Policy 17 Modifying a Domain Policy 18 Performing Certificate Management 19 Configuring License Management 20 Configuration Management 22 Overview 22 Configuration Management 22 Configuration Examples 23 Creating a Normal Domain 23 Configuring a Super Administrator 23 i
Index 25 ii
SSL VPN Overview Security Socket Layer (SSL) VPN is an emerging VPN technology. It uses SSL to provide certificate-based identity authentication, data encryption, and data integrity check for remote users to securely access the internal corporate network. H3C SecBlade SSL VPN greatly simplifies mobile user and network management by providing the following benefits: easy to use, zero configuration for users, no need to install and maintain the client, simple to deploy, high security, and fine grained security control. The H3C SecBlade series devices can function as ingress gateways for enterprises of any size as well as proxy gateways of internal server clusters for medium-sized and large enterprises. SSL VPN supports three access methods: Web access: Enables web users to access servers over HTTPS connections through the SSL VPN gateway. TCP access: Enables TCP-based applications to securely access open server ports. TCP-based applications include remote desktop web access, desktop sharing, Telnet, mail transfer, Notes, and general TCP service. IP access: Enables secure communications between user terminals and servers at the network layer so that all IP-based applications can securely communicate with other hosts. Using role-based right management, SSL VPN can restrict user access to resources according to user identity. In addition, it incorporates the user host security checking feature, implementing dynamic user access rights assignment. SSL VPN gateways support Web management. An administrator can configure and manage the SSL VPN system through a Web browser. H3C SecBlade SSL VPN defines three roles: Super administrator: Managers of the root domain, which is created automatically upon SSL VPN startup. A super administrator can create domains, initialize the administrator passwords of domains, and assign resource groups to domains. Domain administrator: Managers of common domains, which are created by super administrators. A domain administrator can create and delete local users, user groups, resources, resource groups, and security policies for the domain. SSL VPN user: Users accessing network resources through SSL VPN. An SSL VPN user must pass authentication on the SSL VPN gateway. After authentication, an SSL VPN user can access the SSL VPN gateway, and the SSL VPN system will assign the user access rights based on the security status of the user and the user group to which the user belongs. This document introduces the configuration and management tasks of super administrators. 1
SSL VPN Gateway Configuration Gateway Configuration Before logging into the SSL VPN Web management interface, you need to perform some simple configurations on the SSL VPN device: Task Connecting to the SSL VPN Device Enabling the Web server Enabling the SSL VPN service Remarks Use a console cable to connect the terminal for configuration with the console port of the SSL VPN card. To allow administrative access to the SSL VPN Web management interface, you must enable the Web server on the gateway. Enable SSL VPN service through the command line. Connecting to the SSL VPN Device Introduction to the console port Every H3C SecBlade SSL VPN card has an RS232 port, that is, the console port, through which you can configure the card. Introduction to the console cable The console cable is an 8-wire shielded cable with an RJ-45 connector at one end and a DB-9 receptacle at the other end, as shown in Figure 1. The RJ-45 connector is for connecting the console port of an SSL VPN card and the DB-9 receptacle is for connecting the serial port of a terminal for configuration. Figure 1 Console cable A X3 A Connecting the console cable Connect the console cable as follows: 1. Select a terminal for configuration. The terminal can be a character terminal with a standard RS232 port or a common PC. A PC is used in most cases. 2. Connect the cable. Making sure that the SSL VPN device and the terminal for configuration are powered off, connect one end of the console cable to the RS232 port of the terminal and the other end to the console port of the SSL VPN card. 2
Enabling Web Server and SSL VPN Services After you enable the Web server and SSL VPN service, the gateway will be able to provide default settings-based SSL VPN services. Enabling the Web server Follow these steps to enable the Web server: To do Use the command Remarks Enter system view system-view Enable the Web server web server enable Enabled by default Enabling the SSL VPN service Follow these steps to enable the SSL VPN service: To do Use the command Remarks Enter system view system-view Enable SSL VPN service svpn service enable Enabled by default 3
