GET https://<vsm-ip>/api/3.0/edges/<edgeId>/sslvpn/config/layout/
Request Body:
<?xml version="1.0" encoding="UTF-8"?>
<layout>
  <!-- Portal layout configuration. Every element is optional; the comment on each
       one gives the value applied when it is omitted. -->
  <portalTitle>Pepsi Remote Access</portalTitle> <!-- optional. Default value is VMware -->
  <companyName>pepsi, Inc.</companyName>         <!-- optional. Default value is VMware -->
  <!-- Portal colour configuration. Colours are six hex digits, written without a
       leading '#' in this sample. -->
  <logoBackgroundColor>FFFFFF</logoBackgroundColor> <!-- optional. Default value is FFFFFF -->
  <titleColor>996600</titleColor>                   <!-- optional. Default value is 996600 -->
  <topFrameColor>000000</topFrameColor>             <!-- optional. Default value is 000000 -->
  <menuBarColor>999999</menuBarColor>               <!-- optional. Default value is 999999 -->
  <rowAlternativeColor>FFFFFF</rowAlternativeColor> <!-- optional. Default value is FFFFFF -->
  <bodyColor>FFFFFF</bodyColor>                     <!-- optional. Default value is FFFFFF -->
  <rowColor>F5F5F5</rowColor>                       <!-- optional. Default value is F5F5F5 -->
</layout>
Configure Authentication Parameters
You can add an external authentication server (AD, LDAP, Radius, or RSA) which is bound to the SSL gateway.
All users in the bound authentication server will be authenticated.
Upload RSA Config File
Uploads the RSA configuration file to vShield Manager.
Example 5-126. Upload RSA config file
Request:
POST https://<vsm-ip>/api/3.0/edges/<edgeId>/sslvpn/config/auth/settings/rsaconfigfile/
Apply Authentication Configuration
Sets the authentication process for remote users. The administrator specifies whether username/password-based
authentication is enabled, together with the list and details of authentication servers such as Active Directory,
LDAP, RADIUS, etc. The administrator can also enable client-certificate-based authentication.
Example 5-127. Apply Authentication Configuration
Request:
PUT https://<vsm-ip>/api/3.0/edges/<edgeId>/sslvpn/config/auth/settings/
Request Body:
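<?xml version="1.0" encoding="UTF-8"?>
<authenticationConfig>
  <passwordAuthentication>
    <authenticationTimeout>1</authenticationTimeout> <!-- optional. Default value is 1 min -->
    <!-- Only four auth servers can be part of the authentication configuration, including the
         secondary auth server; they can be of type AD, LDAP, RADIUS, LOCAL and RSA.
         This sample already holds four (LDAP, RADIUS and LOCAL as primaries plus AD as secondary),
         so the RSA entry further down is left commented out. -->
    <primaryAuthServers>
      <com.vmware.vshield.edge.sslvpn.dto.LdapAuthServerDto>
        <ip>1.1.1.1</ip>
        <port>90</port>       <!-- optional. Default value is 639 if SSL enabled (likely a typo for 636,
                                   the standard LDAPS port; confirm) or 389 otherwise -->
        <timeOut>20</timeOut> <!-- optional. Default value is 10 secs -->
        <enableSsl>false</enableSsl> <!-- optional. Default is false. Sample value only: with SSL
                                          disabled, the bind password below crosses the network in clear
                                          text, so enable it for production deployments -->
        <searchBase>searchbasevalue</searchBase>
        <bindDomainName>binddnvalue</bindDomainName>
        <bindPassword>password</bindPassword> <!-- optional. Placeholder credential; prefer a dedicated
                                                   read-only bind account over an administrative one -->
        <loginAttributeName>cain</loginAttributeName> <!-- optional. Default is sAMAccountName -->
        <searchFilter>found</searchFilter>            <!-- optional. Default is 'objectClass=*' -->
        <enabled>true</enabled>                       <!-- optional. Default is true -->
      </com.vmware.vshield.edge.sslvpn.dto.LdapAuthServerDto>
      <com.vmware.vshield.edge.sslvpn.dto.RadiusAuthServerDto>
        <ip>3.3.3.3</ip>
        <port>90</port>             <!-- optional. Default value is 1812 -->
        <timeOut>20</timeOut>       <!-- optional. Default value is 10 secs -->
        <secret>struct9870</secret> <!-- RADIUS shared secret; placeholder value in this sample -->
        <nasIp>1.1.1.9</nasIp>      <!-- optional. Default value is 0.0.0.0 -->
        <retryCount>10</retryCount> <!-- optional. Default value is 3 -->
      </com.vmware.vshield.edge.sslvpn.dto.RadiusAuthServerDto>
      <com.vmware.vshield.edge.sslvpn.dto.LocalAuthServerDto>
        <!-- Only one Local auth server can be part of the authentication configuration -->
        <enabled>true</enabled>
        <passwordPolicy> <!-- optional. The values below are illustrative only: a maxLength of 1 combined
                              with minSpecialChar of 1 would restrict local passwords to a single
                              special character -->
          <minLength>1</minLength>           <!-- optional. Default value is 1 -->
          <maxLength>1</maxLength>           <!-- optional. Default value is 63 -->
          <minAlphabets>0</minAlphabets>     <!-- optional -->
          <minDigits>0</minDigits>           <!-- optional -->
          <minSpecialChar>1</minSpecialChar> <!-- optional -->
          <allowUserIdWithinPassword>false</allowUserIdWithinPassword> <!-- optional. Default value is false -->
          <passwordLifeTime>20</passwordLifeTime>       <!-- optional. Default value is 30 days -->
          <expiryNotification>1</expiryNotification>    <!-- optional. Default value is 25 days -->
        </passwordPolicy>
        <accountLockoutPolicy> <!-- optional -->
          <retryCount>3</retryCount>             <!-- optional. Default value is 3 -->
          <retryDuration>3</retryDuration>       <!-- optional. Default value is 2 days -->
          <lockoutDuration>3</lockoutDuration>   <!-- optional. Default value is 2 days -->
        </accountLockoutPolicy>
      </com.vmware.vshield.edge.sslvpn.dto.LocalAuthServerDto>
      <!-- Only one RSA auth server can be configured, and the RSA configuration file has to be
           uploaded (see "Upload RSA Config File") before an RSA auth server is configured.
           RSA timeOut is optional; default value is 60 secs. The entry is kept commented out here
           so that the sample stays within the four-server limit.
      <com.vmware.vshield.edge.sslvpn.dto.RsaAuthServerDto>
        <timeOut>20</timeOut>
        <sourceIp>1.2.2.3</sourceIp>
      </com.vmware.vshield.edge.sslvpn.dto.RsaAuthServerDto>
      -->
    </primaryAuthServers>
    <secondaryAuthServer>
      <!-- Any one of the auth server types AD, LDAP, RSA, LOCAL or RADIUS can be the secondary auth server -->
      <com.vmware.vshield.edge.sslvpn.dto.AdAuthServerDto>
        <ip>1.1.1.1</ip>
        <port>90</port>       <!-- optional. Default value is 639 if SSL enabled (likely a typo for 636,
                                   the standard LDAPS port; confirm) or 389 otherwise -->
        <timeOut>20</timeOut> <!-- optional. Default value is 10 secs -->
        <enableSsl>false</enableSsl> <!-- optional. Default is false. Sample value only; see the note
                                          on the LDAP primary above about clear-text bind credentials -->
        <searchBase>searchbasevalue</searchBase>
        <bindDomainName>binddnvalue</bindDomainName>
        <bindPassword>password</bindPassword> <!-- optional. Placeholder credential -->
        <loginAttributeName>cain</loginAttributeName> <!-- optional. Default is sAMAccountName -->
        <searchFilter>found</searchFilter>            <!-- optional. Default is 'objectClass=*' -->
        <terminateSessionOnAuthFails>false</terminateSessionOnAuthFails> <!-- optional. Default is false -->
        <enabled>true</enabled>
      </com.vmware.vshield.edge.sslvpn.dto.AdAuthServerDto>
    </secondaryAuthServer>
  </passwordAuthentication>
</authenticationConfig>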