09-Configuration Examples

HomeSupportConfigure & DeployH3C Firewall Products Comware 7 Web Configuration Guide-6W60009-Configuration Examples
Table of Contents
Related Documents
31-SSL VPN TCP access configuration examples
Title Size Download
31-SSL VPN TCP access configuration examples 731.65 KB

SSL VPN TCP access configuration examples

 

·     Introduction

·     Prerequisites

·     Example: Configuring TCP access with a CA-signed server certificate

·     Example: Configuring TCP access with a self-signed server certificate

 

The following information provides SSL VPN TCP access configuration examples.

Prerequisites

 

This document is not restricted to specific software or hardware versions. Procedure and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of SSL VPN.

Example: Configuring TCP access with a CA-signed server certificate

Network configuration

As shown in Figure 1, the device acts as the SSL VPN gateway that connects the public network and the private network. A Windows Server 2008 R2 CA server is deployed on the private network. Users need secure access to the internal Telnet server in TCP access mode.

Perform the following tasks:

·     Request a server certificate for the device from the CA server.

·     Configure the SSL VPN TCP access service on the device to allow users to access the server in TCP access mode.

·     Configure the device to perform local authentication and authorization for TCP access users.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on R8860 of the F1000-AI-55 device.

Restrictions and guidelines

·     Certificate-based client authentication is not available in TCP access mode.

·     To start the TCP client from the Web interface, make sure the Java Runtime Environment is installed on the client host.

·     To access internal resources in TCP access mode from the host, modifications to the Hosts file on the host might be required. Make sure you log in to the host with administrative privileges.

Procedure

Configuring the device

1.     Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click the Network tab.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

a.     Select the Untrust security zone.

b.     On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 1.1.1.2/24.

c.     Use the default settings for other parameters.

d.     Click OK.

# Add GE 1/0/2 to the Trust security zone and set its IP address to 2.2.2.2/24 in the same way you configure GE 1/0/1.

# Add GE 1/0/3 to the Trust security zone and set its IP address to 192.168.100.3/24 in the same way you configure GE 1/0/1.

2.     Configure settings for routing:

This example configures static routes.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, configure a static IPv4 route to reach 40.1.1.1:

a.     Enter destination IP address 40.1.1.1.

b.     Enter mask length 24.

c.     Enter next hop address 1.1.1.3.

d.     Use the default settings for other parameters.

e.     Click OK.

# Configure a static IPv4 route to reach 20.2.2.2:

a.     Enter destination IP address 20.2.2.2.

b.     Enter mask length 24.

c.     Enter next hop address 2.2.2.3.

d.     Use the default settings for other parameters.

e.     Click OK.

3.     Create security policies:

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create, and then click Create a policy.

# In the dialog box that opens, configure a security policy named untrust-local to permit the specified traffic from the Untrust to Local security zones:

¡     Enter policy name untrust-local.

¡     Select source zone Untrust.

¡     Select destination zone Local.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 address 40.1.1.1.

¡     Select destination IPv4 address 1.1.1.2.

¡     Use the default settings for other parameters.

# Click OK.

# Create security policy local-trust to permit the specified traffic from the Local to Trust security zones:

¡     Enter policy name local-trust.

¡     Select source zone Local.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 addresses 2.2.2.2 and 192.168.100.3.

¡     Select destination IPv4 addresses 20.2.2.2 and 192.168.100.247.

¡     Use the default settings for other parameters.

# Click OK.

4.     Request a server certificate for the device:

a.     Create a certificate subject:

# On the top navigation bar, click Objects.

# From the navigation pane, select PKI > Certificate Subject.

# Click Create.

# Create a certificate subject as shown in Figure 2, and the click OK.

Figure 2 Creating a certificate subject

b.     Create a PKI domain:

# On the top navigation bar, click Objects.

# From the navigation pane, select PKI > Certificate.

# Click Create PKI domain.

# Create a PKI domain as shown in Figure 3, and then click OK.

Figure 3 Creating a PKI domain

c.     Create a certificate request:

# On the Certificate page, click Submit Cert Request.

# Configure the certificate request settings as shown in Figure 4.

Figure 4 Creating a certificate request

# Click OK.

The certificate request content will be displayed, as shown in Figure 5.

Figure 5 Certificate request content

 

# Copy the certificate request content and click OK.

d.     Request a server certificate from the CA:

# Enter http://192.168.100.247/certsrv in the browser address bar.

# On the certificate service home page shown in Figure 6, click Request a certificate.

Figure 6 Certificate service home page

# On the Request a Certificate page shown in Figure 7, click advanced certificate request.

Figure 7 Request a Certificate page

# Paste the previously copied certificate request content in the Base-64-encoded certificate request CMC or PKCS # 10 or PKCS # 7) field, as shown in Figure 8.

Figure 8 Pasting the certificate request content

# Click Submit.

After the certificate request is approved by the CA administrator, enter http://192.168.100.247/certsrv in the browser address bar.