Logging Into SSL VPN Management Interface IMPORTANT: For security purposes, after you log in to the SSL VPN for the first time by using the default super administrator account, change the default password and save the new password properly. On a PC, launch the Web browser and enter the SSL VPN login address in the form of https://ip address of the Ethernet interface of the device/admin to log into the SSL VPN management interface. The management port number defaults to 444. It is recommended that you use IE 6.0, Firefox 1.5, Netscape 8.0 or above, and set the screen resolution to 1024 768. NOTE: If the device operates in SSL Offload Mode and then restarts, you need to enter the address https://ip address of the Ethernet interface of the device:management port (444 by default)/admin to log into the device. For information about the SSL Offload Mode, see the Work Mode in Device Management. After the SSL VPN service is enabled, the system automatically creates a domain named root and create a default super administrator account, whose username and password are both administrator. To log into the SSL VPN gateway, enter the default username and password, Click Option and select to log in to the root domain, and click Login, as shown in Figure 2. If you select the check box before Save current user name, the input username is saved and you can select it from the Username dropdown list at the next login. To switch to the interface in simplified Chinese, click the language link at the top right corner. When you log in to an SSL VPN on the same host, if the language of the interface has been switched, you must clear the cache of the browser. Otherwise, English and Chinese will appear on the pages at the same time. Figure 2 SSL VPN login page 4
NOTE: The root domain is the default domain of the system. All users in the root domain are super administrators, whose responsibilities include managing devices, creating common domains, creating resources, and assigning resources to common domains. 5
Introduction to the SSL VPN Management Platform The SSL VPN management platform is very friendly. It allows you to perform SSL VPN configuration and management easily and quickly, as shown in Figure 3. Figure 3 SSL VPN management interface (1) Information column (2) Configuration area (3) Navigation tree Information column: Displays administrator login information. The logo picture and page title can be customized by the administrator. You can click Help to view information about SSL VPN overview, functions, and scope, or click Exit to return to the login page. Configuration area: Allows the administrator to view system information, and configure users, resources, and policies. Click the tabs to switch between tab pages. Navigation tree: Navigates you to different management functions. You can click a cross button to display sub-menus. 6
Device Management Overview Device management can provide you with the operation status of the SSL VPN system. Through device management, you can view real-time information such as the current system resource utilization and SSL connection status, and history information such as the start time and SSL connection statistics. Besides, you can configure an IP address for every physical Ethernet interface of the device, configure the log host for the device, save the system configuration of the device, and reboot the whole device. Configuration Tasks Select Device from the navigation tree to enter the statistics page, as shown in Figure 4 Figure 4 Statistics page Perform these tasks to perform device management: Viewing and Refreshing System Statistics Viewing System Status Information Configuring Interfaces Configuring a Log Host Saving Configuration Rebooting the Device Configuring the Working Mode 7
Configuration Procedures Viewing and Refreshing System Statistics Select the Statistics tab to enter the statistics page, which displays the system start time, running time, CPU utilization, and SSL connection statistics. The following table describes the items for refreshing the statistics: Item Refresh automatically Refresh Action Optional Select whether to refresh the statistics automatically. The refreshing interval defaults to 10 seconds and cannot be modified. Optional Click Refresh to refresh the statistics immediately. Viewing System Status Information Select the System Status tab to enter the system status page shown in Figure 5, which displays the system memory utilization, Flash utilization, and CF card utilization. Figure 5 System Status Information The following table describes the items for refreshing the system status information: Item Refresh automatically Refresh Action Optional Select whether to refresh the system status information automatically. The refreshing interval defaults to 10 seconds and cannot be modified. Optional Click Refresh to refresh the system status information immediately. 8
Configuring Interfaces Select the Interface Management tab to enter the interface management page shown in Figure 6. Select an interface, and then click Configure to enter the interface configuration page. Figure 6 The following table describes the interface configuration item: Item Configure IP address of interface Action Specify the address assign mode, IP address, and subnet mask for the selected interface. NOTE: Interface management supports configuring only physical Ethernet interfaces. Logical interfaces are not supported. If you select None as the address assign mode, after you apply the configuration, the system will delete all IP address configurations or DHCP or BOOTP configurations of the current interface. Configuring a Log Host Select the Loghost tab to enter the log host configuration page shown in Figure 7. Click Add to configure a log host for the device. Figure 7 Log host page The following table describes the log host configuration items: Item Logging Host IP Address Action Specify the IP address of the log host. System logs will be sent to this log host. 9
