
Example 5-141 Reconfigure SSL VPN

In document vshield API Programming Guide (Page 122-125)

Request:

PUT https://<vsm-ip>/api/3.0/edges/<edgeId>/sslvpn/config/

Request Body:

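<?xml version="1.0" encoding="UTF-8"?>
<!-- Request body for PUT /api/3.0/edges/<edgeId>/sslvpn/config/ (vShield Edge SSL VPN).
     Values below are the guide's sample data; the NOTE(review) comments mark settings a
     production deployment should change. Secrets (user passwords, LDAP bind password,
     RADIUS shared secret) travel in clear inside this body and are protected only by the
     HTTPS session to <vsm-ip>. -->
<sslvpnConfig>
  <enabled>true</enabled>
  <logging> <!-- optional -->
    <enable>false</enable>
    <logLevel>debug</logLevel>
  </logging>
  <serverSettings>
    <ip>10.112.243.109</ip>
    <port>443</port> <!-- optional. Default is 443 -->
    <!-- Certificate has to be generated using the certificate REST API and the id returned
         should be mentioned here (optional). NOTE(review): without a certificateId the
         client has no trusted server certificate to validate; confirm what the Edge presents
         when this is omitted. -->
    <!-- <certificateId>certificate-1</certificateId> -->
    <cipherList>
      <!-- any one or more of the following ciphers can be part of the configuration.
           NOTE(review): RC4-MD5 and DES-CBC3-SHA are considered weak (RC4 keystream
           biases, 3DES 64-bit block / Sweet32); configure only the AES suites unless a
           legacy client requires otherwise. -->
      <cipher>RC4-MD5</cipher>
      <cipher>AES128-SHA</cipher>
      <cipher>AES256-SHA</cipher>
      <cipher>DES-CBC3-SHA</cipher>
    </cipherList>
  </serverSettings>
  <privateNetworks>
    <privateNetwork>
      <description>This is a private network for UI-team</description>
      <network>192.168.1.0/24</network>
      <sendOverTunnel>
        <ports>20-40</ports> <!-- optional. Default is 0-0 -->
        <optimize>false</optimize> <!-- optional. Default is true -->
      </sendOverTunnel>
      <enabled>true</enabled> <!-- optional. Default is true -->
    </privateNetwork>
  </privateNetworks>
  <users>
    <user>
      <userId>stalin</userId>
      <!-- NOTE(review): sample credential; local user passwords are supplied in clear in
           this request and are subject to the LocalAuthServerDto passwordPolicy below. -->
      <password>apple@123</password>
      <firstName>STALIN</firstName>
      <lastName>RAJAKILLI</lastName>
      <description>This user belong to vsm team</description>
      <disableUserAccount>false</disableUserAccount> <!-- optional. Default is false -->
      <!-- NOTE(review): true exempts this account from passwordLifeTime expiry. -->
      <passwordNeverExpires>true</passwordNeverExpires> <!-- optional. Default is false -->
      <allowChangePassword>
        <changePasswordOnNextLogin>false</changePasswordOnNextLogin> <!-- optional. Default is false -->
      </allowChangePassword>
    </user>
  </users>
  <ipAddressPools>
    <ipAddressPool>
      <description>description</description>
      <ipRange>10.112.243.11-10.112.243.57</ipRange>
      <!-- NOTE(review): with netmask 255.0.0.0 the pool is in 10.0.0.0/8, but the gateway
           192.168.1.1 is outside that range; verify these sample values before reuse. -->
      <netmask>255.0.0.0</netmask>
      <gateway>192.168.1.1</gateway>
      <primaryDns>192.168.10.1</primaryDns>
      <secondaryDns>4.2.2.2</secondaryDns>
      <dnsSuffix></dnsSuffix>
      <winsServer>10.112.243.201</winsServer>
      <enabled>true</enabled> <!-- optional. Default is true -->
    </ipAddressPool>
  </ipAddressPools>
  <clientInstallPackages>
    <clientInstallPackage>
      <profileName>client</profileName>
      <gatewayList>
        <gateway>
          <hostName>10.112.243.123</hostName>
          <port>443</port> <!-- optional. Default is 443 -->
        </gateway>
      </gatewayList>
      <!-- Optional Parameters -->
      <startClientOnLogon>false</startClientOnLogon> <!-- optional. Default is false -->
      <hideSystrayIcon>true</hideSystrayIcon> <!-- optional. Default is false -->
      <!-- NOTE(review): true stores the user's VPN credential on the endpoint. -->
      <rememberPassword>true</rememberPassword> <!-- optional. Default is false -->
      <silentModeOperation>true</silentModeOperation> <!-- optional. Default is false -->
      <silentModeInstallation>false</silentModeInstallation> <!-- optional. Default is false -->
      <hideNetworkAdaptor>false</hideNetworkAdaptor> <!-- optional. Default is false -->
      <createDesktopIcon>true</createDesktopIcon> <!-- optional. Default is true -->
      <!-- NOTE(review): false makes the installed client accept any server certificate,
           which removes its protection against a man-in-the-middle gateway. The default is
           true; leave it true outside of lab testing. -->
      <enforceServerSecurityCertValidation>false</enforceServerSecurityCertValidation> <!-- optional. Default is true -->
      <createLinuxClient>false</createLinuxClient> <!-- optional. Default is false -->
      <createMacClient>false</createMacClient> <!-- optional. Default is false -->
      <description>windows client</description>
      <enabled>true</enabled> <!-- optional. Default is true -->
    </clientInstallPackage>
  </clientInstallPackages>
  <webResources>
    <!-- The guide's listing omits this opening tag but closes </webResource>; it is
         required for the body to be well-formed. -->
    <webResource>
      <name>VMware</name>
      <!-- NOTE(review): the resource URL is plain http, so the POST data below is sent in
           clear on the leg to that host. -->
      <url>http://www.vmware.com</url>
      <method name="POST">
        <data>username=stalin </data>
      </method>
      <description>Click here to visit the corporate intranet Homepage </description>
      <enabled>true</enabled> <!-- optional. Default is true -->
    </webResource>
  </webResources>
  <clientConfiguration>
    <autoReconnect>true</autoReconnect> <!-- optional. Default is false -->
    <fullTunnel> <!-- optional. Default tunnel mode is SPLIT -->
      <excludeLocalSubnets>true</excludeLocalSubnets> <!-- optional. Default is false -->
      <gatewayIp>10.112.243.11</gatewayIp>
    </fullTunnel>
    <upgradeNotification>false</upgradeNotification> <!-- optional. Default is false -->
  </clientConfiguration>
  <advancedConfig>
    <enableCompression>false</enableCompression> <!-- optional. Default is false -->
    <forceVirtualKeyboard>false</forceVirtualKeyboard> <!-- optional. Default is false -->
    <preventMultipleLogon>true</preventMultipleLogon> <!-- optional. Default is false -->
    <randomizeVirtualkeys>false</randomizeVirtualkeys> <!-- optional. Default is false -->
    <timeout> <!-- optional -->
      <forcedTimeout>16</forcedTimeout> <!-- optional. Unit not stated in the guide -->
      <sessionIdleTimeout>10</sessionIdleTimeout> <!-- optional. Default value is 10 mins -->
    </timeout>
    <clientNotification></clientNotification>
    <enablePublicUrlAccess>false</enablePublicUrlAccess> <!-- optional. Default is false -->
    <enableLogging>false</enableLogging> <!-- optional. Default is false -->
  </advancedConfig>
  <authenticationConfiguration>
    <passwordAuthentication>
      <authenticationTimeout>1</authenticationTimeout> <!-- optional. Default value is 1 mins -->
      <!-- Only four auth servers can be part of the authentication configuration, including
           the secondary auth server, and they can be of type AD, LDAP, RADIUS, LOCAL and RSA -->
      <primaryAuthServers>
        <com.vmware.vshield.edge.sslvpn.dto.LdapAuthServerDto>
          <ip>1.1.1.1</ip>
          <!-- optional. Default value is 389 for a normal cfg, or 636 (LDAPS) if ssl is
               enabled. NOTE(review): the guide prints 639 for the ssl default; standard
               LDAPS is 636, confirm against the product. -->
          <port>90</port>
          <timeOut>20</timeOut> <!-- optional. Default value is 10 secs -->
          <!-- NOTE(review): with enableSsl false the bind DN and bindPassword are sent to
               the directory in clear. -->
          <enableSsl>false</enableSsl> <!-- optional. Default is false -->
          <searchBase>searchbasevalue</searchBase>
          <bindDomainName>binddnvalue</bindDomainName>
          <bindPassword>password</bindPassword> <!-- optional -->
          <loginAttributeName>cain</loginAttributeName> <!-- optional. Default is sAMAccountName -->
          <searchFilter>found</searchFilter> <!-- optional. Default is 'objectClass=*' -->
          <enabled>true</enabled> <!-- optional. Default is true -->
        </com.vmware.vshield.edge.sslvpn.dto.LdapAuthServerDto>
        <com.vmware.vshield.edge.sslvpn.dto.RadiusAuthServerDto>
          <ip>3.3.3.3</ip>
          <port>90</port> <!-- optional. Default value is 1812 -->
          <timeOut>20</timeOut> <!-- optional. Default value is 10 secs -->
          <!-- NOTE(review): shared secret; must match the RADIUS server and should not be
               reused from examples. -->
          <secret>struct9870</secret>
          <nasIp>1.1.1.9</nasIp> <!-- optional. Default value is 0.0.0.0 -->
          <retryCount>10</retryCount> <!-- optional. Default value is 3 -->
        </com.vmware.vshield.edge.sslvpn.dto.RadiusAuthServerDto>
        <com.vmware.vshield.edge.sslvpn.dto.LocalAuthServerDto>
          <!-- Only one Local auth server can be part of the authentication configuration -->
          <enabled>true</enabled>
          <passwordPolicy> <!-- optional -->
            <!-- NOTE(review): minLength 1 with minAlphabets 0 accepts near-arbitrary
                 passwords; raise these for production. -->
            <minLength>1</minLength> <!-- optional. Default value is 1 -->
            <maxLength>63</maxLength> <!-- optional. Default value is 63 -->
            <minAlphabets>0</minAlphabets> <!-- optional -->
            <minSpecialChar>1</minSpecialChar> <!-- optional -->
            <allowUserIdWithinPassword>false</allowUserIdWithinPassword> <!-- optional. Default value is false -->
            <passwordLifeTime>20</passwordLifeTime> <!-- optional. Default value is 30 days -->
            <expiryNotification>1</expiryNotification> <!-- optional. Default value is 25 days -->
          </passwordPolicy>
          <accountLockoutPolicy> <!-- optional -->
            <retryCount>3</retryCount> <!-- optional. Default value is 3 -->
            <retryDuration>3</retryDuration> <!-- optional. Default value is 2 days -->
            <lockoutDuration>3</lockoutDuration> <!-- optional. Default value is 2 days -->
          </accountLockoutPolicy>
        </com.vmware.vshield.edge.sslvpn.dto.LocalAuthServerDto>
        <!-- Only one RSA auth server can be configured. The RSA configuration file has to be
             uploaded prior to configuring the RSA auth server. RSA timeOut is optional;
             default value is 60 secs -->
        <!--
        <com.vmware.vshield.edge.sslvpn.dto.RsaAuthServerDto>
          <timeOut>20</timeOut>
          <sourceIp>1.2.2.3</sourceIp>
        </com.vmware.vshield.edge.sslvpn.dto.RsaAuthServerDto>
        -->
      </primaryAuthServers>
      <secondaryAuthServer>
        <!-- Any one of the auth server types AD, LDAP, RSA, LOCAL or RADIUS can be the
             secondary auth server -->
        <com.vmware.vshield.edge.sslvpn.dto.AdAuthServerDto>
          <ip>1.1.1.1</ip>
          <!-- optional. Default value is 389 for a normal cfg, or 636 (LDAPS) if ssl is
               enabled. NOTE(review): the guide prints 639 for the ssl default; standard
               LDAPS is 636, confirm against the product. -->
          <port>90</port>
          <timeOut>20</timeOut> <!-- optional. Default value is 10 secs -->
          <!-- NOTE(review): with enableSsl false the bind DN and bindPassword are sent to
               the domain controller in clear. -->
          <enableSsl>false</enableSsl> <!-- optional. Default is false -->
          <searchBase>searchbasevalue</searchBase>
          <bindDomainName>binddnvalue</bindDomainName>
          <bindPassword>password</bindPassword> <!-- optional -->
          <loginAttributeName>cain</loginAttributeName> <!-- optional. Default is sAMAccountName -->
          <searchFilter>found</searchFilter> <!-- optional. Default is 'objectClass=*' -->
          <terminateSessionOnAuthFails>false</terminateSessionOnAuthFails> <!-- optional. Default is false -->
          <enabled>true</enabled>
        </com.vmware.vshield.edge.sslvpn.dto.AdAuthServerDto>
      </secondaryAuthServer>
    </passwordAuthentication>
  </authenticationConfiguration>
</sslvpnConfig>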

Query SSL VPN Configuration
