
Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/76

H3C SSL VPN Configuration Examples

Keywords: SSL, VPN, HTTPS, Web, TCP, IP

Abstract: This document describes characteristics of H3C SSL VPN, details the basic configuration and

configuration procedure of H3C SSL VPN, and presents typical configuration examples.

Acronyms:

Acronym Full spelling

SSL Security Socket Layer

VPN Virtual Private Network

HTTPS Hypertext Transfer Protocol Secure

TCP Transfer Control Protocol


Table of Contents

Introduction··· 4

Feature Overview··· 4

Benefits ··· 4

Usage Guide··· 5

Application Scenarios··· 5

Role-Based Management Overview ··· 5

Configuration Procedures ··· 7

Basic Command Line Configuration for SSL VPN ··· 7

Configuration Guidelines··· 8

Supporting Devices and Versions ··· 8

Supporting Devices ··· 8

SSL VPN Configuration Examples··· 8

Network Requirements··· 8

SSL VPN Network Diagrams ··· 10

Basic Command Line Configurations··· 10

SecBlade SSL VPN Command Line Configurations ··· 10

SecPath SSL VPN Command Line Configurations··· 12

Web Service Configuration Example ··· 12

Logging In as a Super Administrator (supported by only SecBlade SSL VPN) ··· 12

Logging In to a Common Domain··· 15

Configuring Web Service Resources ··· 16

Creating a Resource Group and Adding Existing Resources to the Resource Group ··· 17

Creating a User and User Group, and Associating the Resource Group and User Group··· 18

Verifying the Web Service Configuration··· 20

TCP Service Configuration Example ··· 21

Logging In as a Super Administrator (supported by only SecBlade SSL VPN) ··· 21

Logging In to a Common Domain··· 21

Configuring TCP Service Resources··· 21

Creating a Resource Group and Adding Existing Resources to the Resource Group ··· 26

Creating a User and User Group, and Associating the Resource Group and User Group··· 27

Verifying the TCP Service Configuration··· 27

TCP Service Configuration Guidelines··· 31

IP Service Configuration Example ··· 31

Logging In as a Super Administrator (supported by only SecBlade SSL VPN) ··· 31

Logging In to a Common Domain··· 31

Configuring IP Service Resources ··· 32

Creating a Resource Group and Adding Existing Resources to the Resource Group ··· 36

Creating a User and User Group, and Associating the Resource Group and User Group··· 36


IP Service Troubleshooting ··· 39

Authentication Policy Configuration Example ··· 39

RADIUS Authentication (Shiva)··· 39

LDAP Authentication ··· 44

AD Authentication··· 47

Combination Authentication ··· 49

USB-Key Certificate Authentication··· 50

Binding the Certificate Serial Number and Username ··· 50

Security Checking and Dynamic Authorization Configuration Example ··· 52

Security Checking··· 52

Dynamic Authorization··· 54

Other Features ··· 55

Importing User Accounts in Batches ··· 55

User Interface Customization ··· 56

External Network Access Control··· 58

Guest Account ··· 60

Certificate Management ··· 62

Auto Login Using Certificate ··· 64

Auto Start of Resources (autostart)··· 65

Auto Login to Services (autohome) ··· 66

Single Sign-On ··· 68

Log Management··· 71

MPLS VPN (supported by only SecPath SSL VPN) ··· 71

SSL Offload (supported by only SecBlade SSL VPN) ··· 74

License (supported by only SecBlade SSL VPN) ··· 75

References ··· 76

Protocols and Standards··· 76


Introduction

H3C SSL VPN devices include H3C SecPath SSL VPN cards and H3C SecBlade SSL VPN cards. The configurations described in this document are supported by both types of devices unless otherwise noted. Parenthetical notes such as (supported by only SecPath SSL VPN) and (supported by only SecBlade SSL VPN), or separate section titles, mark configurations that are supported by only one type of device.

Feature Overview

The SSL protocol is mainly used to ensure privacy and reliability between two communicating applications. The whole process is implemented through the cooperation of the SSL handshake protocol, record protocol, and alert protocol.

Compared with leased lines, VPN networking is cheap and flexible. Therefore, more and more enterprises use VPN to interconnect the headquarters, mobile employees, branch offices, and partners over public networks such as the Internet.

SSL VPN is an emerging VPN technology. It establishes VPN networks over connections encrypted by SSL. SSL VPN secures traffic at the application level and works above the transport layer. It provides a secured connection between applications and is mainly applied to remote Web access. The SSL VPN system implements granular access control of network resources. It supports three resource access methods: Web access, TCP access, and IP access. The SSL VPN system uses role-based management of access rights, that is, it limits the resources that a login user can access based on the role of the user. Besides, it also uses security policies to check the security status of the access PCs, assigning access rights to users dynamically according to the security checking results. The SSL VPN gateway supports Web-based management. Administrators can configure and manage the SSL VPN system through Web browsers.

H3C SSL VPN devices are new generation, professional, enterprise-level SSL VPN devices, which can provide secure and convenient remote access services for mobile users of enterprises. An H3C SSL VPN device can be used as the ingress gateway of an enterprise, or the proxy gateway of the internal server group. SecPath SSL VPN is designed for small and medium sized enterprises, and SecBlade SSL VPN is for medium and large sized enterprises.

Benefits

Compared with conventional VPN, SSL VPN features high security and more granular control of security. Requiring no user configuration and no client installation, it is simple to deploy and very easy to use.


Usage Guide

Application Scenarios

With the popularity of the Internet, home office and mobile office work is increasing, pushing applications from the C/S structure to the B/S structure based on Web services. Employees, customers, and partners of an enterprise need to access the internal resources securely and conveniently from outside the enterprise. SSL VPN meets this requirement.

Role-Based Management Overview

The H3C SSL VPN system limits the resources that a login user can access based on the role of the user. It defines three roles:

• Super administrator: Managers of the entire system. A super administrator can create domains, initialize the administrator passwords of domains, assign resource groups to domains, and specify whether a domain administrator can create new resources. (supported by only SecBlade SSL VPN)

• Domain administrator: Managers of SSL VPN domains. A domain administrator can create and delete local users, user groups, resources, resource groups, and security policies for the domain, controlling the access rights of users in the domain.

• SSL VPN user: Users accessing network resources through the SSL VPN system. An SSL VPN user must pass authentication to log in to the SSL VPN system. After passing the authentication, an SSL VPN user can access the SSL VPN gateway, and the SSL VPN system will assign the user access rights based on the security status of the user and the user group to which the user belongs.

Before configuration, you need to understand the relationship of the roles, as well as the relationship of local users, user groups, resources, and resource groups, as shown below:

Figure 1 Relation diagram (super administrator; domain A, B, ... N administrators; users and user groups; resources and resource groups)

By default, there is a root domain on the device. All users in the root domain are super administrators. A super administrator can create domains and resources, add resources to resource groups, assign resources to a domain, and specify whether a domain administrator can create new resources. (Supported by only SecBlade SSL VPN)

Domain administrators create and maintain resources, resource groups, local users, and user groups of their own domains. A resource/user can belong to multiple resource groups/user groups, and a resource group/user group can hold multiple resources/users. By associating resource groups with user groups, you can specify which user groups can access which resource groups. One resource group can be assigned to multiple user groups and one user group can contain multiple resource groups.
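The association rules above, as an added example that is not H3C code: users belong to user groups, user groups are associated with resource groups, and a user's effective resources are the union over every group the user is in. The domain, resource and group names are the ones used later in this document; the memberships are constructed for illustration.

```python
"""Role-based access model of one SSL VPN domain (added example, not H3C code).

Users belong to user groups, user groups are associated with resource groups,
and resource groups hold resources. Both relations are many-to-many, so the
effective resource set of a user is the union over every group the user is in.
Names and memberships below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    resource_groups: dict = field(default_factory=dict)  # resource group -> {resource}
    user_groups: dict = field(default_factory=dict)      # user group -> {user}
    assignments: dict = field(default_factory=dict)      # user group -> {resource group}

    def add_resource(self, group: str, resource: str) -> None:
        self.resource_groups.setdefault(group, set()).add(resource)

    def add_user(self, group: str, user: str) -> None:
        self.user_groups.setdefault(group, set()).add(user)

    def assign(self, user_group: str, resource_group: str) -> None:
        # Refuse dangling names: a typo here would either grant nothing or be
        # filled in later by an unrelated group that happens to get that name.
        if user_group not in self.user_groups:
            raise KeyError(f"unknown user group {user_group!r}")
        if resource_group not in self.resource_groups:
            raise KeyError(f"unknown resource group {resource_group!r}")
        self.assignments.setdefault(user_group, set()).add(resource_group)

    def groups_of(self, user: str) -> set:
        return {g for g, members in self.user_groups.items() if user in members}

    def effective_resources(self, user: str) -> set:
        """Every resource reachable through any user group the user belongs to."""
        reachable = set()
        for ug in self.groups_of(user):
            for rg in self.assignments.get(ug, ()):
                reachable |= self.resource_groups[rg]
        return reachable

    def is_domain_admin(self, user: str) -> bool:
        # Members of the administrators group are the administrators of the domain.
        return user in self.user_groups.get("administrators", set())


def build_example_domain() -> Domain:
    """Domain h3c with the resource and group names used in this document."""
    d = Domain("h3c")
    d.add_resource("Web", "tech")
    d.add_resource("TCP", "telnet110")
    d.add_resource("TCP", "remote_desktop")
    d.add_resource("IP", "h3c-security")
    d.add_user("usergroup", "svpn")
    d.add_user("administrators", "administrator")
    d.assign("usergroup", "Web")
    d.assign("usergroup", "TCP")
    d.assign("administrators", "IP")
    return d


if __name__ == "__main__":
    dom = build_example_domain()
    for user in ("svpn", "administrator", "guest"):
        print(user, sorted(dom.effective_resources(user)))
```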

• Root domain and super administrator are supported by only SecBlade SSL VPN. SecPath SSL VPN supports only one domain.

• SecBlade SSL VPN supports multiple domains. Besides the default root domain, the maximum number of common domains allowed to be created depends on the device model.

• At present, SecBlade SSL VPN devices have three models, applicable to S7500E/S9500 switches and SR6600 routers. The difference is that the SSL VPN card for S7500E switches uses four GE interfaces to communicate with the S7500E backplane, while that for S9500/SR6600 uses one 10-GE interface to communicate with the S9500/SR6600 backplane. Software functions of the two models have no differences. The following SecBlade SSL VPN related sections all take the SSL VPN card for S7500E as an example.

Configuration Procedures

Perform the following configurations to configure SSL VPN:

• Basic command line configuration

• Super administrator interface configuration (supported by only SecBlade SSL VPN)

• Domain administrator interface configuration

• Common user interface configuration

The last three configurations are Web configurations, which are illustrated later by examples directly.

Basic Command Line Configuration for SSL VPN

You can perform basic SSL VPN configurations through command line interface (CLI), including enabling the Web server and SSL VPN service. By default, the system will enable the Web server and SSL VPN service, without the need of manual start through command lines.

Perform the following configurations on the device:

• Enable the Web server

Configuration Guidelines

Figure 2 Configuration management

• After performing configurations on the Web interface, you need to save the configuration file. Otherwise, the configurations will be lost after device reboot.

• You can save the current configuration to the configuration file and backup file.

• To replace the configuration file with the backup file, click Restore.

• To make the new configuration file take effect, click Restart.

Supporting Devices and Versions

Supporting Devices

SecBlade:

SecBlade for S7500E, SecBlade for S9500, SecBlade for SR6600

SecPath:

Devices with a built-in encryption card: SecPath V100-E

Devices that need an external encryption card: SecPath A, SecPath A-SI, SecPath F100-E, SecPath F100-M, SecPath F1000-A, SecPath V1000-A, SecPath F1000-S

SSL VPN Configuration Examples

Network Requirements

Two-arm mode: The SSL VPN gateway acts as an ingress gateway between the internal network and the external network, providing complete protection for the internal network. In this case, however, the gateway is on the critical path of communication, and its performance and reliability greatly affect the data transfer between the internal and external networks.

Figure 3 Dual-arm networking of SSL VPN (authentication servers, CA server and log server on the intranet LAN; SSL VPN gateway between the intranet and the Internet; mobile user and desktop PC user on the IP network)

One-arm mode: The SSL VPN gateway acts as a proxy gateway for the communication between the remote host and the internal network. In this case, the SSL VPN gateway is not at the key path for communication, and therefore will not result in single point failures.

Figure 4 One-arm networking of SSL VPN (authentication servers, CA server and log server on the intranet LAN; SSL VPN gateway attached beside the intranet; mobile user and desktop PC user on the IP network)

SSL VPN Network Diagrams

Figure 5 Network diagram for SecBlade SSL VPN in one-arm mode

Figure 6 Network diagram for SecPath SSL VPN in two-arm mode

Basic Command Line Configurations

SecBlade SSL VPN Command Line Configurations

Basic configuration on an S7500E switch

[S7503E]vlan 100 //*Refer to Figure 5 for port related configuration*//
[S7503E-vlan100]port GigabitEthernet 3/0/1
[S7503E-vlan100]port GigabitEthernet 4/0/1
[S7503E-vlan100]quit
[S7503E]interface vlan 100
[S7503E-Vlan-interface100]ip address 172.1.1.3 24
[S7503E-Vlan-interface100]quit
[S7503E]vlan 200
[S7503E-vlan200]port GigabitEthernet 4/0/13
[S7503E-vlan200]quit
[S7503E]interface vlan 200
[S7503E-Vlan-interface200]ip address 172.2.1.1 24
[S7503E-Vlan-interface200]quit
[S7503E]ip route-static 10.5.1.0 24 172.1.1.2 //*Configure a static route to the virtual address segment, with the next hop being the SSL VPN card. This forwards data coming from the internal network.*//
[S7503E]ip route-static 0.0.0.0 0 172.1.1.1 //*Configure a route to the public network*//
[S7503E]ip route-static 192.168.0.0 16 172.2.1.2
[S7503E]ip route-static 10.0.0.0 8 172.2.1.2
[S7503E]interface GigabitEthernet 3/0/1
[S7503E-GigabitEthernet3/0/1]speed 1000
[S7503E-GigabitEthernet3/0/1]duplex full //*Configure the interface communicating with the backplane to work in forced mode, and make sure the port is up.*//
[S7503E-GigabitEthernet3/0/1]quit

Basic configuration on the SSL VPN card

[H3C]interface GigabitEthernet 0/0/0
[H3C-GigabitEthernet0/0/0]ip address 172.1.1.2 24
[H3C-GigabitEthernet0/0/0]quit
[H3C]ip route-static 0.0.0.0 0 172.1.1.3
[H3C]ntp-service unicast-server 172.1.1.3 //*Specify the NTP server. The SSL VPN card has no local clock and the device time defaults to the year 2000. Without this configuration, the certificate will expire.*//

Routing configuration on the NAT-IN node

[H3C]ip route-static 10.5.1.0 24 172.2.1.1 //*Configure a route to the virtual network segment.*//
[H3C]ip route-static 172.1.1.0 24 172.2.1.1

Service configuration on the SSL VPN card

By default, the system will enable the Web server and SSL VPN service. In this case, you do not need to execute the following commands.

[H3C] svpn service enable //*Enable the SSL VPN service*//
[H3C] Web server enable //*Enable the Web server*//

• At present, SecBlade SSL VPN cards are applicable to S7500E/S9500 switches and SR6600 routers, which are normally in the internal network. Therefore, one-arm mode is used.

• In a practical network, if there is no NAT-IN node, you need to perform route configurations on each internal network node, ensuring that the virtual network segment, 10.5.1.0/24 in the example, is reachable.

• Because the configuration above uses only one GE interface of the SecBlade SSL VPN for S7500E, and the SecBlade SSL VPN for S9500/SR6600 has only one 10-GE interface, the same configuration also applies to the SecBlade SSL VPN for S9500/SR6600.
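A forwarding check for the one-arm topology above, as an added example that is not H3C code: each node carries the static and connected routes from the CLI configuration, a longest-prefix lookup picks the next hop, and a trace follows return traffic from the internal network to a virtual client address. It assumes that the SSL VPN card terminates the virtual segment 10.5.1.0/24 itself, that the NAT-IN node has 10.0.0.0/8 and 192.168.0.0/16 directly attached, and it does not model the upstream router 172.1.1.1.

```python
"""Forwarding check for the one-arm SecBlade topology (added example, not H3C code).

Each node holds the routes from the CLI configuration; lookup() does a
longest-prefix match and trace() follows a destination across nodes until it
is delivered, dropped, or loops. Assumptions: the SSL VPN card terminates
10.5.1.0/24 itself, NAT-IN has 10.0.0.0/8 and 192.168.0.0/16 attached, and the
upstream router 172.1.1.1 is not modelled.
"""
import ipaddress


class Node:
    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        # routes: (prefix, next hop); next hop None means connected/local delivery
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(nh) if nh else None)
                       for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop) or None."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def trace(nodes, start, dst, max_hops=8):
    """Return (list of node names visited, outcome string)."""
    dst = ipaddress.ip_address(dst)
    path = [start]
    cur = nodes[start]
    for _ in range(max_hops):
        hit = cur.lookup(dst)
        if hit is None:
            return path, "no route"
        net, nh = hit
        if nh is None:
            return path, "delivered"
        nxt = next((n for n in nodes.values() if nh in n.addresses), None)
        if nxt is None:
            return path, f"next hop {nh} not modelled"
        path.append(nxt.name)
        if path.count(nxt.name) > 1:
            return path, "loop"
        cur = nxt
    return path, "hop limit"


def build_topology(with_virtual_route=True):
    """Nodes and routes from the SecBlade CLI example. The flag drops the
    10.5.1.0/24 static route on the switch to show why it is required."""
    switch_routes = [
        ("172.1.1.0/24", None), ("172.2.1.0/24", None),
        ("0.0.0.0/0", "172.1.1.1"),
        ("192.168.0.0/16", "172.2.1.2"), ("10.0.0.0/8", "172.2.1.2"),
    ]
    if with_virtual_route:
        switch_routes.append(("10.5.1.0/24", "172.1.1.2"))
    return {
        "S7503E": Node("S7503E", ["172.1.1.3", "172.2.1.1"], switch_routes),
        "SSLVPN": Node("SSLVPN", ["172.1.1.2"],
                       [("172.1.1.0/24", None), ("10.5.1.0/24", None),
                        ("0.0.0.0/0", "172.1.1.3")]),
        "NAT-IN": Node("NAT-IN", ["172.2.1.2"],
                       [("172.2.1.0/24", None), ("10.0.0.0/8", None),
                        ("192.168.0.0/16", None),
                        ("10.5.1.0/24", "172.2.1.1"), ("172.1.1.0/24", "172.2.1.1")]),
    }


if __name__ == "__main__":
    # Return traffic from an internal server to a virtual client address
    print(trace(build_topology(True), "NAT-IN", "10.5.1.20"))
    # Same packet when the switch lacks the route to the virtual segment:
    # 10.0.0.0/8 sends it back to NAT-IN and the two nodes ping-pong.
    print(trace(build_topology(False), "NAT-IN", "10.5.1.20"))
```

Without the 10.5.1.0/24 route on the switch, the more general 10.0.0.0/8 route wins and the packet bounces between the switch and NAT-IN, which is exactly the case the second guideline above warns about.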

SecPath SSL VPN Command Line Configurations

Basic configurations

[H3C] interface Ethernet0/0
[H3C-Ethernet0/0] ip address 192.168.96.22 255.255.255.0
[H3C-Ethernet0/0] quit
[H3C] interface Ethernet0/1
[H3C-Ethernet0/1] ip address 155.1.1.1 255.0.0.0
[H3C-Ethernet0/1] quit
[H3C] ip route-static 0.0.0.0 0 155.1.1.1 preference 60

SSL VPN related configurations

By default, the system will enable the Web server and SSL VPN service. In this case, you do not need to execute the following commands.

[H3C] svpn service enable //*Enable the SSL VPN service*//
[H3C] Web server enable //*Enable the Web server*//

Web Service Configuration Example

Logging In as a Super Administrator (supported by only SecBlade SSL VPN)

1) In the address bar of a browser, enter the address of the SSL VPN gateway port that connects to the external network, that is, https://155.1.1.1:444, to open the SSL VPN login page. The certificate authentication dialog box (Security Alert) appears. Click Yes.

Figure 7 Security Alert dialog box (click Yes)

Use the default super administrator account administrator to log in to the SSL VPN system with the local authentication method: type administrator as the username, type administrator as the password, select Super administrator as the identity, and then click Login, as shown in Figure 8.

Figure 8 SSL VPN login page

2) Create domain h3c, and specify the initial password of the domain administrator.

Select Domain from the navigation tree to enter the domain policy configuration page. To create a domain, click Add. To modify an existing domain, select the domain and click Configure.


Figure 9 Create a domain

Create domain h3c. The domain administrator named administrator is generated by default. You need to specify the default administrator password, for example, 123456. You can also specify the timeout time and the maximum number of online users for domain h3c, 30 minutes and 100 respectively in this example. You can assign the existing resource groups to domain h3c, and specify whether the administrator of domain h3c is allowed to add resources.

3) After you finish your configuration, you need to save the configuration file. Otherwise, your configuration will be lost after the device reboots.


Logging In to a Common Domain

All following configurations in this configuration example are performed in a common domain. After you log in as the administrator of the domain and finish configurations, you need to save the configuration file. Otherwise, the configuration will be lost after the device reboots.

Logging in to the common domain of SecBlade SSL VPN

The same as the super administrator login, use the default administrator account to log in to SSL VPN domain h3c with the local authentication method. Type administrator as the username and 123456 (specified when the domain was created) as the password, select Administrator as the identity, and then click Login.

Figure 11 Domain administrator login

In a domain, users that belong to the administrators group are administrators of the domain. A domain administrator is also a common user. If you are a domain administrator but log in as a common user, you enter the common user interface. In the common user interface, the resources that you can access are confined to the resources assigned to the administrators group.

Logging in to the common domain of SecPath SSL VPN

Enter https://155.1.1.1/admin in the address bar to open the login page. Type the default administrator account, with both the username and password being administrator, and then click


Figure 12 Domain administrator login page

Configuring Web Service Resources

A Web page is a service provided by a remote Web server. The Web proxy function of SSL VPN provides a secure connection mode for users to access Web servers, and it prevents unauthorized users from accessing the protected Web servers.

Select Resource > Web Site from the navigation tree to enter the Web proxy management page. Click Add to create a new Web proxy server resource.

• You can specify an IP address or domain name for the website name. If you specify a domain name, you need to configure the DNS server correctly in the CLI.

• The site matching supports fuzzy match. In this example, you can specify tech.* for fuzzy match, ensuring that all pages on a website are reachable. More specifically, to allow access to sports.sina.com.cn, news.sina.com.cn and other sina Web pages, for example, you can specify *.sina.com.cn in the Site Matching Pattern field. You can specify multiple match keywords, separating them by vertical bars (|).

• After you add the Web proxy server resources, the Web proxy server list appears.
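Site matching as an added example (not H3C code, and the document does not spell out the device's exact matching rules): it assumes the pattern is applied to the host name of the requested URL, that * is the only wildcard and that keywords are separated by |, and it adds a review function that flags patterns broader than a single site, the check a domain administrator would want before publishing a Web proxy resource.

```python
"""Host matching for the Site Matching Pattern field (added example, not H3C code).

Assumptions: the pattern is applied to the host name of the requested URL,
'*' is the only wildcard, and keywords are separated by '|'. The match is
anchored at both ends and case-insensitive, so '*.sina.com.cn' cannot be
satisfied by a host that merely contains that string somewhere in the middle.
"""
import re


def split_keywords(pattern):
    return [k.strip().lower() for k in pattern.split("|") if k.strip()]


def compile_site_pattern(pattern):
    """Build one anchored regex from all keywords; a pattern with no keywords
    matches nothing rather than everything."""
    alternatives = [".*".join(re.escape(part) for part in kw.split("*"))
                    for kw in split_keywords(pattern)]
    if not alternatives:
        return re.compile(r"(?!)")
    return re.compile(r"^(?:" + "|".join(alternatives) + r")$")


def site_allowed(pattern, host):
    return compile_site_pattern(pattern).match(host.strip().lower()) is not None


def review_site_pattern(pattern):
    """Warn about keywords that grant more than a site: a bare '*' and a
    wildcard that is not separated from literal text by a dot (tech* also
    matches technology.example, while tech.* and *.sina.com.cn stay on a
    label boundary)."""
    warnings = []
    for kw in split_keywords(pattern):
        if kw == "*":
            warnings.append(f"{kw!r}: matches every site")
            continue
        for i, ch in enumerate(kw):
            if ch != "*":
                continue
            touches_label = (i > 0 and kw[i - 1] != ".") or \
                            (i + 1 < len(kw) and kw[i + 1] != ".")
            if touches_label:
                warnings.append(f"{kw!r}: wildcard inside a label matches unrelated host names")
                break
    return warnings


if __name__ == "__main__":
    pattern = "*.sina.com.cn|tech.*"
    for host in ("news.sina.com.cn", "sina.com.cn", "news.sina.com.cn.evil.example"):
        print(host, site_allowed(pattern, host))
    print(review_site_pattern("tech*|*"))
```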

Figure 14 Web proxy server list

Creating a Resource Group and Adding Existing Resources to the Resource Group

Select Resources > Resource Group from the navigation tree to enter the resource group management page. Click Add to create a new resource group.

Type the resource group name as Web and add the existing resource tech to the resource group Web. Click Apply.


Creating a User and User Group, and Associating the Resource Group and User Group

Select User > Local User from the navigation tree to enter the local user list page. Click Add to create a user.

Figure 16 Add a local user

After you create the user successfully, the local user list page appears again, as shown in the following figure:


Figure 17 User list

Select User > User Group from the navigation tree to enter the user group management page. Click Add to create a new user group.

• Type the user group name usergroup.

• Add user svpn to the user group.

• Assign resource group Web to user group usergroup. Click Apply.

After the above configuration, user svpn in group usergroup can access all resources in resource group Web.

Verifying the Web Service Configuration

1) Logging in as a common user

Enter https://155.1.1.1 in the address bar to open the user login page. Type username svpn and the corresponding password. Click Login.

Figure 19 Available Web resources

2) A remote user can access the Web proxy service successfully.

For example, you can successfully access the tech resource by clicking the website link tech; the URL is rewritten as https://155.1.1.1/sslvpn/proxy/1275152384/.


Figure 20 Access a web resource through Web proxy

TCP Service Configuration Example

Logging In as a Super Administrator (supported by only SecBlade SSL VPN)

Refer to Logging In as a Super Administrator (supported by only SecBlade SSL VPN).

Logging In to a Common Domain

Refer to Logging In to a Common Domain.

Configuring TCP Service Resources

Telnet service

Telnet traffic is sent in plaintext over the Internet. SSL VPN uses SSL encryption to protect the Telnet session data, ensuring the security of the data transfer.

Select Resource > TCP Application from the navigation tree. The Telnet resource list page appears. Click Add to create a remote access service resource.


Figure 21 Add a Telnet service resource

The format of the command line configuration is telnet local host, where local host must be the same as the value in the Local Host text box. The local host specifies where the client listens locally. It can be a loopback address in the range of 127.0.0.2 to 127.0.0.254, or a host name if the hosts file on the client can be modified.
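A validation pass over TCP resource definitions, as an added example that is not H3C code: it enforces the loopback range and host-name rule above, checks that a command line such as telnet local host points at exactly the Local Host value, and flags two resources that would listen on the same local host and port. The field names (local_host, local_port, command) and the duplicate-listener check are assumptions, not H3C's schema.

```python
"""Checks for TCP application resource definitions (added example, not H3C code).

The local host must be a loopback address in 127.0.0.2-127.0.0.254, or a host
name when the client's hosts file can be edited, and a command line such as
'telnet <local host>' must reference exactly that value. Field names
(local_host, local_port, command) and the duplicate-listener check are
assumptions, not H3C's schema.
"""
import ipaddress
import re

LOOPBACK_LOW = ipaddress.ip_address("127.0.0.2")
LOOPBACK_HIGH = ipaddress.ip_address("127.0.0.254")
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def check_local_host(local_host, hosts_file_editable):
    """Return a list of problems (empty when the value is acceptable)."""
    try:
        ip = ipaddress.ip_address(local_host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.version == 4 and LOOPBACK_LOW <= ip <= LOOPBACK_HIGH:
            return []
        # 127.0.0.1 is the real loopback already in use; any non-loopback
        # address would make the client listen on a reachable interface.
        return [f"{local_host}: local host must be in 127.0.0.2-127.0.0.254"]
    if not hosts_file_editable:
        return [f"{local_host}: host names need an editable hosts file on the client"]
    if not HOSTNAME_RE.match(local_host):
        return [f"{local_host}: not a valid host name"]
    return []


def check_tcp_resource(resource, hosts_file_editable=True):
    """Validate one resource: local host rule plus command/local-host agreement."""
    problems = check_local_host(resource["local_host"], hosts_file_editable)
    command = resource.get("command")
    if command:
        parts = command.split()
        if len(parts) < 2 or parts[1] != resource["local_host"]:
            problems.append(f"command must reference the Local Host value {resource['local_host']}")
    return problems


def check_tcp_resources(resources, hosts_file_editable=True):
    """Check every resource and flag two resources that share a local host and
    port, which cannot both be started on the client."""
    problems = []
    seen = {}
    for r in resources:
        problems += [f"{r['name']}: {p}" for p in check_tcp_resource(r, hosts_file_editable)]
        key = (r["local_host"], r["local_port"])
        if key in seen:
            problems.append(f"{r['name']}: duplicate listener {key[0]}:{key[1]} (also {seen[key]})")
        else:
            seen[key] = r["name"]
    return problems


if __name__ == "__main__":
    # Constructed definitions; the page names the resource but not its fields.
    sample = [
        {"name": "telnet110", "local_host": "127.0.0.110", "local_port": 23, "command": "telnet 127.0.0.110"},
        {"name": "bad", "local_host": "127.0.0.1", "local_port": 23, "command": "telnet 127.0.0.5"},
    ]
    for line in check_tcp_resources(sample):
        print(line)
```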

After you create a TCP resource successfully, the Telnet resource list appears again.

Figure 22 Telnet service resource list

Windows desktop sharing

Select Resource > TCP Application from the navigation tree. Click the Desktop Sharing tab to enter the desktop sharing resource list page. Click Add to create a desktop sharing resource.


Figure 23 Create a Windows desktop sharing resource

After you create the resource successfully, the desktop sharing resource list page appears again.

Figure 24 Windows desktop sharing resource list

Outlook mail service

Select Resource > TCP Application from the navigation tree. Click the Mail tab to enter the mail service resource list page. Click Add to create a new outlook mail service resource.


Figure 25 Create an outlook mail service resource

After you create the resource successfully, the outlook mail service resource list page appears again.

Figure 26 Outlook mail service resource list

Notes mail service

Select Resource > TCP Application from the navigation tree. Click the Notes tab to enter the Notes mail service resource list page. Click Add to create a Notes mail service resource. You must specify the real IP address or domain name of the database for Local Address.


Figure 27 Add a notes mail service resource

After you create the resource successfully, the Notes mail service resource list page appears again.

Figure 28 Notes mail service resource list

General application service

Select Resource > TCP Application from the navigation tree. Click the TCP Service tab to enter the general application service resource list page. Click Add to create a general application service resource.


Figure 29 Create a general application service

After the service is created successfully, the general service resource list appears again.

Figure 30 General application service resource list

Creating a Resource Group and Adding Existing Resources to the Resource Group

Figure 31 Create a TCP resource group

Creating a User and User Group, and Associating the Resource Group and User Group

Refer to Creating a User and User Group, and Associating the Resource Group and User Group.

Verifying the TCP Service Configuration

1) Log in as common user svpn. The TCP client is enabled by default. You can view the port listening information by clicking Information.


Figure 32 TCP access status

Figure 33 TCP port listening


Figure 34 Available TCP application resources

3) Click TCP application resource telnet110 to telnet to the remote device.

Figure 35 Telnet access

4) Click TCP application resource remote_desktop to log in to the remote host.

5) To use TCP application resource POP3 or SMTP, you need to configure the correct POP3 and SMTP server addresses (the local host names of the resources) in the Outlook client configuration interface. Then you can log in with the correct username and password to process mail.

Figure 37 Outlook mail server configuration


Figure 38 HTTP access

TCP Service Configuration Guidelines

• When configuring a TCP resource, you can leave the command line empty. If you specify a command, make sure that the command can be recognized by the operating system.

• To access mail, Outlook must be configured properly on the client. Besides, because mail services use the SMTP and POP3 ports, you need to create two corresponding resources.

IP Service Configuration Example

Logging In as a Super Administrator (supported by only SecBlade SSL VPN)

Refer to Logging In as a Super Administrator (supported by only SecBlade SSL VPN).

Logging In to a Common Domain


Configuring IP Service Resources

The SSL VPN network service access allows users to access all applications above the IP layer. Users do not need to know the application types and configurations. After they log in to the SSL VPN system, the ActiveX SSL VPN client will be automatically downloaded and started, and then the users can access all services of certain hosts securely. The communication security between a user and a server is guaranteed by SSL VPN.

Global configuration

Select Resources > IP Network from the navigation tree. Select the Global Configuration tab to enter the global configuration page.

SecBlade SSL VPN:

Figure 39 Global configuration for IP service resources

• The start IP and end IP together specify the virtual address segment from which the device assigns an address to a user after the user logs in.

• The gateway IP address is the default gateway for the client to access the specified network resources.

• Configuration items in the Configure IP Address Pool area are required, while those in Configure


• Heartbeat Interval: Interval at which the IP client sends heartbeat packets to the gateway.

• Client Reachable: Specifies whether different login users can communicate with each other through IP access.

• WINS Server/DNS Server: WINS server address and DNS server address to be assigned by the gateway to user network adapters.

• Access VPN only: Specifies whether a login user can access the Internet in addition to the VPN.

• IP Networks Display Mode: Selects whether the description information or the IP addresses of the IP resources are displayed to login users.

SecPath SSL VPN:

Figure 40 Global configuration for IP service resources

• The start IP and end IP together specify the virtual address segment from which the device assigns an address to a user after the user logs in.

• The gateway IP address is the default gateway for the client to access the specified network resources.


• Internal interfaces are interfaces on the gateway that connect to the internal networks. After you specify an internal interface and enable NAT, the system automatically configures NAT on the internal interface, and no return routes need to be configured on other devices in the internal network.

• Configuration items in the Configure IP Address Pool area and the Configure Internal Interface area are required, while those in the Configure Basic Parameters area are optional.

• Heartbeat Interval: Interval at which the IP client sends heartbeat packets to the gateway.

• Client Reachable: Specifies whether different login users can communicate with each other through IP access.

• WINS Server/DNS Server: WINS server address and DNS server address to be assigned by the gateway to user network adapters.

• Access VPN only: Specifies whether a login user can access the Internet in addition to the VPN.

• IP Networks Display Mode: Selects whether the description information or the IP addresses of the IP resources are displayed to login users.

User-IP Binding

Select Resources > IP Network from the navigation tree. Select the IP Binding tab to enter the user-IP binding configuration page.

Figure 41 User-IP binding configuration (SecBlade)

After you bind a fixed IP address to a user, the system directly assigns the bound IP address to the user after the user logs in, instead of assigning an IP address from the address pool to the user's virtual network adapter.
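The address pool and user-IP binding behaviour described above, as an added example that is not H3C code: a user with a bound address receives it directly, everyone else receives the first free address between the start IP and the end IP. Reserving bound addresses and the gateway address inside the pool so that they are never handed to another user is an added safety check, not something the document states the device does; the pool range and bindings are constructed.

```python
"""Virtual address assignment with user-IP binding (added example, not H3C code).

A user with a bound address gets that address directly; everyone else gets the
first free address between the start and end IP. Bound addresses and the
gateway address are reserved so the pool never hands them to another user;
that reservation is an added check, not a documented device behaviour.
"""
import ipaddress


class VirtualAddressPool:
    def __init__(self, start_ip, end_ip, gateway_ip, bindings=None):
        self.start = ipaddress.ip_address(start_ip)
        self.end = ipaddress.ip_address(end_ip)
        if self.end < self.start:
            raise ValueError("end IP precedes start IP")
        self.gateway = ipaddress.ip_address(gateway_ip)
        # user -> fixed address from the User-IP Binding page
        self.bindings = {u: ipaddress.ip_address(a) for u, a in (bindings or {}).items()}
        self.leases = {}  # user -> address currently assigned

    def _reserved(self):
        return set(self.bindings.values()) | set(self.leases.values()) | {self.gateway}

    def assign(self, user):
        """Return the address for user, allocating one on first login."""
        if user in self.leases:
            return self.leases[user]
        if user in self.bindings:
            addr = self.bindings[user]
            if addr in self.leases.values():
                raise RuntimeError(f"bound address {addr} already in use")
            self.leases[user] = addr
            return addr
        reserved = self._reserved()
        addr = self.start
        while addr <= self.end:
            if addr not in reserved:
                self.leases[user] = addr
                return addr
            addr += 1
        raise RuntimeError("virtual address pool exhausted")

    def release(self, user):
        """Free the address when the user logs out."""
        self.leases.pop(user, None)


if __name__ == "__main__":
    # Constructed pool inside the 10.5.1.0/24 virtual segment used in this document
    pool = VirtualAddressPool("10.5.1.2", "10.5.1.6", "10.5.1.1", {"svpn": "10.5.1.3"})
    for user in ("alice", "svpn", "bob"):
        print(user, pool.assign(user))
```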

Host Configuration

Select Resources > IP Network from the navigation tree. Select the Host Configuration tab to enter the host configuration page. Click Add, type the resource name, configure the accessible network service and shortcut, and then click Apply to add a host resource.


Figure 44 Shortcut configuration

After configuring the Accessible Network Service and Shortcut in the editing area, you need to click Add. In IP networks, you can configure shortcut accesses for various services, such as ping, ftp, and file sharing.

Creating a Resource Group and Add Existing Resources to the Resource Group

Figure 45 Add IP resources to a resource group

Creating a User and User Group, and Associating the Resource Group and User Group

Verifying the IP Service Configuration

1) Log in as the common user svpn. The IP client is enabled by default. You can view the client data to check the IP service start information.

Figure 46 IP client status

2) You can view all the available IP network resources.

3) Click the shortcut command ping h3c-security to ping the remote network.

Figure 48 Shortcut for ping access

4) Click the shortcut command ftp h3c-security to access the FTP service on the remote network.

Figure 49 Shortcut for FTP access

5) Check whether the virtual network adapter has obtained an IP address and whether a route to the resource has been added on the PC.

Figure 51 Routing information on the PC

IP Service Troubleshooting

1) Using a shortcut command has the same effect as typing the command in the Windows CLI.

2) Because the Windows system treats \ as an escape character, \\ in a shortcut means a single \ in the CLI. For example, the file sharing shortcut explorer \\\\10.154.2.100 is equivalent to explorer \\10.154.2.100 in the CLI. explorer means that the client opens the internal resource with its default browser; for example, explorer ftp://10.154.2.100 opens the FTP service in the default browser.

3) After the client has obtained an IP address for the virtual network adapter and a route to the resource, you still need to configure NAT on the internal interface or configure a route on the resource server to be accessed, with the route's destination being the virtual network segment 10.5.1.0/24; otherwise return traffic from the server cannot reach the client.

Authentication Policy Configuration Example

RADIUS Authentication (Shiva)

Feature overview

Use the RADIUS system to perform authentication and accounting for remote users of SSL VPN.

Configuration procedure

1) Configuration prerequisites: This configuration example introduces only the SSL VPN configurations related to RADIUS authentication. Before performing them, make sure the basic SSL VPN configurations, such as the CLI configuration, domain configuration, and resources, are completed successfully.

2) Log in as the domain administrator. Select Domain > Authentication Policy from the navigation tree, and then select the RADIUS Authentication tab.


Figure 52 RADIUS authentication configuration page

Note that:

• The primary and secondary server addresses, authentication ports, and shared key must be consistent with those configured on the authentication servers.

• Select Enable Authentication, and select active for the authentication server status. The certificate policy is optional: you can select Password or Password + Certificate. If you select the latter, the system authenticates both the user password and the client certificate.

• The accounting function is optional. The accounting server address is the same as the authentication server address, and the accounting key is the same as the authentication key. The accounting port must be consistent with the port configured on the accounting server. Select active for the accounting server status.

Server configuration

In this configuration, Shiva Access Manager (trial version in this example) is used as the RADIUS server.

1) Install Shiva Access Manager.

2) In the installation directory c:\radtac\, find file AVDICT.DAT and add an SSL-VPN-GROUP attribute to the file, that is, the line (ATTRIBUTE SSL-VPN-GROUP 140 string Huawei), or overwrite the existing file with AVDICT[1].TXT.

3) Configure Shiva Access Manager.

Open Shiva Access Manager and type username supermanager. No password is needed.

Configure the NAS address as the SSL VPN gateway address 192.168.96.22, and the encryption key as 123456.

Add a user, with the username usera and password 123456.

Configure RADIUS attributes for the user.

Primary configurations:

• Select user usera.

• Insert a row in the Attribute configured for user column.

• Select attribute SSL-VPN-GROUP from the attribute list.

• Specify usergroup as the attribute value, which must be consistent with the user group configured on the SSL VPN gateway. To specify multiple user groups, separate them with semicolons.

• Click Commit Change.

Verifying the RADIUS authentication configuration

When the default authentication policy of the domain is RADIUS, users can log in with the account usera directly, without providing the full username such as [email protected] (SecBlade SSL VPN) or selecting RADIUS from the type drop-down list (SecPath SSL VPN). This is true for all authentication types described below.
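The exchange that the configuration above sets up, as an added example that is not H3C's code or the Shiva product's: the gateway hides the user password with the shared key, the server replies with the SSL-VPN-GROUP attribute, and the gateway must verify the Response Authenticator before trusting the Accept. This is why the shared key on both sides must match and why a short key such as 123456 is a weak spot. The assumptions are this example's own: SSL-VPN-GROUP is treated as a plain RADIUS attribute of type 140 (read from the dictionary line), the password is sent with PAP hiding (RFC 2865, section 5.2), the server is an in-memory stand-in with a constructed user table, and nothing is sent on the wire.

```python
"""RADIUS Access-Request / Access-Accept between the SSL VPN gateway and a
stand-in server. Added example, not H3C code. Assumptions: attribute 140 is a
plain string attribute, PAP password hiding, in-memory server, no network."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SSL_VPN_GROUP = 140        # assumed type, from "ATTRIBUTE SSL-VPN-GROUP 140 string"

SHARED_KEY = b"123456"     # the key from the page; far too short for real use
NAS_IP = "192.168.96.22"   # gateway address from the page
# Constructed user table for the stand-in server: name -> (password, groups)
USERS = {"usera": ("123456", "usergroup;admins")}


def _attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(blob):
    """Decode a run of TLV attributes into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        atype, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((atype, blob[i + 2:i + length]))
        i += length
    return attrs


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk)."""
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password (the server side)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_access_request(secret, ident, authenticator, user, password, nas_ip):
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(secret, code, ident, request_auth, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(secret, request_auth, packet):
    """The only integrity check the gateway has on a reply; skipping it lets
    anyone who can spoof the server address hand out group memberships."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == resp_auth


def simulated_server(server_secret, users, packet):
    """Stand-in for Shiva: PAP check, then Accept with SSL-VPN-GROUP, or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(server_secret, request_auth, attrs.get(USER_PASSWORD, b""))
    if code == ACCESS_REQUEST and user in users and users[user][0].encode() == password:
        groups = _attr(SSL_VPN_GROUP, users[user][1].encode())
        return build_response(server_secret, ACCESS_ACCEPT, ident, request_auth, groups)
    return build_response(server_secret, ACCESS_REJECT, ident, request_auth, b"")


def gateway_login(gateway_secret, server_secret, user, password, users=USERS):
    """Gateway side. Returns the group list on Accept, None on Reject, and
    raises if the reply does not authenticate (mismatched keys or forgery)."""
    request_auth = os.urandom(16)
    request = build_access_request(gateway_secret, 7, request_auth, user, password, NAS_IP)
    reply = simulated_server(server_secret, users, request)
    if not verify_response(gateway_secret, request_auth, reply):
        raise ValueError("Response Authenticator mismatch: shared keys differ or reply was forged")
    if reply[0] != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attrs(reply[20:]):
        if atype == SSL_VPN_GROUP:
            return [g for g in value.decode().split(";") if g]   # semicolon-separated, as on the server
    return []


if __name__ == "__main__":
    print(gateway_login(SHARED_KEY, SHARED_KEY, "usera", "123456"))
```

With the keys in agreement the call returns ['usergroup', 'admins']; with the server configured with a different key the password check fails, the reply is a Reject, and the gateway also refuses the reply itself because the Response Authenticator does not verify, which is the symptom to look for when "shared key must be consistent" has been violated.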

LDAP Authentication

Feature overview

Use the LDAP system to authenticate remote users of SSL VPN.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree to enter the authentication policy management page.

2) Select the LDAP Authentication tab to enter the LDAP authentication policy configuration page.

3) Configure the LDAP server address, service port, user group LDAP attribute, version, and certificate policy. Select the Enable Authentication check box.

4) Query for user DN using template: configure the user DN template as cn=%logon%,dc=vpn-domain,dc=com.

Figure 53 LDAP authentication configuration with the query mode as template

5) Check user DN by querying:

• Specify the Administrator DN as cn=manager,dc=vpn-domain,dc=com.

• Specify the query base DN as dc=vpn-domain,dc=com.

• Specify the query template as cn=%logon%.

Figure 54 LDAP authentication configuration with the query mode as query

Check user DN by querying and Query for user DN using template settings are mutually exclusive.

Server configuration

In this configuration example, the LDAP server is OpenLDAP on a Linux server. When installing the Linux system, choose to install all components. After the installation, start the OpenLDAP server directly; it runs as process slapd. Follow these steps to configure OpenLDAP:

1) File slapd.conf in directory /etc/openldap/ is the LDAP server startup configuration file. Open the file and locate the following contents:

• The contents in the red box are the LDAP server root directory (the suffix directive). You can change it to your own directory, such as dc=vpn-domain,dc=com.

• The contents in the blue box are the default administrator DN and password. You can change them, for example, to cn=vpn-manager,dc=vpn-domain,dc=com. The comment character # before the rootpw lines selects whether the administrator password is stored in clear text or as a hash; the password itself is also changeable.

2) Add users. Users in LDAP are stored in a directory tree, and you can create different levels of directories to store them. There are several ways to add LDAP records. It is recommended to use a file, that is, create a *.ldif file whose contents are the records to be added; in this way you can add users in a batch.

First, create the root directory dc=vpn-domain,dc=com. Create file root.ldif with the following contents:

    dn: dc=vpn-domain,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: vpn-domain
    o: Corporation
    description: Corporation

Then run ldapadd -x -D "cn=Manager,dc=vpn-domain,dc=com" -w "secret" -f root.ldif. If the following output is displayed, the root directory is added successfully.

Proceed to add a user. Create file user.ldif with the following contents:

    dn: cn=usera,dc=vpn-domain,dc=com
    objectClass: person
    cn: usera
    sn: usera
    description: usergroup

Then run ldapadd -x -D "cn=Manager,dc=vpn-domain,dc=com" -w "secret" -f user.ldif. If the following output is displayed, the user is added successfully.

Use the ldapsearch -x -b "dc=vpn-domain,dc=com" command to display the related information on the LDAP server.

In this example, the LDAP attribute description is used as the user group attribute. In actual applications, you can add a self-defined user group attribute depending on customer requirements.

Verifying the LDAP authentication configuration

After logging in, remote user [email protected] can view and access various resources.

If the default authentication type is LDAP, users can directly use usera to log in.
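How the two DN modes above turn a login name into a user DN, and how the group attribute is then read, as an added example that is not H3C's code: template mode substitutes %logon% straight into a DN, query mode binds as the administrator and searches under the base DN with the template as a filter, and in both cases the login name is attacker-controlled input. The directory is an in-memory parse of the LDIF records shown above plus a second constructed user (userb); nothing connects to slapd. The escaping follows RFC 4514 for DN values and RFC 4515 for filter values; the page does not say whether the gateway escapes %logon%, so that is this example's assumption, and the escape=False path shows what a wildcard login does without it.

```python
"""User DN derivation for the LDAP authentication policy. Added example, not
H3C code. In-memory directory parsed from the page's LDIF plus a constructed
second user; RFC 4514/4515 escaping is assumed, not documented on the page."""
import re

# Constructed: the two LDIF records from the page plus userb
LDIF = """\
dn: dc=vpn-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: vpn-domain
o: Corporation
description: Corporation

dn: cn=usera,dc=vpn-domain,dc=com
objectClass: person
cn: usera
sn: usera
description: usergroup

dn: cn=userb,dc=vpn-domain,dc=com
objectClass: person
cn: userb
sn: userb
description: guests
"""


def parse_ldif(text):
    """Minimal LDIF reader: {lowercased dn: {attr: [values]}}. No folding or base64."""
    directory, entry = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if entry:
                directory[entry["dn"][0].lower()] = entry
            entry = {}
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip().lower(), []).append(value.strip())
    return directory


def escape_dn_value(value):
    """RFC 4514 2.4: escape characters that would change the DN's structure."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """RFC 4515 3: a login name must not inject wildcards or parentheses."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def _filter_matches(pattern, value):
    """Evaluate 'attr=pattern': an unescaped * is a wildcard, \\xx is a literal byte."""
    literal = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    regex = ".*".join(re.escape(literal(part)) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def dn_from_template(template, logon):
    """Template mode: substitute the login name into the DN template."""
    return template.replace("%logon%", escape_dn_value(logon))


def dn_from_query(directory, base_dn, template, logon, escape=True):
    """Query mode: search under base_dn with the template filter (the
    administrator bind is not modelled) and require exactly one hit."""
    wanted = template.replace("%logon%", escape_filter_value(logon) if escape else logon)
    attr, _, pattern = wanted.partition("=")
    hits = [e["dn"][0] for dn, e in directory.items()
            if dn.endswith(base_dn.lower())
            and any(_filter_matches(pattern, v) for v in e.get(attr.lower(), []))]
    if len(hits) > 1:
        raise ValueError("ambiguous filter %r matched %d entries" % (wanted, len(hits)))
    return hits[0] if hits else None


def user_groups(directory, dn, group_attr="description"):
    """Read the 'user group LDAP attribute' configured on the gateway (description here)."""
    return directory.get(dn.lower(), {}).get(group_attr, [])


if __name__ == "__main__":
    d = parse_ldif(LDIF)
    dn = dn_from_query(d, "dc=vpn-domain,dc=com", "cn=%logon%", "usera")
    print(dn, user_groups(d, dn))
```

A login name of `*` is rejected in the escaped path (the filter becomes cn=\2a and matches nothing) but, unescaped, it matches every user under the base DN, which is the check worth running against a gateway before trusting its query mode; in template mode a comma or equals sign in the login name is escaped so it cannot append RDNs to the configured DN.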

AD Authentication

Feature overview

Use the AD domain system to authenticate remote users of SSL VPN.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree to enter the authentication policy management page.

2) Select the AD Authentication tab to enter the AD authentication policy configuration page.

• Configure the AD domain name and the AD server address list. You can specify multiple AD server addresses separated by semicolons (;), which allows the system to switch to another AD server for user authentication when the current AD server is down.

• Configure the administrator account and password. The administrator account can be any user in the Users directory of the AD domain who has the right to read the directory.

• Select the username format. You can use the default username format.

• Configure the server failure restoration time. When the system detects that the AD server in use is down, it automatically switches to another AD server. Before processing a new authentication request, the system checks whether the failed AD server has been down for longer than the failure restoration time. If so, the system considers that the AD server has recovered and switches back to it; if not, the system sends the authentication request to another AD server.

Figure 55 AD authentication policy configuration

Server configuration

At present, the directory service of Windows 2000 Server or a later version is used.

1) Log in to the AD domain management platform.

• Log in to the Windows system.

• Click Start and select Programs > Administrative Tools > Active Directory Users and Computers.

2) Add a user.

• From the left navigation tree, select any directory other than Builtin, either a built-in directory or one you created.

• Right-click the directory and select New > User.

3) Configure information for the user.

• Type usera for both the username and the login name.

• Click Next and type password 123456, select Password never expires for the user, use the default settings for the other items, and then click OK.

4) Add a group.

• From the left navigation tree, select any directory other than Builtin, either a built-in directory or one you created.

• Right-click the directory and select New > Group.

5) Configure information for the group.

• Specify the group name as usergroup, which must also exist on the SSL VPN gateway.

• Use the default settings for the other items.

6) Add the user to the group.

• Select group usergroup, right-click it, and select Properties. Click the Members tab and then the Add button. Enter usera in the Enter the object names to select field and click Check Names. The system checks and completes the username.


Verifying the AD authentication configuration

After logging in, remote user usera can access various resources.

If the default authentication type is AD, users can directly use usera to log in.

Combination Authentication

Feature overview

A combination authentication policy combines any two of the four authentication policies (local, RADIUS, LDAP, and AD), so that the system authenticates a user twice, once with each of the two specified policies. Suppose the application is "username and password + authentication code": the user first enters the username and password for authentication; after the user passes, the system sends an authentication code by short message to the user's cell phone and presents the login page again, and the user enters the authentication code for the second authentication.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree. Select the Combination Authentication tab to enter the combination authentication policy configuration page.

2) Select Enable Authentication to enable combination authentication, and configure the authentication policies to be used in the first and second authentications. In this example, configure them as local authentication and RADIUS authentication respectively.

3) Password Input Needed lets you select whether a password must be entered for the second authentication. If you select this option, the system pushes the login page to the user again after the first authentication succeeds, and the user must enter the password for the second authentication. At present, this option does not take effect unless customized authentication pages are configured.


Verifying the combination authentication configuration

Log in as a common user and the system authenticates you twice, first with local authentication and then with RADIUS authentication. The result of the first authentication determines the resources you can access after login.

USB-Key Certificate Authentication

Feature overview

Remote users keep their certificate in a USB-Key smart card, which is used to pass certificate authentication at login.

Configuration procedure

1) Select Domain > Authentication Policy from the navigation tree to enter the authentication policy management page.

2) Select the Local Authentication tab to enter the local authentication policy configuration page.

3) For Authentication Method, that is, the certificate policy, select Password + Certificate or Certificate.

4) Make sure that the smart card driver is installed on the client PC and a valid client certificate is imported into the smart card. A valid certificate is one that is within its validity period and was issued by the CA server that issued the SSL VPN gateway certificate.

Verifying the USB-Key certificate authentication

On the remote client PC, insert the USB-Key smart card. The smart card driver installed on the PC imports the certificate stored in the key into the IE browser, and the certificate is then used for authentication during SSL connection establishment. Note that the value of the Issued To field in the client certificate must be the actual, valid login username.

Binding the Certificate Serial Number and Username

Feature overview

Binding a certificate serial number to a username ensures that certificates and usernames match, providing a more secure access method: a valid certificate presented with an account it is not bound to is rejected.

Configuration procedure

1) Make sure that the certificate policy for local authentication is Password + Certificate. (Select Domain > Authentication Policy from the navigation tree. Select the Local Authentication tab to enter the local authentication policy configuration page. Select Password + Certificate for Authentication Method.)

2) Select User > Local User from the navigation tree to enter the local user list page. Click Add to enter the local user configuration page.

3) Create local user svpn, set the password to 123456 and the certificate serial number to 747407e2000100000540, select Permitted for Status, and add the user to a group. Log in as


Figure 57 Bind a local user with a certificate serial number

4) On the local user configuration page, change the certificate serial number to 848408e2000100000540. Log in as user svpn and still use certificate serial number 747407e2000100000540 for certificate authentication. You will see result 2).

5) On the local user configuration page, change the certificate serial number back to 747407e2000100000540 and change the status to Denied. Log in as user svpn with certificate serial number 747407e2000100000540. You will see result 3).

Results of Certificate Serial Number-to-Username binding configurations

1) User svpn logs in successfully.

2) User svpn cannot log in. The system reports that the client certificate is not the one bound to the username.

3) User svpn cannot log in. The domain administrator can control user access in this way.

Configuration guidelines

• The binding function takes effect only when Password + Certificate is configured in the authentication policy.

• Currently, this function applies to local authentication only.

• The resources that a user bound to a certificate serial number can access are still determined by the user group that the user belongs to.

Security Checking and Dynamic Authorization Configuration Example

Security Checking

Feature overview

The SSL VPN system performs a complete security check on user hosts.

Configuration procedure

1) Select Domain > Security Policy from the navigation tree to enter the security policy management page. Click Add.

2) Add a security policy named sec1, select level 1, and specify the check categories, such as operating system, browser, anti-virus software, firewall, and other security related items. For example, in this policy specify the operating system as Windows XP Professional and the browser as IE 6.0 or later.


Figure 58 Configure a browser rule

Add another policy:

1) Add a security policy named sec10, select level 10, and specify the operating system and browser, for example, as Windows XP Professional and IE 7.0 or later respectively.

2) Add a proper description for this policy, for example, "the top level".


Security checking verification

The security policies are configured successfully.

Configuration guidelines

• For security policy levels, the larger the level number, the higher the priority.

• A security policy includes several check categories, and the relationship between them is logical AND, that is, a host passes the security policy only after it passes all check categories.

• Each check category includes several check rules, and the relationship between them is logical OR, that is, a host only needs to satisfy one check rule in the check category. For example, you can configure two check rules, Windows XP Professional and Windows Me, in the Operating System check category. A host then passes the operating system check when its operating system is either Windows XP Professional or Windows Me.

• If you define multiple security policies, the security check starts from the one with the highest priority and stops as soon as a security policy is passed or all security policies have failed. The security policy that a user passes determines the resources assigned to the user.

Dynamic Authorization

Feature overview

SSL VPN assigns different resources to different users according to the security checking results of the user hosts. This is referred to as dynamic authorization of resources.

Configuration procedure

1) After configuring the security policies, click Apply to return to the security policy list page.

2) Select a security policy and click Configure Resource to enter the page for assigning resources to the policy. The resources include Web resources, TCP resources, and IP resources.

3) Assign only Web resources to policy sec1, and all resources to policy sec10.

Figure 60 Assign Web resources to sec1

4) Select Domain > Basic Configuration from the navigation tree. On the domain policy configuration page that appears, enable security checking (Figure 61).

Figure 61 Enable security checking

Dynamic authorization verification

• A remote host whose operating system is Windows XP Professional and whose IE version is 6.0 or later (but earlier than 7.0) satisfies security policy sec1 and can access only Web resources.

• A remote host whose operating system is Windows XP Professional and whose IE version is 7.0 or later satisfies security policy sec10 (which is checked first because of its higher level) and can access all resources.

Configuration guidelines

• Because the security check starts from the security policy with the highest priority and stops immediately when a policy is passed, assign more resources to policies with higher priority; otherwise a host that satisfies a higher-priority policy never reaches a lower-priority policy that would have granted it more.
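The evaluation order that the guidelines above describe, carried through in code as an added example (not H3C's implementation): policies are tried from the highest level down, a policy passes when every check category passes (AND), a category passes when any one of its rules matches (OR), and the first policy passed fixes the resources. It also implements the last guideline as a check, flagging a higher-level policy that grants fewer resources than a lower-level one. How the client reports host attributes (an os string and an ie_version tuple) and how a rule is expressed are this example's assumptions; the page shows only the operating system and browser screens. The two policies are sec1 and sec10 from the page, with the Windows Me alternative from the guideline added to sec1; the host reports are constructed.

```python
"""Security policy evaluation and dynamic authorization as described above.
Added example, not H3C code; host attribute names and rule shapes are assumed."""
from dataclasses import dataclass


@dataclass
class Rule:
    """One check rule on a host attribute: an exact value, or a minimum version tuple."""
    attribute: str
    equals: object = None
    at_least: tuple = None

    def matches(self, host):
        value = host.get(self.attribute)
        if value is None:
            return False
        if self.equals is not None:
            return value == self.equals
        return tuple(value) >= self.at_least


@dataclass
class Policy:
    name: str
    level: int               # larger number = higher priority
    categories: dict         # category name -> list of Rule (OR inside, AND across)
    resources: frozenset     # what a host that passes this policy may reach

    def passes(self, host):
        return all(any(rule.matches(host) for rule in rules)
                   for rules in self.categories.values())


def evaluate(policies, host):
    """Return (policy name, resources) of the first passing policy, highest level first;
    (None, empty) when the host fails every policy."""
    for policy in sorted(policies, key=lambda p: p.level, reverse=True):
        if policy.passes(host):
            return policy.name, policy.resources
    return None, frozenset()


def misordered(policies):
    """Guideline check: (higher, lower) pairs where the lower-level policy grants
    resources the higher one does not. A host passing both stops at the higher
    policy and silently loses those resources."""
    ordered = sorted(policies, key=lambda p: p.level, reverse=True)
    return [(hi.name, lo.name) for i, hi in enumerate(ordered)
            for lo in ordered[i + 1:] if lo.resources - hi.resources]


# The two policies from the page (sec1 with the Windows Me alternative from the guideline)
SEC1 = Policy("sec1", 1, {
    "Operating System": [Rule("os", equals="Windows XP Professional"),
                         Rule("os", equals="Windows Me")],
    "Browser": [Rule("ie_version", at_least=(6, 0))],
}, frozenset({"web"}))
SEC10 = Policy("sec10", 10, {
    "Operating System": [Rule("os", equals="Windows XP Professional")],
    "Browser": [Rule("ie_version", at_least=(7, 0))],
}, frozenset({"web", "tcp", "ip"}))
POLICIES = [SEC1, SEC10]

# Constructed host reports (what the client-side check would send to the gateway)
HOST_IE6 = {"os": "Windows XP Professional", "ie_version": (6, 0)}
HOST_IE7 = {"os": "Windows XP Professional", "ie_version": (7, 0)}
HOST_ME = {"os": "Windows Me", "ie_version": (6, 0)}
HOST_LINUX = {"os": "Linux", "ie_version": None}

if __name__ == "__main__":
    for host in (HOST_IE6, HOST_IE7, HOST_ME, HOST_LINUX):
        print(host["os"], host["ie_version"], evaluate(POLICIES, host))
    print("misordered:", misordered(POLICIES))
```

Adding a level-20 policy that grants only Web resources would make misordered() report it against sec10 and would turn an IE 7 host from "all resources" into "Web only", which is exactly the outcome the guideline warns about.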

Other Features

Importing User Accounts in Batches

Feature overview

The SSL VPN system allows you to import local user accounts in batches.

Configuration procedure

1) First, create a file named Batch Import.txt, containing the user accounts to be imported. Then, select User > Batch Import from the navigation tree to enter the batch import page.

2) Click Browse to find file Batch Import.txt, and then click Import.

Batch import result


• Select User > Local User from the navigation tree; you can see that all users in the file have been imported to the SSL VPN system.

Configuration guidelines

• The content of the batch import file:

    user11 123456
    user12 123456
    user13 123456
    user14 123456

• At present, only usernames and passwords can be imported. A username and its password are separated by a space or a tab.

• Users imported in batches do not overwrite existing local users.
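A pre-upload check for the batch import file format above, as an added example that is not H3C's code: it applies the two stated rules (one "username password" pair per line, separated by a space or tab; existing local users are left untouched) and adds what an operator wants to know before clicking Import, namely lines that do not split into exactly two fields and names repeated inside the file. The sample file and the list of existing local users are constructed here.

```python
"""Checker for the SSL VPN batch import file. Added example, not H3C code.
Sample file and existing-user set are constructed."""

# Constructed: the four users from the page (one tab-separated), an existing
# user that must not be overwritten, and a line with the password missing
SAMPLE_FILE = "user11 123456\nuser12\t123456\nuser13 123456\nuser14 123456\nsvpn 123456\nuser15\n"
EXISTING_LOCAL_USERS = {"svpn", "guest"}


def parse_batch_file(text, existing):
    """Return (to_import, skipped, errors).

    to_import: username -> password for the accounts the gateway would create
    skipped:   names already present as local users (not overwritten, per the guideline)
    errors:    (line number, reason) for lines the import should not accept
    """
    to_import, skipped, errors = {}, [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split()            # a space or a tab, any run of whitespace
        if len(fields) != 2:
            errors.append((lineno, "expected 'username password', got %d fields" % len(fields)))
            continue
        user, password = fields
        if user in existing:
            skipped.append(user)
        elif user in to_import:
            errors.append((lineno, "duplicate username %s in file" % user))
        else:
            to_import[user] = password
    return to_import, skipped, errors


if __name__ == "__main__":
    print(parse_batch_file(SAMPLE_FILE, EXISTING_LOCAL_USERS))
```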

User Interface Customization

Feature overview

User interface customization includes partial customization and full customization.

Partial customization: Customize login page logo and title, welcome title, service page logo, title, and background picture.

Full customization: Customize the login page for common users.

Partial customization configuration procedure

1) Select Device > Device Management from the navigation tree. Select the UI Customizing tab and then click Partial customization to customize part of the UI pages.

2) Configure the login page title, login page welcome title, and service page title. Figure 62 illustrates these titles.

3) Customize the service page logo and login page logo. Click Browse to select a picture file, and then click Update to update the logo with the picture in the file. Figure 62 illustrates these pictures.


Figure 62 Custom titles and pictures

Partial customization configuration result

• The system prompts that the configuration or update succeeds.

• Open the login page, and you can see that the login page title, welcome title, and logo are updated.

• Log in as user svpn, and you can see that the service page title and logo are updated.

Configuration guidelines

There are requirements on the width and height of a picture. Refer to the information on the configuration page for details.

Full customization configuration procedure

1) Define a custom page, which usually includes one or more htm, js, css, and picture files.

2) Telnet to the device and create directory www/login under directory flash:/domain1, so that the storage directory of the custom page is flash:/domain1/www/login. Then upload all files of the custom page to this directory through TFTP or FTP, as shown in Figure 63, where user.htm is the login page file. (SecBlade SSL VPN has two types of storage device, CF card and Flash; SecPath SSL VPN provides Flash only. Flash is used in this example.)


Figure 63 Upload the custom page

3) Log in to the SSL VPN system as an administrator. Select Device > Device Management from the navigation tree. Select the UI Customizing tab and then click Full customization to customize the common user login page fully. In this example, the page storage directory is flash:/domain1/www/login and the login page file is user.htm, as shown in Figure 64. (For SecBlade SSL VPN, which provides two storage devices, enter the directory without specifying the storage device, for example, /domain1/www/login.)

Figure 64 Full page customization for SecPath SSL VPN

4) Save the domain configuration file and then reboot the domain or reboot the SVPN service.

Full customization configuration result

The login page customized for common users takes effect.

External Network Access Control

Feature overview

The domain administrator can specify whether a login user can access the Internet besides the VPN.

Configuration procedure

1) Select Resource > IP Network from the navigation tree, and then select the Global Configuration tab.

2) Configure the IP address pool, setting the start IP to 10.5.1.1, end IP to 10.5.1.100, subnet mask to 255.255.255.0, gateway IP to 10.5.1.1.

3) Select the Host Configuration tab to configure the IP host resource. Configure the accessible host as 10.154.2.44/32.

4) Select the Global Configuration tab. In the Configure Basic Parameters area, select Access VPN Only. Log in as a common user. You will see result 1).

Figure 65 Specify that login users can access the VPN only (SecPath SSL VPN)

5) Select the Global Configuration tab. In the Configure Basic Parameters area, deselect Access VPN Only. Log in as a common user. You will see result 2).

Verification

1) After you log in, you can see that the default gateway of the virtual network adapter is 10.5.1.1, and the default gateway of the PC is now 10.5.1.1 as well, so all traffic is sent into the tunnel. In this case, you can access only the SSL VPN and cannot access the Internet.

Figure 66 Virtual network adapter configuration information

Figure 67 Routing information on the PC

2) After logging in, you can see that the default gateway of the virtual adapter is empty. View the routes and you can see that the default gateway of the PC is unchanged; only the route to the resource network points to the virtual adapter. In this case, you can access both the VPN and the Internet. See Verifying the IP Service Configuration.

Guest Account

Feature overview

The SSL VPN system provides a default account, guest, which allows remote users to log in without a password. Multiple users can use the guest account simultaneously, and the administrator can set the maximum number of concurrent guest logins.


Configuration procedure

1) Log in as the administrator, select User > Local User from the navigation tree to enter the local user list page. Select account guest and click Configure to enter the local user configuration page.

Figure 68 guest user configuration page

2) Select User > User Group from the navigation tree. Select group Guests and click Configure to configure the group. Add resource groups and user guest to the group. User guest will then be able to access the resources added to group Guests.


Figure 69 guest user group configuration page

Verification

• User guest logs in successfully.

• Ten users can log in using the guest account at the same time.

Figure 70 User guest logs in successfully.

Certificate Management

Feature overview

You can replace the default CA certificates of the system with your own certificates and manage them, so as to use your own CA system as needed.


Configuration procedure

1) Log in as the administrator. Select Domain > Basic Configuration from the navigation tree, and then select the Certificate Management tab.

2) In the Import CA Certificate area, click Browse to locate the CA certificate file, and then click Update to import the CA certificate.

3) In the Import Local Certificate area, specify the password of the local certificate, click Browse to locate the local certificate file, and then click Update to import the local certificate.

4) In the Configure CRL area, select the check box before Enable CRL Checking to enable CRL checking, type the URL for obtaining the CRL, and specify the CRL update interval. Click Apply to submit the settings.

5) After the above configuration, click Reboot web service to restart the SSL VPN Web service so that the certificates take effect. (For SecBlade SSL VPN, reboot the Web service from the CLI.)

Figure 71 Certificate management page

Certificate management configuration result

• "Imported the CA certificate successfully." is displayed.

• "Configured the CRL parameters successfully." is displayed.

• Open the SSL VPN homepage; the certificate presented by the server is the local certificate imported last.

Configuration guidelines

Read the contents of the Note area carefully and comply with them.

Auto Login Using Certificate

Feature overview

After an enterprise builds its own CA system, the client certificate issued to a common user identifies that user uniquely. Assuming that the holder of the client certificate is legitimate and the certificate is valid, SSL VPN login authentication can be reduced to client certificate authentication, with no username or password. This is usually implemented by importing the client certificate into a dedicated certificate storage device such as a USB-Key: the certificate in the USB-Key cannot be exported and a PIN is required to use it, so the certificate is hard to steal, and its validity can easily be controlled through the certificate revocation list mechanism. Local authentication is used in this example.

Configuration procedure

1) Import the CA and local certificates. See Certificate Management.

2) Create a local user. See Creating a User and User Group, and Associating the Resource Group and User Group.

3) Issue a client certificate from the CA system to the local user and import the client certificate into the USB-Key or IE.

4) Log in as the administrator. Select Domain > Authentication Policy from the navigation tree, and then select the Local Authentication tab. Select Certificate as the certificate policy, as shown in the following figure.

Figure 72 Configure the local authentication policy as certificate authentication

5) Select Domain > Basic Configuration from the navigation tree. The domain policy configuration page appears. Select Enable Auto Login and specify the default authentication method as