Item Logging Host Facility Language Environment Action Select the logging facility to be used. Select the language to be used to record logs. Saving Configuration Click the Save Configuration tab to enter the page shown in Figure 8 where you can save the current system configuration, such as the interface IP configuration and log host configuration. Figure 8 Save configuration page Rebooting the Device Select the Reboot Device tab to enter the page shown in Figure 9 where you can reboot the current device. After the device is rebooted, you need to re-log in to the device as the administrator to proceed managing the SSL VPN device. Figure 9 Reboot device page Configuring the Working Mode Select the Work Mode tab to enter the working mode configuration page shown in Figure 10. 10
Figure 10 Work mode page The following table describes the device working mode configuration items: Item Device work mode Action Specify the working mode of the device, which can be SSL VPN Mode or SSL Offload Mode. For information about SSL offload mode, see the SSL Offload manual. 11
Administrator Management Overview Through the SSL VPN system, you can manage multiple administrators. Configuration Tasks Select User > Administrator from the navigation tree to enter the administrator management page, as shown in Figure 11. Figure 11 Administrator management page As shown in Figure 11, the administrator management page displays all super administrators and the default administrators of all normal domains (that is, all default domain administrators). Perform these tasks to perform administrator management: Creating an Administrator Modifying an Administrator Configuration Procedures Creating an Administrator Click Add on the administrator management page to create a super administrator in the page shown in Figure 11. 12
Figure 12 Add a super administrator The following table describes the administrator configuration items: Item Account Account Description Password Confirm Password Action Specify an administrator account. Optional Describe the administrator account information. Type a password for the account. Type the password again for confirmation. NOTE: You can create up to two super administrators. Modifying an Administrator Select an administrator on the administrator management page and then click Configure to modify the administrator s settings in the page shown in Figure 13. 13
Figure 13 Modify an administrator The following table describes the administrator configuration items: Item Account Description Password Confirm Password Action Optional Describe the administrator account information. Type a new password for the administrator account. Type the password again for confirmation. NOTE: All users in the root domain are super administrators. All super administrators and the default domain administrators will be displayed on the administrator management page. Clicking Add on the page, you can create only super administrators. You cannot remove any super administrator or default domain administrator; you can only modify their passwords. 14
SSL Offload Server Overview SSL offload means that plug-in cards provide SSL encryption and decryption services for the internal Web server and provide externally SSL encrypted access to the Web server through HTTPS, while the internal Web server only processes services but performs no SSL encryption calculation, which consumes lots of CPU resources. This improves the Web server's processing ability. Configuration Tasks Select SSL Offload from the navigation tree to enter the SSL offload policy configuration page, as shown in Figure 14. Figure 14 SSL offload policy configuration page Perform these tasks to configure SSL offload: Configuring an SSL Offload Policy Configuring an SSL Offload Resource Configuration Procedures Configuring an SSL Offload Policy The following table describes the SSL offload policy configuration item: Item Enable HTTP Compression Action Optional Enable or disable HTTP compression. Enabling HTTP compression improves bandwidth utilization. Configuring an SSL Offload Resource Click the SSL Offload Resource tab to enter the page shown in Figure 15. 15
Figure 15 SSL offload resource configuration Click Add to create an SSL offload resource or select an SSL offload resource and then click Configure to modify the SSL offload resource. The following table describes the SSL offload resource configuration items: Item Resource Name Server IP Address Server Port Action Specify a unique name for the SSL offload server resource. Specify the IP address of the internal Web server. Specify the internal Web server port. The default is 80. 16
Domain Policy Management Overview You can create multiple SSL VPN domains, each of which forms a separate SSL VPN system. Thus, each branch of a company can use and manage a separate SSL VPN system. Configuration Tasks Select Domain > Domain Policy from the navigation tree to enter the domain policy configuration page, as shown in Figure 16. Figure 16 Domain policy configuration page Perform these tasks to configure a domain policy: Creating a Domain Policy Modifying a Domain Policy Performing Certificate Management Configuring License Management Configuration Procedures Creating a Domain Policy Click Add on the domain policy configuration page to create a domain policy in the page shown in Figure 17. 17