# On the certificate service home page shown in Figure 9, click View the status of a pending certificate request.

Figure 9 Certificate service home page

# Select the certificate request you want to view. In this example, select Saved-Request Certificate (9/24/2018 9:53:57 AM), as shown in Figure 10.

Figure 10 View the Status of a Pending Certificate Request page

 

The Certificate Issued page opens, indicating that the requested server certificate has been issued, as shown in Figure 11.

Figure 11 Certificate Issued page

 

# Click Download certificate to download the server certificate and save it locally.

5.     Download the CA certificate:

# Enter http://192.168.100.247/certsrv in the browser address bar.

# On the certificate service home page shown in Figure 12, click Download a CA certificate, certificate chain, or CRL.

Figure 12 Certificate service home page

 

# On the Download a CA certificate, certificate chain, or CRL page, click Download CA certificate.

Figure 13 Download a CA certificate, certificate chain, or CRL page

 

# Save the downloaded CA certificate locally.

6.     Import the CA and server certificates:

a.     Import the CA certificate:

# On the top navigation bar, click Objects.

# From the navigation pane, select PKI > Certificate.

# Click Import certificate.

# Import the locally saved CA certificate, as shown in Figure 14, and then click OK.

Figure 14 Importing the CA certificate

 

b.     Import the server certificate:

# On the Certificate page, click Import certificate.

# Import the locally saved server certificate, as shown in Figure 15, and then click OK.

Figure 15 Importing the server certificate

 

7.     Configure an SSL server policy:

# On the top navigation bar, click Objects.

# From the navigation pane, select SSL > SSL Server Policies.

# Click Create.

# Configure an SSL server policy as shown in Figure 16, and then click OK.

Figure 16 Creating an SSL server policy

 

8.     Configure the SSL VPN gateway:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN Gateways.

# Click Create.

# Create an SSL VPN gateway as shown in Figure 17, and then click OK.

Figure 17 Creating an SSL VPN gateway

 

9.     Configure an SSL VPN context:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN Contexts.

# Click Create.

# Configure the basic settings for the SSL VPN context as shown in Figure 18, and then click Next.

Figure 18 Creating an SSL VPN context

 

# Configure authentication settings, as shown in Figure 19, and then click Next.

Figure 19 Configuring authentication settings

 

# On the URI ACL page, click Next.

# On the Access services page, select TCP access and click Next.

# On the TCP access page, click Create in the Port Forwarding Item area.

# Create a port forwarding item named pfitem as shown in Figure 20, and then click OK.

Figure 20 Creating a port forwarding item

 

# Create a port forwarding list named pflist and assign port forwarding item pfitem to it, as shown in Figure 21.

Figure 21 Configuring TCP access resources

 

# Click Next on the Shortcuts page.

# On the Resource groups page, click Create.

# Create a resource group named resourcegrp and select port forwarding list pflist from the TCP resources list, as shown in Figure 22.

Figure 22 Creating an SSL VPN resource group

 

# Click OK.

The newly created resource group is displayed on the Resource groups page, as shown in Figure 23.

Figure 23 Resource groups configuration page

 

# Click Finish.

# Select the Enable check box to enable the SSL VPN context, as shown in Figure 24.

Figure 24 Enabling the SSL VPN context

 

10.     Create an SSL VPN user:

# On the top navigation bar, click Objects.

# From the navigation pane, select User > User Management > Local Users.

# Click Create.

# Create an SSL VPN user:

a.     Set the username to user1 and password to 123456, and select SSL VPN as the available service, as shown in Figure 25.

Figure 25 Creating an SSL VPN user

 

b.     In the Authorization Attributes area, authorize the user to use SSL VPN resource group resourcegrp, as shown in Figure 26.

Figure 26 Setting the authorization attributes for the SSL VPN user

 

c.     Click OK.

Configuring the host

# Configure the IP address and gateway address settings for the host and make sure it can reach the SSL VPN gateway.

Verifying the configuration

1.     In the browser address bar of the host, enter https://1.1.1.2 and press Enter to open the domain list page.

Figure 27 Domain list page

 

2.     Select domaintcp to access the login page.

3.     On the login page, enter username user1 and password 123456, and then click Login.

Figure 28 Login page

 

The SSL VPN home page opens, displaying the TCP resources the user can access in the TCP Resource area.

Figure 29 Accessible TCP resources

 

4.     Click START to start the TCP client application.

You cannot start the TCP client application by double-clicking it.

5.     Telnet to local address 127.0.0.1 and local port 2323 to access the server.

Network configuration

As shown in Figure 32, the device acts as the SSL VPN gateway that connects the public network and the private network. Users need secure access to the internal Telnet server in TCP access mode.

Configure the SSL VPN TCP access service on the device to allow users to access the server in TCP access mode.

Configure the device to perform local authentication and authorization for TCP access users.

The device uses a self-signed SSL server certificate.

Figure 30 Network diagram

 

Software versions used

This configuration example was created and verified on R8860 of the F1000-AI-55 device.

Restrictions and guidelines

When you configure TCP access with a self-signed server certificate, follow these restrictions and guidelines:

·     Certificate-based client authentication is not available in TCP access mode.