Figure 17 Domain policy configuration page The following table describes the domain policy configuration items: Item Domain Name Default Administrator Password Confirm Password Timeout Time Max. number of Online Users Action Specify a name for the domain, which will be used during user login. Specify the password of the default domain administrator. Creating a domain will create a default domain administrator with the account name administrator at the same time. Type the password again for confirmation. Specify the timeout time to force a user offline if the user performs no operation within the time. Specify the maximum of users that can get online at the same time. After the number of online users reaches the limit, no other users can log in. Note that this limit does not take administrators into account. The maximum number set here cannot exceed the maximum number allowed by the system. Modifying a Domain Policy Select a domain policy and click Configure on the domain policy configuration page to modify a domain policy in the page shown in Figure 18. 18
Figure 18 Modify a domain policy The following table describes the domain policy configuration items that you can modify: Item Domain Name Timeout Time Max. number of Online Users Action Specify a name for the domain, which will be used during user login. Specify the timeout time to force a user offline if the user performs no operation within the time. Specify the maximum of users that can get online at the same time. After the number of users reaches the limit, no other users can log in. Note that this limit does not take administrators into account. The maximum number set here cannot exceed the maximum number allowed by the system. Performing Certificate Management Overview Certificate Management includes managing CA and domain certificates and configuring CRLs. Configuration Procedure Select the Certificate Management tab to enter the certificate management page, as shown in Figure 19. 19
Figure 19 Certificate management page The following table describes the certificate management configuration items: Item CA Certificate Password Local Certificate Enable CRL Checking URL for CRL CRL Update Interval Action Click Browse to locate the CA certificate file, and then click Update to import the CA certificate. Specify the password of the local certificate. Click Browse to locate the local certificate file, and then click Update to import the local certificate. Optional Select the check box to enable CRL checking. Optional Type the URL address for obtaining the CRL. Optional Specify the CRL update interval. Configuring License Management Select the License tab to enter the license management page, as shown in Figure 20. On the license management page, you can view the device serial number and the maximum number of online users allowed, and import the license. 20
Figure 20 License management The following table describes the license configuration item: Item Import License Action Click Browse to select the license file and then click Import to import the license file to the SSL VPN system. 21
Configuration Management Overview The SSL VPN system provides functions for you to save your configuration and restore the most recent configuration saved. Configuration Management Select Domain > Configuration Management from the navigation tree to enter the configuration management page, as shown in Figure 21. Figure 21 Configuration management page The following table describes the configuration management items: Item Save Restore Action Click Save to save the current configuration file as the backup file and save the current configuration to the configuration file. Click Restore to restore the backup file as the configuration file. The system can load the restored configurations after a reboot. NOTE: If the system shuts down abnormally without saving the current configuration, it loads the most recently saved configurations after reboot. If an upload failure occurs, the system restores the default configuration. 22
Configuration Examples Creating a Normal Domain Select Domain > Domain Policy from the navigation tree to enter the domain policy configuration page, and then click Add to enter the domain policy configuration page as shown in Figure 22 to create a domain policy. Figure 22 Create a domain policy Type domain for Domain Name. Type the same password for Default Administrator Password and Confirm Password. Type 30 for Timeout Time. Type 50 for Max. number of Online Users. Click Apply. Configuring a Super Administrator Select User > Administrator from the navigation tree to enter the administrator page, and then click Add to enter the super administrator configuration page, as shown in Figure 23. 23
Figure 23 Create a super administrator Type superman for Account. Type 123456 for Password and Confirm Password. Click Apply. 24
Index C G O C Configuration Management,22 Configuration Procedures,17 Configuration Procedures,8 Configuration Procedures,15 Configuration Procedures,12 Configuration Tasks,7 Configuration Tasks,15 Configuration Tasks,17 Configuration Tasks,12 Configuring a Super Administrator,23 Creating a Normal Domain,23 G Gateway Configuration,2 O Overview,7 Overview,22 Overview,15 Overview,12 Overview,17 25