·     To start the TCP client from the Web interface, make sure the Java Runtime Environment is installed on the client host.

·     To access internal resources in TCP access mode from the host, modifications to the Hosts file on the host might be required. Make sure you log in to the host with administrative privileges.

Procedure

Configuring the device

1.     Assign IP addresses to interfaces and add the interfaces to security zones.

# On the top navigation bar, click the Network tab.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

a.     Select the Untrust security zone.

b.     On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 1.1.1.2/24.

c.     Use the default settings for other parameters.

d.     Click OK.

# Add GE 1/0/2 to the Trust security zone and set its IP address to 2.2.2.2/24 in the same way you configure GE 1/0/1.

2.     Configure settings for routing:

This example configures static routes.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, configure a static IPv4 route to reach 40.1.1.1:

a.     Enter destination IP address 40.1.1.1.

b.     Enter mask length 24.

c.     Enter next hop address 1.1.1.3.

d.     Use the default settings for other parameters.

e.     Click OK.

# Configure a static IPv4 route to reach 20.2.2.2:

a.     Enter destination IP address 20.2.2.2.

b.     Enter mask length 24.

c.     Enter next hop address 2.2.2.3.

d.     Use the default settings for other parameters.

e.     Click OK.

3.     Create security policies:

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create, and then click Create a policy.

# In the dialog box that opens, configure a security policy named untrust-local to permit the specified traffic from the Untrust to Local security zones:

¡     Enter policy name untrust-local.

¡     Select source zone Untrust.

¡     Select destination zone Local.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 address 40.1.1.1.

¡     Select destination IPv4 address 1.1.1.2.

¡     Use the default settings for other parameters.

# Click OK.

# Create security policy local-trust to permit the specified traffic from the Local to Trust security zones:

¡     Enter policy name local-trust.

¡     Select source zone Local.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IPv4 address 2.2.2.2.

¡     Select destination IPv4 address 20.2.2.2.

¡     Use the default settings for other parameters.

# Click OK.

4.     Configure the SSL VPN gateway:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN Gateways.

# Click Create.

# Create an SSL VPN gateway as shown in Figure 33, and then click OK.

Figure 31 Creating an SSL VPN gateway

 

5.     Configure an SSL VPN context:

# On the top navigation bar, click Network.

# From the navigation pane, select SSL VPN > SSL VPN Contexts.

# Click Create.

# Configure the basic settings for the SSL VPN context as shown in Figure 34, and then click Next.

Figure 32 Creating an SSL VPN context

 

# Configure authentication settings, as shown in Figure 35, and then click Next.

Figure 33 Configuring authentication settings

 

# On the URI ACL page, click Next.

# On the Access services page, select TCP access and click Next.

# On the TCP access page, click Create in the Port Forwarding Item area.

# Create a port forwarding item named pfitem as shown in Figure 36, and then click OK.

Figure 34 Creating a port forwarding item

 

# Click Create in the Port Forwarding List area.

# Create a port forwarding list named pflist and assign port forwarding item pfitem to it, as shown in Figure 37.

Figure 35 Configuring TCP access resources

 

# Click Next on the Shortcuts page.

# On the Resource groups page, click Create.

# Create a resource group named resourcegrp and select port forwarding list pflist from the TCP resources list, as shown in Figure 38.

Figure 36 Creating an SSL VPN resource group

 

# Click OK.

The newly created resource group is displayed on the Resource groups page, as shown in Figure 39.

Figure 37 Resource groups configuration page

 

# Click Finish.

# Select the Enable check box to enable the SSL VPN context, as shown in Figure 40.

Figure 38 Enabling the SSL VPN context

 

6.     Create an SSL VPN user:

# On the top navigation bar, click Objects.

# From the navigation pane, select User > User Management > Local Users.

# Click Create.

# Create an SSL VPN user:

a.     Set the username to user1 and password to 123456, and select SSL VPN as the available service, as shown in Figure 41.

Figure 39 Creating an SSL VPN user

 

b.     In the Authorization Attributes area, authorize the user to use SSL VPN resource group resourcegrp, as shown in Figure 42.

Figure 40 Setting the authorization attributes for the SSL VPN user

 

c.     Click OK.

Configuring the host

# Configure the IP address and gateway address settings for the host and make sure it can reach the SSL VPN gateway.

Verifying the configuration

1.     In the browser address bar of the host, enter https://1.1.1.2 and press Enter to open the domain list page.

Figure 41 Domain list page

 

2.     Select domaintcp to access the login page.

3.     On the login page, enter username user1 and password 123456, and then click Login.

Figure 42 Login page

 

The SSL VPN home page opens, displaying the TCP resources the user can access in the TCP Resource area.

Figure 43 Accessible TCP resources

 

4.     Click START to start the TCP client application.

You cannot start the TCP client application by double-clicking it.

5.     Telnet to local address 127.0.0.1 and local port 2323 to access the server.

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become A Partner
  • Partner Policy & Program
  • Global Learning
  • Partner Sales Resources
  • Partner Business Management
  • Service Business
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网