SSL VPN commands
The following compatibility matrix shows the support of hardware platforms for SSL VPN:
Hardware platform | Module type | SSL VPN compatibility |
---|---|---|
M9006 M9010 M9014 | Blade IV firewall module | Yes |
M9006 M9010 M9014 | Blade V firewall module | Yes |
M9006 M9010 M9014 | NAT module | No |
M9010-GM | Encryption module | Yes |
M9016-V | Blade V firewall module | Yes |
M9008-S M9012-S | Blade IV firewall module | Yes |
M9008-S M9012-S | Intrusion prevention service (IPS) module | Yes |
M9008-S M9012-S | Video network gateway module | Yes |
M9008-S-V | Blade IV firewall module | Yes |
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 | Blade V firewall module | Yes |
M9000-AK001 | Blade V firewall module | Yes |
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 | Blade VI firewall module | Yes |
M9000-AI-X06 M9000-AI-X10 | Blade VI firewall module | Yes |
Non-default vSystems do not support some of the SSL VPN commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.
aaa domain
Use aaa domain to specify an ISP domain for authentication, authorization, and accounting of SSL VPN users in an SSL VPN context.
Use undo aaa domain to restore the default.
Syntax
aaa domain domain-name
undo aaa domain
Default
The default ISP domain is used for authentication, authorization, and accounting of SSL VPN users in an SSL VPN context.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:
· The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
· The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.
Usage guidelines
An SSL VPN username cannot carry ISP domain information. After this command is executed, an SSL VPN gateway uses the specified ISP domain for authentication, authorization, and accounting of SSL VPN users in the context.
Examples
# Specify ISP domain myserver for authentication, authorization, and accounting of SSL VPN users in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] aaa domain myserver
access-deny-client
Use access-deny-client to configure the client types that are denied access to the SSL VPN.
Use undo access-deny-client to restore SSL VPN access permissions of the denied client types.
Syntax
access-deny-client { browser | mobile-inode | pc-inode } *
undo access-deny-client { browser | mobile-inode | pc-inode } *
Default
No client types are denied access to the SSL VPN.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
browser: Specifies browsers.
mobile-inode: Specifies mobile iNode clients.
pc-inode: Specifies PC iNode clients.
Usage guidelines
Non-default vSystems do not support this command.
To prevent users from logging in to the SSL VPN gateway with certain types of client software, use this command to specify the denied SSL VPN client software types.
After browsers are denied, neither existing users nor new users can use browsers to access the SSL VPN gateway. After browser access is restored, users must refresh the login page to log in. Denying other client types takes effect only on new users; existing users are not affected.
In the same SSL VPN context, if you execute this command multiple times, all the specified client types take effect.
Examples
# In SSL VPN context ctx, specify the denied SSL VPN client type as browser.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] access-deny-client browser
authentication server-type
Use authentication server-type to specify the authentication server type.
Use undo authentication server-type to restore the default.
Syntax
authentication server-type { aaa | custom }
undo authentication server-type
Default
The SSL VPN authentication server is an AAA authentication server.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
aaa: Specifies the AAA authentication server.
custom: Specifies the custom authentication server.
Usage guidelines
Non-default vSystems do not support this command.
If you use a custom authentication server, you must also configure custom authentication settings, such as the URL of the custom authentication server and custom authentication HTTP request and response settings.
If you use an AAA authentication server, you must configure the AAA server. For more information about AAA server configuration, see Security Configuration Guide.
Examples
# Specify the authentication server type as custom authentication server in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] authentication server-type custom
Related commands
custom-authentication request-header-field
custom-authentication request-method
custom-authentication request-template
custom-authentication response-custom-template
custom-authentication response-field
custom-authentication response-format
custom-authentication response-success-value
custom-authentication timeout
custom-authentication url
authentication use
Use authentication use to specify the authentication methods required for user login.
Use undo authentication use to restore the default.
Syntax
authentication use { all | any-one }
undo authentication use
Default
To log in to an SSL VPN context, a user must pass all the authentication methods enabled for the context.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
all: Uses all enabled authentication methods.
any-one: Uses any enabled authentication method.
Usage guidelines
You can enable username/password authentication, certificate authentication, or both for an SSL VPN context. The authentication methods required for logging in to the SSL VPN context depend on the configuration of this command:
· If the authentication use all command is configured, a user must pass all the enabled authentication methods for login.
· If the authentication use any-one command is configured, a user can log in after passing any enabled authentication method.
Examples
# Configure SSL VPN context ctx to allow users to log in after passing any enabled authentication method.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] authentication use any-one
Related commands
certificate-authentication enable
display sslvpn context
password-authentication enable
bandwidth
Use bandwidth to set the expected bandwidth for an interface.
Use undo bandwidth to restore the default.
Syntax
bandwidth bandwidth-value
undo bandwidth
Default
The expected bandwidth is 64 kbps for an interface.
Views
SSL VPN AC interface view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
bandwidth-value: Specifies the expected bandwidth in the range of 1 to 400000000 kbps.
Usage guidelines
The expected bandwidth for an interface affects CBQ bandwidth and link costs in OSPF, OSPFv3, and IS-IS. For more information about CBQ bandwidth, see QoS configuration in ACL and QoS Configuration Guide. For more information about link costs, see Layer 3—IP Routing Configuration Guide.
Examples
# Set the expected bandwidth to 10000 kbps for SSL VPN AC 1000.
<Sysname> system-view
[Sysname] interface sslvpn-ac 1000
[Sysname-SSLVPN-AC1000] bandwidth 10000
certificate username-attribute
Use certificate username-attribute to specify the certificate attribute as the SSL VPN username.
Use undo certificate username-attribute to restore the default.
Syntax
certificate username-attribute { cn | email-prefix | oid extern-id }
undo certificate username-attribute
Default
The device uses the value of the CN attribute in the subject of the user certificate as the SSL VPN username.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
cn: Specifies the CN attribute value in the subject of the user certificate as the SSL VPN username.
email-prefix: Specifies the string before the at sign (@) of the email address in the subject of the user certificate as the SSL VPN username.
oid extern-id: Specifies a user certificate attribute by its OID. The value of the attribute will be used as the SSL VPN username. The extern-id argument represents the OID, which is an object identifier in dotted decimal notation.
Usage guidelines
The SSL VPN username specified by this command takes effect only after you execute the certificate-authentication enable command.
Examples
# Use the value of the attribute whose OID is 1.1.1.1 in the user certificate as the SSL VPN username.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] certificate username-attribute oid 1.1.1.1
Related commands
certificate-authentication enable
certificate-authentication enable
Use certificate-authentication enable to enable certificate authentication.
Use undo certificate-authentication enable to disable certificate authentication.
Syntax
certificate-authentication enable
undo certificate-authentication enable
Default
Certificate authentication is disabled.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
After you enable certificate authentication, you must also execute the client-verify command in SSL server policy view. The SSL VPN gateway uses the digital certificate sent by an SSL VPN client to authenticate the client's identity. If the client's username and the username in the digital certificate are not the same, the client cannot log in to the SSL VPN gateway.
Examples
# Enable certificate authentication.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] certificate-authentication enable
Related commands
client-verify enable
client-verify optional
content-type
Use content-type to configure a file policy to rewrite a file in an HTTP response to a specific type of file.
Use undo content-type to restore the default.
Syntax
content-type { css | html | javascript | other }
undo content-type
Default
A file policy rewrites a file carried in an HTTP response to a file of the type indicated by the content-type field in the HTTP response.
Views
File policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
css: Changes the file type to CSS.
html: Changes the file type to HTML.
javascript: Changes the file type to JavaScript.
other: Does not change the file type.
Usage guidelines
A file policy rewrites a file carried in an HTTP response to a file of the type specified by this command. If the specified file type is different from that indicated by the content-type field in the HTTP response, users might not be able to read the file correctly.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure file policy fp to rewrite files to HTML files.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] file-policy fp
[Sysname-sslvpn-context-ctx-file-policy-fp] content-type html
country-code
Use country-code to specify the mobile country code.
Use undo country-code to restore the default.
Syntax
country-code country-code
undo country-code
Default
The country code is 86.
Views
SMS gateway authentication view
Predefined user roles
network-admin
context-admin
Parameters
country-code: Specifies the country code, a string of 1 to 7 digits.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Set the country code to 86 in SMS gateway authentication view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] sms-auth sms-gw
[Sysname-sslvpn-context-ctx1-sms-auth-sms-gw] country-code 86
custom-authentication request-header-field
Use custom-authentication request-header-field to configure an HTTP request header field for custom authentication.
Use undo custom-authentication request-header-field to remove the configuration of an HTTP request header field for custom authentication.
Syntax
custom-authentication request-header-field field-name value value
undo custom-authentication request-header-field field-name
Default
A custom authentication request header includes the following fields:
· Content-type:application/x-www-form-urlencoded.
· User-Agent:nodejs 4.1.
· Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
field-name: Specifies a request header field name, a case-insensitive string of 1 to 63 characters. The name cannot include the following characters:
· ()<>@,;:\"/[]?={}
· Spaces.
· Horizontal tabs.
· ASCII characters with codes ≤ 31 or ≥ 127.
value value: Specifies the value of the request header field, a string of 1 to 255 characters, which cannot contain question mark (?) metacharacters.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to configure HTTP request header fields sent to the custom authentication server. Perform this configuration after the custom authentication server is specified by using the authentication server-type custom command. To have the configuration take effect, you must also configure other custom authentication request settings, such as the HTTP request method and the request template.
Execute this command multiple times to configure multiple HTTP request header fields. For the same field, the most recent configuration takes effect.
Examples
# Specify the host field as 192.168.56.2:8080 in the HTTP request header for custom authentication in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] custom-authentication request-header-field host value 192.168.56.2:8080
Related commands
authentication server-type
custom-authentication request-method
custom-authentication request-template
custom-authentication url
custom-authentication request-method
Use custom-authentication request-method to configure the HTTP request method for custom authentication.
Use undo custom-authentication request-method to restore the default.
Syntax
custom-authentication request-method { get | post }
undo custom-authentication request-method
Default
The HTTP request method is GET.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
get: Specifies the GET method.
post: Specifies the POST method.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to configure the HTTP request method for authentication requests sent to the custom authentication server. Perform this configuration after the custom authentication server is specified by using the authentication server-type custom command. To have the configuration take effect, you must also configure other custom authentication request settings, such as the HTTP request header fields and the request template.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the POST request method for custom authentication in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] custom-authentication request-method post
Related commands
custom-authentication request-template
custom-authentication url
custom-authentication request-template
Use custom-authentication request-template to configure the request template for custom authentication.
Use undo custom-authentication request-template to restore the default.
Syntax
custom-authentication request-template template
undo custom-authentication request-template
Default
No request template is configured for custom authentication.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
template: Specifies the request template through which the SSL VPN gateway sends username and password information to the custom authentication server. The template is a case-insensitive string of 1 to 255 characters.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to configure the HTTP request template through which the SSL VPN gateway sends the username and password to the custom authentication server. Perform this configuration after the custom authentication server is specified by the authentication server-type custom command. To have the configuration take effect, you must also configure other custom authentication request settings, such as the HTTP request header fields and the request method.
If you execute this command multiple times, the most recent configuration takes effect.
This command supports the following request template formats:
· Form format for the POST and GET methods: username=$$USERNAME$$&password=$$PASSWORD_MD5$$&resid=1234.
· JSON type for the POST method: {"name":"$$USERNAME$$","password":"$$PASSWORD$$","resid":"1234"}.
· XML type for the GET method: <uname>$$USERNAME$$</uname><psw>$$PASSWORD$$</psw>.
The USERNAME, PASSWORD, and PASSWORD_MD5 between $$ pairs in the request templates are variables. The PASSWORD_MD5 represents a password encrypted by MD5. When a user logs in to the SSL VPN gateway, the gateway replaces these variables with the login username and password. Then, the SSL VPN gateway sends the authentication request to the custom authentication server.
Examples
# Configure the custom authentication HTTP request template as username=$$USERNAME$$&password=$$PASSWORD_MD5$$&resid=1952252223973828 in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] custom-authentication request-template username=$$USERNAME$$&password=$$PASSWORD_MD5$$&resid=1952252223973828
Related commands
authentication server-type
custom-authentication request-template
custom-authentication url
custom-authentication response-custom-template
Use custom-authentication response-custom-template to configure response templates for the fields in the HTTP response for custom authentication.
Use undo custom-authentication response-custom-template to restore the default.
Syntax
custom-authentication response-custom-template { group | message | result } template
undo custom-authentication response-custom-template { group | message | result }
Default
No response templates are configured for custom authentication.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
group: Specifies the group field in the authentication response.
message: Specifies the message field in the authentication response.
result: Specifies the result field in the authentication response.
template: Specifies the content of the response template for the specified field. The template is a case-insensitive string of 1 to 63 characters.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to configure the response templates for the device to identify the fields in a custom-format authentication response. Perform this configuration after the custom authentication server is specified by using the authentication server-type custom command. This configuration is applicable when the HTTP response format is custom. When you configure response templates, the response template for the result field is required.
When you configure a response template for a field, follow these restrictions and guidelines:
· A response template for a field must contain $$value$$.
¡ The value keyword represents the field value in the response.
¡ The pairs of dollar signs ($$) are used to identify the start and end of the field in a response. The device considers the content before the first $$ the start identifier and that after the second $$ the end identifier for parsing the field of the response.
· Make sure the contents before and after $$value$$ in the response template are consistent with those before and after the field value in the response from the authentication server.
Here is an example. Assume that the result field information in the response from the authentication server is auth-result=true,. You must configure the response template for the result field as auth-result=$$value$$,. The contents before and after $$value$$ are auth-result= and a comma (,), which are the same as those before and after true, respectively. Then, the device can use the auth-result=$$value$$, template to correctly identify and parse the result field in the authentication response.
Examples
# Configure the response templates in SSL VPN context ctx1 as result=$$value$$,company=$$value$$,message=$$value$$.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] custom-authentication response-custom-template result result=$$value$$,
[Sysname-sslvpn-context-ctx1] custom-authentication response-custom-template group company=$$value$$,
[Sysname-sslvpn-context-ctx1] custom-authentication response-custom-template message message=$$value$$
Related commands
authentication server-type
custom-authentication response-format
custom-authentication response-success-value
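As an added illustration (not code from this reference or from the gateway itself), the following Python models the three template mechanisms described above: $$USERNAME$$/$$PASSWORD$$/$$PASSWORD_MD5$$ substitution in the request template, $$value$$ start/end identifier parsing of a custom-format response, and field-name lookup in a JSON response, with the result compared to the configured success value. The lowercase hex MD5 encoding, case-insensitive comparisons, the treatment of an empty end identifier, and all sample requests and responses are assumptions or constructed data.

```python
"""Model of the SSL VPN custom-authentication templates (constructed example)."""
import hashlib
import json
from typing import Dict, Optional


def password_md5(password: str) -> str:
    # Assumption: $$PASSWORD_MD5$$ is the lowercase hex MD5 digest of the password.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_request_body(template: str, username: str, password: str) -> str:
    """Replace the $$USERNAME$$, $$PASSWORD$$ and $$PASSWORD_MD5$$ variables.
    Values are inserted verbatim (no URL or JSON escaping); the username is
    substituted last so a variable name inside it is not expanded."""
    body = template.replace("$$PASSWORD_MD5$$", password_md5(password))
    body = body.replace("$$PASSWORD$$", password)
    return body.replace("$$USERNAME$$", username)


def parse_custom_field(template: str, response: str) -> Optional[str]:
    """Extract one field from a custom-format response.
    The text before $$value$$ is the start identifier and the text after it is
    the end identifier: 'auth-result=$$value$$,' on 'auth-result=true,' -> 'true'.
    Returns None when either identifier is missing from the response."""
    if template.count("$$value$$") != 1:
        raise ValueError("a response template must contain exactly one $$value$$")
    start_id, end_id = template.split("$$value$$")
    start = response.find(start_id)
    if start < 0:
        return None
    start += len(start_id)
    if end_id == "":
        # Assumption: an empty end identifier means the field runs to the end.
        return response[start:]
    end = response.find(end_id, start)
    return None if end < 0 else response[start:end]


def decide(result: Optional[str], success_value: str) -> bool:
    """Login succeeds only when the result field equals the configured
    success value (documented as a case-insensitive string)."""
    return result is not None and result.lower() == success_value.lower()


def evaluate_custom_response(response: str, templates: Dict[str, str],
                             success_value: str) -> dict:
    """templates maps 'result' (required), 'group' and 'message' to their
    $$value$$ templates, as set with response-custom-template."""
    if "result" not in templates:
        raise ValueError("the response template for the result field is required")
    fields = {name: parse_custom_field(tpl, response) for name, tpl in templates.items()}
    return {"success": decide(fields["result"], success_value),
            "group": fields.get("group"), "message": fields.get("message")}


def evaluate_json_response(response: str, field_names: Dict[str, str],
                           success_value: str) -> dict:
    """field_names maps 'result' (required), 'group' and 'message' to the JSON
    keys set with response-field. Keys are matched case-insensitively
    (assumption based on the documented case-insensitive field names)."""
    if "result" not in field_names:
        raise ValueError("the result field name is required")
    try:
        data = json.loads(response)
    except ValueError:
        data = {}
    lowered = {str(k).lower(): v for k, v in data.items()} if isinstance(data, dict) else {}
    fields = {name: lowered.get(key.lower()) for name, key in field_names.items()}
    result = fields["result"]
    return {"success": decide(None if result is None else str(result), success_value),
            "group": fields.get("group"), "message": fields.get("message")}


# Constructed sample exchange using the templates shown in this reference.
REQUEST_TEMPLATE = "username=$$USERNAME$$&password=$$PASSWORD_MD5$$&resid=1234"
CUSTOM_TEMPLATES = {"result": "result=$$value$$,", "group": "company=$$value$$,",
                    "message": "message=$$value$$"}
SAMPLE_CUSTOM_OK = "result=true,company=sales,message=login ok"
SAMPLE_CUSTOM_FAIL = "result=false,company=,message=bad password"
JSON_FIELDS = {"result": "result", "group": "company", "message": "resultDescription"}
SAMPLE_JSON_OK = '{"result": "true", "company": "sales", "resultDescription": "ok"}'

if __name__ == "__main__":
    print(build_request_body(REQUEST_TEMPLATE, "alice", "s3cret"))
    print(evaluate_custom_response(SAMPLE_CUSTOM_OK, CUSTOM_TEMPLATES, "true"))
    print(evaluate_custom_response(SAMPLE_CUSTOM_FAIL, CUSTOM_TEMPLATES, "true"))
    print(evaluate_json_response(SAMPLE_JSON_OK, JSON_FIELDS, "true"))
```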
custom-authentication response-field
Use custom-authentication response-field to configure a field name in the HTTP response for custom authentication.
Use undo custom-authentication response-field to restore the default.
Syntax
custom-authentication response-field { group group | message message | result result }
undo custom-authentication response-field { group | message | result }
Default
No HTTP response field names are configured.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
group group: Specifies the name of the policy group field in the HTTP response, a case-insensitive string of 1 to 31 characters. In the authentication response, the value following the group argument represents the policy groups authorized to the user.
message message: Specifies the name of the message field in the HTTP response, a case-insensitive string of 1 to 31 characters. In the authentication response, the value following the message argument represents the authentication prompt.
result result: Specifies the name of the result field in the HTTP response, a case-insensitive string of 1 to 31 characters. In the authentication response, the value following the result argument represents the authentication result.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to configure the names of the fields in the HTTP response. Perform this configuration after the custom authentication server is specified by using the authentication server-type custom command. This configuration is applicable when the HTTP response format is JSON or XML. When you configure HTTP response field names, the result field name is required.
The device uses the configured field names to parse the HTTP response returned from the custom authentication server, as follows:
· If you specify the policy group field name, the SSL VPN gateway uses the specified name to identify the policy group field in the response. For example, if the policy group field name is specified as company, the device uses the value following company in the response as the server-authorized policy group.
The policy group finally assigned to the user is determined as follows:
¡ If the SSL VPN context has the server-authorized policy group configured, the gateway assigns the authorized policy group to the user.
¡ If the SSL VPN context has no such policy group, or the server does not authorize a policy group, the gateway assigns the default policy group to the user.
· If you specify the message field name, the SSL VPN gateway uses the specified name to identify the authentication result message in the response. The message indicates the authentication result, such as authentication success or failure.
· If you specify the result field name, the SSL VPN gateway uses the specified name to identify the authentication result value in the response. The gateway then determines the authentication result based on the configured authentication success value (see the custom-authentication response-success-value command).
If you execute this command multiple times for a field, the most recent configuration takes effect.
Examples
# Specify the group field name as company and the message field name as resultDescription in the custom authentication response for SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] custom-authentication response-field group company
[Sysname-sslvpn-context-ctx1] custom-authentication response-field message resultDescription
Related commands
authentication server-type
custom-authentication response-format
Use custom-authentication response-format to specify the HTTP response format for custom authentication.
Use undo custom-authentication response-format to restore the default.
Syntax
custom-authentication response-format { custom | json | xml }
undo custom-authentication response-format
Default
The HTTP response format for custom authentication is JSON.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
custom: Specifies the custom response format.
json: Specifies the JSON format.
xml: Specifies the XML format.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to configure the HTTP response format for custom authentication after the custom authentication server is specified by using the authentication server-type custom command. After you specify the HTTP response format, you must also configure corresponding HTTP response settings (such as the HTTP response templates and field names) for the specified format.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the HTTP response format as JSON in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] custom-authentication response-format json
Related commands
authentication server-type
custom-authentication response-custom-template
custom-authentication response-success-value
Use custom-authentication response-success-value to configure the authentication success value in the HTTP response for custom authentication.
Use undo custom-authentication response-success-value to restore the default.
Syntax
custom-authentication response-success-value success-value
undo custom-authentication response-success-value
Default
No authentication success value is configured for custom authentication.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
success-value: Specifies the value that represents the authentication success result, a case-insensitive string of 1 to 31 characters.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to configure the authentication success value in the HTTP response. Perform this configuration after the custom authentication server is specified by using the authentication server-type custom command. To have the configuration take effect, you must also configure other custom authentication settings, such as specifying the result field name in the HTTP response.
The SSL VPN gateway considers the user authentication successful only when the value of the result field in the custom authentication response is the value specified by this command.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the authentication success value as true in the custom authentication response for SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] custom-authentication response-success-value true
Related commands
authentication server-type
custom-authentication response-field
custom-authentication timeout
Use custom-authentication timeout to specify the custom authentication timeout.
Use undo custom-authentication timeout to restore the default.
Syntax
custom-authentication timeout seconds
undo custom-authentication timeout
Default
The custom authentication timeout is 15 seconds.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
seconds: Specifies the custom authentication timeout, in the range of 5 to 50 seconds.
Usage guidelines
Non-default vSystems do not support this command.
After sending an HTTP request to the custom authentication server, the SSL VPN gateway waits for a response from the server. If the gateway receives no response within the authentication timeout, it returns an authentication failure message to the SSL VPN client.
Examples
# Specify the custom authentication timeout as 20 seconds in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] custom-authentication timeout 20
Related commands
authentication server-type
custom-authentication url
Use custom-authentication url to configure the URL of the custom authentication server.
Use undo custom-authentication url to restore the default.
Syntax
custom-authentication url url
undo custom-authentication url
Default
No URL is configured for the custom authentication server.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
url: Specifies the URL of the authentication server in an HTTP request sent by the SSL VPN gateway to the custom authentication server. The URL is a case-insensitive string of 1 to 255 characters, and it cannot contain question mark (?) metacharacters.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to configure the URL of the custom authentication server after the custom authentication server is specified by the authentication server-type custom command. To have the configuration take effect, you must also configure other custom authentication settings, such as the HTTP request header fields, request method, and request template.
A URL consists of the protocol type, host name or address, port number, and resource path. The complete URL format is protocol type://host name or address:port number/resource path. The protocol type currently supports only HTTP and HTTPS. If not specified, the protocol type is HTTP by default. If the URL contains an IPv6 address, enclose the IPv6 address in brackets, for example, https://[1234::5678]:8080.
If you execute this command multiple times, the most recent configuration takes effect.
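The URL rules above can be checked before the command is entered. The Python below is an added example written for this page, not code from the product or its documentation. It parses a candidate URL the way the rules describe (HTTP or HTTPS only, HTTP assumed when the scheme is absent, an IPv6 literal in brackets, no question mark, 1 to 255 characters) and flags a plain http:// URL: the request the gateway sends to this URL carries whatever the request template puts in it, normally the user's credentials, and over HTTP that leaves the gateway in cleartext. The default ports, the returned dictionary layout and the review messages are the example's own choices, not product behaviour.

```python
import ipaddress
import re

# Grammar as the command reference states it: [scheme://]host[:port][/path]
# scheme is http or https (http when absent), an IPv6 literal must be in [],
# and the whole string must not contain "?". The regex is this example's own.
_URL_RE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*)://)?"
    r"(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[^/:\[\]\s]+))"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/[^\s]*)?$"
)
# Assumed defaults when no port is given; the page does not state them.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_custom_auth_url(url: str) -> dict:
    """Validate a custom-authentication URL and split it into components.

    Raises ValueError with a reason when the string would be rejected.
    "plaintext" is True for http://, the setting a reviewer should question.
    """
    if not 1 <= len(url) <= 255:
        raise ValueError("URL must be 1 to 255 characters")
    if "?" in url:
        raise ValueError("URL must not contain '?'")
    m = _URL_RE.match(url)
    if m is None:
        raise ValueError("URL is not scheme://host[:port][/path] (IPv6 needs [])")
    scheme = (m.group("scheme") or "http").lower()
    if scheme not in _DEFAULT_PORTS:
        raise ValueError("only HTTP and HTTPS are supported")
    if m.group("v6") is not None:
        # IPv6Address raises ValueError on a malformed literal.
        host = str(ipaddress.IPv6Address(m.group("v6")))
    else:
        host = m.group("host").lower()
    port = int(m.group("port")) if m.group("port") else _DEFAULT_PORTS[scheme]
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return {
        "scheme": scheme,
        "host": host,
        "port": port,
        "path": m.group("path") or "/",
        "plaintext": scheme == "http",
    }


def review_custom_auth_url(url: str) -> list:
    """Return review findings for a URL; an empty list means nothing to flag."""
    try:
        parsed = parse_custom_auth_url(url)
    except ValueError as exc:
        return [f"rejected: {exc}"]
    findings = []
    if parsed["plaintext"]:
        findings.append(
            "credentials would reach the custom authentication server over cleartext HTTP"
        )
    return findings


if __name__ == "__main__":
    for candidate in (
        "https://192.168.56.2:8080/register/user/checkUserAndPwd",  # from the page
        "https://[1234::5678]:8080",                                 # from the page
        "auth.example.com/login",                                    # constructed
        "https://1234::5678:8080/x",                                 # constructed, bad
    ):
        print(candidate, "->", review_custom_auth_url(candidate) or "ok")
```

Run it before pasting a URL into custom-authentication url; a URL it rejects is one the device will also refuse, and a URL it flags as plaintext is one the gateway will dutifully accept.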
Examples
# Configure the URL of the custom authentication server in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] custom-authentication url https://192.168.56.2:8080/register/user/checkUserAndPwd
Related commands
authentication server-type
custom-authentication request-method
custom-authentication request-template
default
Use default to restore the default settings for an SSL VPN AC interface.
Syntax
default
Views
SSL VPN AC interface view
Predefined user roles
network-admin
context-admin
Usage guidelines
CAUTION: The default command might interrupt ongoing network services. Make sure you are fully aware of the impact of this command when you use it on a live network.
Non-default vSystems do not support this command.
This command might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands. Use their undo forms or follow the command reference to restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.
Examples
# Restore the default settings of sslvpn-ac 1000.
<Sysname> system-view
[Sysname] interface sslvpn-ac 1000
[Sysname-SSLVPN-AC1000] default
This command will restore the default settings. Continue? [Y/N]:y
default-policy-group
Use default-policy-group to specify a policy group as the default policy group.
Use undo default-policy-group to restore the default.
Syntax
default-policy-group group-name
undo default-policy-group
Default
No policy group is specified as the default policy group.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
group-name: Specifies a policy group by its name, a case-insensitive string of 1 to 31 characters. The specified policy group must have been created.
Usage guidelines
You can configure multiple policy groups for an SSL VPN context. When a remote user accesses the SSL VPN context, the AAA server issues the authorized policy group to the associated SSL VPN gateway. The user can access only the resources allowed by the authorized policy group. If the AAA server does not issue an authorized policy group to the user, the user can access only the resources allowed by the default policy group.
Examples
# Specify policy group pg1 as the default policy group.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] quit
[Sysname-sslvpn-context-ctx1] default-policy-group pg1
Related commands
display sslvpn context
policy-group
description (shortcut view)
Use description to configure a description for a shortcut.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for a shortcut.
Views
Shortcut view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 63 characters.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure a description for shortcut shortcut1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] shortcut shortcut1
[Sysname-sslvpn-context-ctx1-shortcut-shortcut1] description shortcut1
description (SSL VPN AC interface view)
Use description to configure the description of an interface.
Use undo description to restore the default.
Syntax
description text
undo description
Default
The default description of an interface is the interface name followed by Interface, for example, SSLVPN-AC1000 Interface.
Views
SSL VPN AC interface view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 255 characters.
Usage guidelines
Configure descriptions for interfaces for identification and management purposes.
You can use the display interface command to display the configured interface descriptions.
Examples
# Configure a description of SSL VPN A for SSL VPN AC 1000.
<Sysname> system-view
[Sysname] interface sslvpn-ac 1000
[Sysname-SSLVPN-AC1000] description SSL VPN A
display interface sslvpn-ac
Use display interface sslvpn-ac to display SSL VPN AC interface information.
Syntax
display interface [ sslvpn-ac [ interface-number ] ] [ brief [ description | down ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
sslvpn-ac [ interface-number ]: Specifies an SSL VPN AC interface by its number in the range of 0 to 4095. If you do not specify the sslvpn-ac keyword, this command displays information about all interfaces except virtual access (VA) interfaces. If you specify the sslvpn-ac keyword without the interface-number argument, this command displays information about all SSL VPN AC interfaces. For more information about VA interfaces, see PPP configuration in PPP and PPPoE Configuration Guide.
brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.
description: Displays complete interface descriptions. If you do not specify this keyword, the command displays only the first 27 characters of interface descriptions.
down: Displays information about interfaces in the physical state of DOWN and the causes. If you do not specify this keyword, the command displays information about interfaces in all states.
Examples
# Display detailed information about SSL VPN AC 1000.
<Sysname> display interface sslvpn-ac 1000
SSLVPN-AC1000
Current state: UP
Line protocol state: DOWN
Description: SSLVPN-AC1000 Interface
Bandwidth: 64kbps
Maximum transmission unit: 1500
Internet protocol processing: Disabled
Link layer protocol is SSLVPN
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
Table 1 Command output
Field |
Description |
SSLVPN-AC1000 |
Information about interface SSL VPN AC 1000. |
Current state |
Physical link state of the interface: · Administratively DOWN—The interface has been shut down by using the shutdown command. · DOWN—The interface is administratively up, but its physical state is down (possibly because no physical link exists or the link has failed). · UP—The interface is both administratively and physically up. |
Line protocol state |
Data link layer state of the interface. The state is determined through automatic parameter negotiation at the data link layer. · UP—The data link layer protocol is up. · UP (spoofing)—The data link layer protocol is up, but the link is an on-demand link or does not exist. This attribute is typical of null interfaces and loopback interfaces. · DOWN—The data link layer protocol is down. |
Description |
Description of the interface. |
Bandwidth |
Expected bandwidth of the interface. |
Maximum transmission unit |
MTU of the interface. |
Internet protocol processing: Disabled |
The interface is not assigned an IP address and cannot process IP packets. |
Internet address: ip-address/mask-length (Type) |
IP address of the interface and type of the address in parentheses. Possible IP address types include: Primary—Manually configured primary IP address. |
Last clearing of counters |
Most recent time the counters were cleared by using the reset counters interface command. If the reset counters interface command has never been executed since the device starts up, this field displays Never. |
Last 300 seconds input rate |
Average input rate in the last 300 seconds. |
Last 300 seconds output rate |
Average output rate in the last 300 seconds. |
# Display brief information about all SSL VPN AC interfaces.
<Sysname> display interface sslvpn-ac brief
Brief information of interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
SSLVPN-AC1000 UP DOWN --
# Display brief information about SSL VPN AC 1000, including the complete interface description.
<Sysname> display interface sslvpn-ac 1000 brief description
Brief information of interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
SSLVPN-AC1000 UP UP 1.1.1.1 SSLVPN-AC1000 Interface
# Display information about interfaces in DOWN state and the causes.
<Sysname> display interface sslvpn-ac brief down
Brief information of interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Interface Link Cause
SSLVPN-AC1000 ADM
SSLVPN-AC1001 ADM
Table 2 Command output
Field |
Description |
Brief information of interfaces in route mode: |
Brief information about Layer 3 interfaces. |
Interface |
Abbreviated interface name. |
Link |
Physical link state of the interface: · UP—The interface is physically up. · DOWN—The interface is physically down. · ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. · Stby—The interface is a backup interface in standby state. |
Protocol |
Data link layer protocol state of the interface: · UP—The data link layer protocol of the interface is up. · UP(s)—The data link layer protocol of the interface is up, but the link is an on-demand link or does not exist. The (s) attribute represents the spoofing flag. This value is typical of null interfaces and loopback interfaces. · DOWN—The data link layer protocol of the interface is down. |
Primary IP |
Primary IP address of the interface. |
Description |
Description of the interface. |
Cause |
Cause for the physical link state of an interface to be DOWN: · Administratively—The interface has been manually shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. · Not connected—No physical connection exists (possibly because the network cable is disconnected or faulty). |
Related commands
reset counters interface
display sslvpn context
Use display sslvpn context to display SSL VPN context information.
Syntax
display sslvpn context [ brief | name context-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
brief: Displays brief SSL VPN context information. If you do not specify this keyword, the command displays detailed SSL VPN context information.
name context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays information about all SSL VPN contexts.
Examples
# Display detailed information about all SSL VPN contexts.
<Sysname> display sslvpn context
Context name: ctx1
Operation state: Up
AAA domain: domain1
Certificate authentication: Enabled
Certificate username-attribute: CN
Password authentication: Enabled
Authentication use: All
Authentication server-type: aaa
SMS auth type: iMC
Code verification: Disabled
Default policy group: Not configured
Associated SSL VPN gateway: gw1
Domain name: 1
Associated SSL VPN gateway: gw2
Virtual host: example.com
Associated SSL VPN gateway: gw3
SSL client policy configured: ssl1
SSL client policy in use: ssl
Maximum users allowed: 200
VPN instance: vpn1
Idle timeout: 30 min
Idle-cut traffic threshold: 100 Kilobytes
Password changing: Disabled
Context name: ctx2
Operation state: Down
Down reason: Administratively down
AAA domain not specified
Certificate authentication: Enabled
Certificate username-attribute: OID(2.5.4.10)
Password authentication: Disabled
Authentication use: Any-one
Authentication server-type: custom
SMS auth type: sms-gw
Code verification: Disabled
Default policy group: gp
Associated SSL VPN gateway: -
SSL client policy configured: ssl1
SSL client policy in use: ssl
Maximum users allowed: 200
VPN instance not configured
Idle timeout: 50 min
Idle-cut traffic threshold: 100 Kilobytes
Password changing: Disabled
Denied client types: Browsers
Table 3 Command output
Field |
Description |
Context name |
Name of the SSL VPN context. |
Operation state |
Operation state of the SSL VPN context: · Up—The context is running. · Down—The context is not running. |
Down reason |
Causes for the Down operations status: · Administratively down—The context is disabled. To enable the context, use the service enable command. · No gateway associated—The context is not associated with an SSL VPN gateway. · Applying SSL client-policy failed—Failed to apply an SSL client policy to the context. |
AAA domain |
ISP domain for the SSL VPN context. |
Certificate authentication |
Whether certificate authentication is enabled for the SSL VPN context. |
Certificate username-attribute |
Certificate attribute whose value is used as the SSL VPN username: · CN—CN attribute in the subject of the user certificate. · Email-prefix—String before the at sign (@) of the email address in the subject of the user certificate. · OID(x.x.x.x)—Object identifier of a user certificate attribute in dotted decimal notation. This field is available only when certificate authentication is enabled. |
Password authentication |
Whether username/password authentication is enabled for the SSL VPN context. |
Authentication use |
Authentication methods required for user login: · All—A user must pass all the enabled authentication methods to log in to the SSL VPN context. · Any-one—A user can log in to the SSL VPN context after passing any enabled authentication method. |
Authentication server-type |
Authentication server types: · aaa—AAA server. · custom—Custom authentication server. |
SMS auth type |
SMS authentication types: · iMC—SMS authentication by an IMC server. · sms-gw—SMS authentication by an SMS gateway. |
Code verification |
Whether code verification is enabled for the SSL VPN context. |
Default policy group |
Default policy group used by the SSL VPN context. |
Associated SSL VPN gateway |
SSL VPN gateway associated with the SSL VPN context. |
Domain name |
Domain name specified for the SSL VPN context. |
Virtual host |
Virtual host name specified for the SSL VPN context. |
SSL client policy configured |
SSL client policy configured for the SSL VPN context. A newly configured SSL client policy takes effect only after the SSL VPN context is restarted. |
SSL client policy in use |
SSL client policy being used by the SSL VPN context. |
Maximum users allowed |
Maximum number of sessions allowed in the SSL VPN context. |
VPN instance |
VPN instance associated with the SSL VPN context. |
Idle timeout |
Maximum idle time of an SSL VPN session, in minutes. |
Idle-cut traffic threshold |
SSL VPN idle session disconnection traffic threshold. |
Password changing |
Status of the SSL VPN login password modification feature: · Enabled. · Disabled. |
Denied client types |
Denied SSL VPN client types: · Browsers. · PC-iNode. · Mobile-iNode. · Not configured. |
# Display brief information about all SSL VPN contexts.
<Sysname> display sslvpn context brief
Context name Admin Operation VPN instance Gateway Domain/VHost
ctx1 Up Up - gw1 -/1
gw2 example.com/-
gw3 -/-
ctx2 Down Down - - -/-
Table 4 Command output
Field |
Description |
Context name |
Name of the SSL VPN context. |
Admin |
Administrative status of the SSL VPN context: · Up—The context has been enabled by using the service enable command. · Down—The context is disabled. |
Operation |
Operation state of the SSL VPN context: · Up—The context is running. · Down—The context is not running. |
VPN instance |
VPN instance associated with the SSL VPN context. |
Gateway |
SSL VPN gateway associated with the SSL VPN context. |
Domain/VHost |
Domain name or virtual host name specified for the SSL VPN context. |
display sslvpn gateway
Use display sslvpn gateway to display SSL VPN gateway information.
Syntax
display sslvpn gateway [ brief | name gateway-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
brief: Displays brief SSL VPN gateway information. If you do not specify this keyword, the command displays detailed SSL VPN gateway information.
name gateway-name: Specifies an SSL VPN gateway by its name, a case-insensitive string of 1 to 31 characters that can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN gateway, this command displays information about all SSL VPN gateways.
Examples
# Display detailed information about all SSL VPN gateways.
<Sysname> display sslvpn gateway
Gateway name: gw1
Operation state: Up
IP: 192.168.10.75 Port: 443
HTTP redirect port: 80
SSL server policy configured: ssl1
SSL server policy in use: ssl
Front VPN instance: vpn1
Gateway name: gw2
Operation state: Down
Down reason: Administratively down
IP: 0.0.0.0 Port: 443
SSL server policy configured: ssl1
SSL server policy in use: ssl
Front VPN instance: Not configured
Gateway name: gw3
Operation state: Up
IPv6: 3000::2 Port: 443
SSL server policy configured: ssl1
SSL server policy in use: ssl
Front VPN instance: Not configured
Table 5 Command output
Field |
Description |
Gateway name |
Name of the SSL VPN gateway. |
Operation state |
Operation state of the SSL VPN gateway: · Up—The gateway is running. · Down—The gateway is not running. |
Down reason |
Causes for the Down operation status: · Administratively down—The SSL VPN gateway is disabled. To enable the gateway, use the service enable command. · VPN instance not exist—The VPN instance to which the SSL VPN gateway belongs does not exist. · Applying SSL server-policy failed—Failed to apply the SSL server policy to the SSL VPN gateway. |
IP |
IPv4 address of the SSL VPN gateway. |
IPv6 |
IPv6 address of the SSL VPN gateway. |
Port |
Port number of the SSL VPN gateway. |
HTTP redirect port |
HTTP redirection port number of the SSL VPN gateway. |
SSL server policy configured |
SSL server policy configured for the SSL VPN gateway. A newly configured SSL server policy takes effect only after the SSL VPN gateway is restarted. |
SSL server policy in use |
SSL server policy being used by the SSL VPN gateway. |
Front VPN instance |
Front VPN instance to which the SSL VPN gateway belongs. |
# Display brief information about all SSL VPN gateways.
<Sysname> display sslvpn gateway brief
Gateway name Admin Operation
gw1 Up Up
gw2 Down Down (Administratively down)
gw3 Up Up
Table 6 Command output
Field |
Description |
Gateway name |
Name of the SSL VPN gateway. |
Admin |
Administrative status of the SSL VPN gateway: · Up—The gateway has been enabled by using the service enable command. · Down—The gateway is disabled. |
Operation |
Operation state of the SSL VPN gateway: · Up—The gateway is running. · Down (Administratively down)—The gateway is disabled. To enable the gateway, use the service enable command. · Down (VPN instance not exist)—The gateway is down because the VPN instance to which the gateway belongs does not exist. · Down (Applying SSL server-policy failed)—The gateway is down because the SSL server policy failed to be applied to the gateway. |
display sslvpn ip-tunnel statistics
Use display sslvpn ip-tunnel statistics to display packet statistics for IP access users.
Syntax
display sslvpn ip-tunnel statistics [ context context-name ] [ user user-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_).
user user-name: Specifies an IP access user by username, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify any parameters, this command displays IP access packet statistics for all SSL VPN contexts.
If you specify only an SSL VPN context, this command displays IP access packet statistics for the specified context and for each SSL VPN user in the context.
If you specify only an SSL VPN user, this command displays IP access packet statistics for the specified user in all SSL VPN contexts.
If you specify both an SSL VPN context and a user, this command displays IP access packet statistics for the specified user in the specified context.
Examples
# Display IP access packet statistics for all SSL VPN contexts.
<Sysname> display sslvpn ip-tunnel statistics
IP-tunnel statistics in SSL VPN context ctx1:
Client:
In bytes : 125574 Out bytes : 1717349
Server:
In bytes : 1717349 Out bytes : 116186
IP-tunnel statistics in SSL VPN context ctx2:
Client:
In bytes : 521 Out bytes : 1011
Server:
In bytes : 1011 Out bytes : 498
# Display IP access packet statistics for SSL VPN context ctx1 and for each user in the context.
<Sysname> display sslvpn ip-tunnel statistics context ctx1
IP-tunnel statistics in SSL VPN context ctx1:
Client:
In bytes : 125574 Out bytes : 1717349
Server:
In bytes : 1717349 Out bytes : 116186
SSL VPN session IP-tunnel statistics:
Context : ctx1
User : user1
Session ID : 1
User IPv4 address : 192.168.56.1
Received requests : 81
Sent requests : 0
Dropped requests : 81
Received replies : 0
Sent replies : 0
Dropped replies : 0
Received keepalives : 1
Sent keepalive replies : 1
Received configuration updates: 0
Sent configuration updates : 0
Context : ctx1
User : user2
Session ID : 2
User IPv6 address : 1234::5001
Received requests : 81
Sent requests : 0
Dropped requests : 81
Received replies : 0
Sent replies : 0
Dropped replies : 0
Received keepalives : 1
Sent keepalive replies : 1
Received configuration updates: 0
Sent configuration updates : 0
# Display IP access packet statistics for user user1 in all SSL VPN contexts.
<Sysname> display sslvpn ip-tunnel statistics user user1
SSL VPN session IP-tunnel statistics:
Context : ctx1
User : user1
Session ID : 1
User IPv4 address : 192.168.56.1
Received requests : 81
Sent requests : 0
Dropped requests : 81
Received replies : 0
Sent replies : 0
Dropped replies : 0
Received keepalives : 1
Sent keepalive replies : 1
Received configuration updates: 0
Sent configuration updates : 0
Context : ctx2
User : user1
Session ID : 2
User IPv6 address : 1234::5001
Received requests : 81
Sent requests : 0
Dropped requests : 81
Received replies : 0
Sent replies : 0
Dropped replies : 0
Received keepalives : 1
Sent keepalive replies : 1
Received configuration updates: 0
Sent configuration updates : 0
# Display IP access packet statistics for user user1 in SSL VPN context ctx1.
<Sysname> display sslvpn ip-tunnel statistics context ctx1 user user1
SSL VPN session IP-tunnel statistics:
Context : ctx1
User : user1
Session ID : 1
User IPv4 address : 192.168.56.1
Received requests : 81
Sent requests : 0
Dropped requests : 81
Received replies : 0
Sent replies : 0
Dropped replies : 0
Received keepalives : 1
Sent keepalive replies : 1
Received configuration updates: 0
Sent configuration updates : 0
Context : ctx1
User : user1
Session ID : 2
User IPv6 address : 1234::5001
Received requests : 81
Sent requests : 0
Dropped requests : 81
Received replies : 0
Sent replies : 0
Dropped replies : 0
Received keepalives : 1
Sent keepalive replies : 1
Received configuration updates: 0
Sent configuration updates : 0
Table 7 Command output
Field |
Description |
Context |
SSL VPN context to which the SSL VPN user belongs. |
User |
Login username used by the SSL VPN user. |
User IPv4 address |
IPv4 address of the SSL VPN user. |
User IPv6 address |
IPv6 address of the SSL VPN user. |
Received requests |
Number of IP access requests received by the SSL VPN gateway from the user. |
Sent requests |
Number of IP access requests forwarded by the SSL VPN gateway to internal servers. |
Dropped requests |
Number of IP access requests dropped by the SSL VPN gateway. |
Received replies |
Number of IP access replies received by the SSL VPN gateway from internal servers. |
Sent replies |
Number of IP access replies forwarded by the SSL VPN gateway to the user. |
Dropped replies |
Number of IP access replies dropped by the SSL VPN gateway. |
Received keepalives |
Number of keepalive messages received by the SSL VPN gateway from the user. |
Sent keepalive replies |
Number of keepalive replies sent by the SSL VPN gateway to the user. |
Received configuration updates |
Number of configuration update messages received by the SSL VPN gateway from the user. |
Sent configuration updates |
Number of configuration update messages sent by the SSL VPN gateway to the user. |
Client |
Statistics of the traffic transmitted between the SSL VPN gateway and the IP access client: · In bytes—Number of bytes received by the SSL VPN gateway from the client. · Out bytes—Number of bytes sent by the SSL VPN gateway to the client. |
Server |
Statistics of the traffic transmitted between the SSL VPN gateway and the internal server: · In bytes—Number of bytes received by the SSL VPN gateway from the server. · Out bytes—Number of bytes sent by the SSL VPN gateway to the server. |
display sslvpn policy-group
Use display sslvpn policy-group to display SSL VPN policy group information.
Syntax
display sslvpn policy-group group-name [ context context-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
group-name: Specifies a policy group by its name, a case-insensitive string of 1 to 31 characters.
context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays information about policy groups with the specified group name in all SSL VPN contexts.
Examples
# Display information about policy groups named pg1 in all SSL VPN contexts.
<Sysname> display sslvpn policy-group pg1
Group policy: pg1
Context: context1
Idle timeout: 35 min
Redirect resource type: url-item
Redirect resource name: url1
Context: context2
Idle timeout: 40 min
Redirect resource: Not configured
Table 8 Command output
Field |
Description |
Idle timeout |
Maximum idle time of an SSL VPN session, in minutes. |
Redirect resource |
Redirect resource in the policy group assigned to the SSL VPN context. |
display sslvpn port-forward connection
Use display sslvpn port-forward connection to display TCP port forwarding connection information.
Syntax
In standalone mode:
display sslvpn port-forward connection [ context context-name ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display sslvpn port-forward connection [ context context-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays TCP port forwarding connection information for all SSL VPN contexts.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays TCP port forwarding connection information for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays TCP port forwarding connection information for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display TCP port forwarding connection information for all SSL VPN contexts.
<Sysname> display sslvpn port-forward connection
SSL VPN context : ctx1
Client address : 192.0.2.1
Client port : 1025
Server address : 192.168.0.39
Server port : 80
Slot : 1
Status : Connected
SSL VPN context : ctx2
Client address : 3000::983F:7A36:BD06:342D
Client port : 56190
Server address : 300::1
Server port : 23
Slot : 1
Status : Connecting
# (In IRF mode.) Display TCP port forwarding connection information for all SSL VPN contexts.
<Sysname> display sslvpn port-forward connection
Chassis 1 Slot 5 CPU 1
SSL VPN context: ctx1
Client address : 192.0.2.1
Client port : 1025
Server address : 192.168.0.39
Server port : 80
Chassis : 1
Slot : 0
Status : Connected
SSL VPN context : ctx2
Client address : 3000::983F:7A36:BD06:342D
Client port : 56190
Server address : 300::1
Server port : 23
Chassis : 1
Slot : 0
Status : Connecting
Table 9 Command output
Field |
Description |
Client address |
IP address of the SSL VPN client. |
Client port |
Port number of the SSL VPN client. |
Server address |
IP address of the internal server. |
Server port |
Port number of the internal server. |
Chassis |
(In IRF mode.) IRF member ID of the device. |
Slot |
Card slot number. |
CPU |
CPU number. |
Status |
Connection status, Connected or Connecting. |
display sslvpn prevent-cracking frozen-ip
Use display sslvpn prevent-cracking frozen-ip to display information about IP addresses frozen for cracking prevention.
Syntax
display sslvpn prevent-cracking frozen-ip { statistics | table } [ context context-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
statistics: Displays frozen IP address statistics.
table: Displays information about frozen IP address entries.
context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays frozen IP address information for all SSL VPN contexts.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Display frozen IP address statistics in all SSL VPN contexts.
<Sysname> display sslvpn prevent-cracking frozen-ip statistics
SSL VPN context: ctx1
Total number of frozen IP addresses: 1
Total number of username/password authentication failures: 1
Total number of code verification failures: 1
Total number of SMS authentication failures: 1
Total number of custom authentication failures: 1
SSL VPN context: ctx2
Total number of frozen IP addresses: 1
Total number of username/password authentication failures: 1
Total number of code verification failures: 1
Total number of SMS authentication failures: 1
Total number of custom authentication failures: 1
# Display frozen IP address entries in all SSL VPN contexts.
<Sysname> display sslvpn prevent-cracking frozen-ip table
SSL VPN context: ctx1
IP address Authentication method Frozen at Unfrozen at
8.1.1.80 code verification 2019-10-08 08:30:01 2019-10-08 08:35:04
3.3.3.30 Username/password authentication 2019-10-08 08:35:01 2019-10-08 08:39:04
SSL VPN context: ctx2
IP address Authentication method Frozen at Unfrozen at
121.5.5.32 Username/password authentication 2019-10-08 08:31:01 2019-10-08 08:45:04
123.3.3.3 code verification 2019-10-08 08:35:01 2019-10-08 08:55:04
Table 10 Command output
Field | Description |
---|---|
SSL VPN context | Name of the SSL VPN context. |
IP address | Frozen IP address. |
Authentication method | Authentication methods required for logging in to the SSL VPN context. Options include: · Username/password authentication. · Code verification. · SMS authentication. · Custom authentication. The use of authentication methods must meet the following requirements: · You can enable one or multiple authentication methods. · Username/password authentication must be enabled in an SSL VPN context. · Custom authentication and SMS authentication cannot both be enabled at the same time. · All authentication methods can be used independently except for code verification. |
Frozen at | Time when the IP address was frozen. |
Unfrozen at | Time when the frozen IP address is to be unfrozen. N/A means that the IP address will never be unfrozen. |
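The frozen-IP table shown in the example above is what an operator polls to see which source addresses the cracking-prevention feature has frozen. The following Python script, an added example that is not part of this command reference or of the device software, parses that table layout and produces the counts a monitoring dashboard would want: freezes per context and authentication method, addresses still frozen at a given time, and permanent (N/A) freezes that need manual review. The sample output is constructed in the layout the reference shows, with an N/A row added to exercise the "never unfrozen" case described in Table 10; the names FrozenEntry, parse_frozen_ip_table and report are the example's own.

```python
"""Parse the output of 'display sslvpn prevent-cracking frozen-ip table'
and summarise it for monitoring. Added example; not H3C code. The sample
output below is constructed in the layout the command reference shows; the
N/A row is added to exercise the "never unfrozen" case from Table 10."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
SSL VPN context: ctx1
IP address    Authentication method             Frozen at            Unfrozen at
8.1.1.80      code verification                 2019-10-08 08:30:01  2019-10-08 08:35:04
3.3.3.30      Username/password authentication  2019-10-08 08:35:01  2019-10-08 08:39:04
SSL VPN context: ctx2
IP address    Authentication method             Frozen at            Unfrozen at
121.5.5.32    Username/password authentication  2019-10-08 08:31:01  2019-10-08 08:45:04
123.3.3.3     code verification                 2019-10-08 08:35:01  N/A
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
CONTEXT_RE = re.compile(r"^SSL VPN context:\s*(\S+)\s*$")
# IP address, method (may contain spaces), frozen-at, unfrozen-at or N/A
ENTRY_RE = re.compile(rf"^(\S+)\s+(.+?)\s+({TS})\s+({TS}|N/A)\s*$")


@dataclass
class FrozenEntry:
    context: str
    ip: str
    method: str
    frozen_at: datetime
    unfrozen_at: Optional[datetime]  # None means "N/A": never unfrozen

    def is_frozen(self, now: datetime) -> bool:
        return self.unfrozen_at is None or now < self.unfrozen_at


def parse_frozen_ip_table(text: str) -> List[FrozenEntry]:
    """Return one FrozenEntry per table row, tagged with its context."""
    entries: List[FrozenEntry] = []
    context = None
    for line in text.splitlines():
        m = CONTEXT_RE.match(line)
        if m:
            context = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or context is None:
            continue  # column header or blank line
        ip, method, frozen, unfrozen = m.groups()
        entries.append(FrozenEntry(
            context, ip, method,
            datetime.strptime(frozen, TS_FMT),
            None if unfrozen == "N/A" else datetime.strptime(unfrozen, TS_FMT)))
    return entries


def report(text: str, now: str) -> Dict:
    """Counts a SOC dashboard would want at time `now` (same timestamp
    format as the device output): freezes per context and method,
    addresses still frozen, and permanent freezes that need manual review."""
    entries = parse_frozen_ip_table(text)
    at = datetime.strptime(now, TS_FMT)
    by_context: Dict[str, Dict[str, int]] = {}
    for e in entries:
        methods = by_context.setdefault(e.context, {})
        methods[e.method] = methods.get(e.method, 0) + 1
    return {
        "entries": len(entries),
        "by_context": by_context,
        "still_frozen": sorted(e.ip for e in entries if e.is_frozen(at)),
        "permanent": sorted(e.ip for e in entries if e.unfrozen_at is None),
    }


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT, "2019-10-08 08:40:00"))
```

A recurring freeze of the same address across polls, or a growing number of N/A entries, is the signal worth alerting on; the script keeps the raw entries so that such trending can be added on top of it.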
display sslvpn session
Use display sslvpn session to display SSL VPN session information.
Syntax
display sslvpn session [ context context-name ] [ user user-name | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays SSL VPN session information for all SSL VPN contexts.
user user-name: Specifies an SSL VPN user by the username, a case-insensitive string of 1 to 63 characters. If you specify a user, this command displays detailed SSL VPN session information for the user. If you do not specify a user, this command displays brief SSL VPN session information for all users.
verbose: Displays detailed SSL VPN session information for all SSL VPN users. If you do not specify this keyword, the command displays brief SSL VPN session information for the specified or all SSL VPN users.
Examples
# Display brief SSL VPN session information for all users in all SSL VPN contexts.
<Sysname> display sslvpn session
Total users: 4
SSL VPN context: ctx1
Users: 2
Username Connections Idle time Created User IP
user1 5 0/00:00:23 0/04:47:16 192.0.2.1
user2 5 0/00:00:46 0/04:48:36 192.0.2.2
SSL VPN context: ctx2
Users: 2
Username Connections Idle time Created User IP
user3 5 0/00:00:30 0/04:50:06 192.168.2.1
user4 5 0/00:00:50 0/04:51:16 192.168.2.2
Table 11 Command output
Field | Description |
---|---|
Total users | Total number of users in all SSL VPN contexts. |
SSL VPN context | Name of the SSL VPN context. |
Users | Number of users in the SSL VPN context. |
Username | Login name for the SSL VPN session. |
Connections | Number of connections in the SSL VPN session. |
Idle time | Duration that the SSL VPN session has been idle, in the format of days/hh:mm:ss. |
Created | Time elapsed since the SSL VPN session was created, in the format of days/hh:mm:ss. |
User IP | IP address used by the SSL VPN session. |
# Display SSL VPN session information for SSL VPN user user1.
<Sysname> display sslvpn session user user1
User : user1
Authentication method : Username/password authentication
Context : context1
Policy group : pgroup
Idle timeout : 30 min
Created at : 13:49:27 UTC Wed 05/14/2014
Lastest : 17:50:58 UTC Wed 05/14/2014
Allocated IPv4 : 2.2.2.1
Allocated IPv6 : 2000::1
User IPv4 address : 192.0.2.1
Session ID : 1
Web browser/OS : Internet Explorer
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 0.00 B
Received bytes : 0.00 B
User : user1
Authentication method : Username/password authentication
Context : context2
Policy group : Default
Idle timeout : 2100 sec
Created at : 14:15:12 UTC Wed 05/14/2014
Lastest : 18:56:58 UTC Wed 05/14/2014
User IPv6 address : 0:30::983F:7A36:BD06:342D
Session ID : 5
Web browser/OS : Internet Explorer
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 0.00 B
Received bytes : 0.00 B
# Display detailed SSL VPN session information for all users in all SSL VPN contexts.
<Sysname> display sslvpn session verbose
User : user1
Authentication method : Username/password authentication
Context : context1
Policy group : pgroup
Idle timeout : 30 min
Created at : 13:49:27 UTC Wed 05/14/2014
Lastest : 17:50:58 UTC Wed 05/14/2014
User IPv4 address : 192.0.2.1
Session ID : 1
Web browser/OS : Internet Explorer
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 0.00 B
Received bytes : 0.00 B
User : user1
Authentication method : Username/password authentication
Context : context2
Policy group : Default
Idle timeout : 2100 sec
Created at : 14:15:12 UTC Wed 05/14/2014
Lastest : 18:56:58 UTC Wed 05/14/2014
User IPv6 address : 0:30::983F:7A36:BD06:342D
Session ID : 5
Web browser/OS : Internet Explorer
Send rate : 0.00 B/s
Receive rate : 0.00 B/s
Sent bytes : 0.00 B
Received bytes : 0.00 B
Table 12 Command output
Field | Description |
---|---|
User | SSL VPN username. |
Authentication method | Authentication methods required for logging in to the SSL VPN context. Options include: · Username/password authentication. · Certificate authentication. · Code verification. · SMS authentication. · Custom authentication. The use of authentication methods must meet the following requirements: · You can enable one or multiple authentication methods. · Username/password authentication, certificate authentication, or both must be enabled in an SSL VPN context. · Custom authentication and SMS authentication cannot both be enabled at the same time. · All authentication methods can be used independently except for code verification. |
Context | Context to which the user belongs. |
Policy group | Policy group used by the user. |
Idle timeout | Idle timeout of the SSL VPN session, in seconds. |
Created at | Time at which the SSL VPN session was created. |
Lastest | Most recent time when the SSL VPN user accessed resources through the SSL VPN session. |
Allocated IPv4 | IPv4 address allocated to the iNode client of the SSL VPN user. This field is displayed only for iNode users. |
Allocated IPv6 | IPv6 address allocated to the iNode client of the SSL VPN user. This field is displayed only for iNode users. |
User IPv4 address | IPv4 address used by the SSL VPN session. |
User IPv6 address | IPv6 address used by the SSL VPN session. |
Web browser/OS | Web browser or operating system used by the SSL VPN user. |
Send rate | Sending rate of the SSL VPN session in one of the following units: · B/s—Bytes per second. · KB/s—Kilobytes per second. · MB/s—Megabytes per second. · GB/s—Gigabytes per second. · TB/s—Terabytes per second. · PB/s—Petabytes per second. |
Receive rate | Receiving rate of the SSL VPN session in one of the following units: · B/s—Bytes per second. · KB/s—Kilobytes per second. · MB/s—Megabytes per second. · GB/s—Gigabytes per second. · TB/s—Terabytes per second. · PB/s—Petabytes per second. |
Sent bytes | Traffic sent by the SSL VPN session in one of the following units: · B—Bytes. · KB—Kilobytes. · MB—Megabytes. · GB—Gigabytes. · TB—Terabytes. · PB—Petabytes. |
Received bytes | Traffic received by the SSL VPN session in one of the following units: · B—Bytes. · KB—Kilobytes. · MB—Megabytes. · GB—Gigabytes. · TB—Terabytes. · PB—Petabytes. |
display sslvpn webpage-customize template
Use display sslvpn webpage-customize template to display SSL VPN webpage template information.
Syntax
display sslvpn webpage-customize template
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Display information about all webpage templates.
<Sysname> display sslvpn webpage-customize template
Template name Type Status
default Pre-defined Normal
system Predefined Normal
User1 User-defined File login.html missing
User2 User-defined File home.html missing
Table 13 Command output
Field | Description |
---|---|
Template name | Name of the SSL VPN webpage template. |
Type | Type of the SSL VPN webpage template: · Pre-defined. · User-defined. |
Status | State of the SSL VPN webpage template: · Normal—The template is complete and can be used. · File login.html missing—The login.html file is missing in the template. · File home.html missing—The home.html file is missing in the template. · Version incompatible—The template has an incompatible version with the device predefined template. |
Related commands
webpage-customize
emo-server
Use emo-server to specify an Endpoint Mobile Office (EMO) server for mobile clients.
Use undo emo-server to restore the default.
Syntax
emo-server address { host-name | ipv4-address } port port-number
undo emo-server
Default
No EMO server is specified for mobile clients.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
address: Specifies the host name or IPv4 address of the EMO server.
host-name: Specifies the host name of the EMO server, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).
ipv4-address: Specifies the IPv4 address of the EMO server, in dotted decimal notation. The IP address cannot be a multicast, broadcast, or loopback address.
port port-number: Specifies the port number of the EMO server, in the range of 1025 to 65535.
Usage guidelines
An EMO server provides services for mobile clients. The SSL VPN gateway issues the EMO server information to the clients, and the clients can access available service resources through the EMO server.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the IP address of the EMO server as 10.10.1.1 and the port number as 9058 for context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] emo-server address 10.10.1.1 port 9058
exclude
Use exclude to add an excluded IPv4 route to an IPv4 route list.
Use undo exclude to delete an excluded IPv4 route from an IPv4 route list.
Syntax
exclude ip-address { mask | mask-length }
undo exclude ip-address { mask | mask-length }
Default
No excluded IPv4 routes exist in an IPv4 route list.
Views
IPv4 route list view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address: Specifies the destination IPv4 address of the route. It cannot be a multicast, broadcast, or loopback address.
mask: Specifies the subnet mask of the destination IPv4 address.
mask-length: Specifies the mask length of the destination IPv4 address, an integer in the range of 0 to 32.
Usage guidelines
When a client accesses the SSL VPN gateway in IP access mode, the SSL VPN gateway issues excluded IPv4 routes to the client. The client adds the excluded IPv4 routes to the local routing table. Traffic that matches the excluded IPv4 routes is not sent to the SSL VPN gateway.
You can add multiple excluded IPv4 routes to an IPv4 route list.
If you execute the include and exclude commands to add the same IPv4 route to an IPv4 route list, the most recent configuration takes effect.
Examples
# Add excluded IPv4 route 192.168.0.0/16 to IPv4 route list rtlist.
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ip-route-list rtlist
[Sysname-sslvpn-context-ctx1-route-list-rtlist] exclude 192.168.0.0 16
Related commands
include
exclude ipv6
Use exclude ipv6 to add an excluded IPv6 route to an IPv6 route list.
Use undo exclude ipv6 to delete an excluded IPv6 route from an IPv6 route list.
Syntax
exclude ipv6 ipv6-address prefix-length
undo exclude ipv6 ipv6-address prefix-length
Default
No excluded IPv6 routes exist in an IPv6 route list.
Views
IPv6 route list view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address: Specifies the destination IPv6 address of the route. It can be a unicast or anycast address and cannot be a multicast, loopback, or link local unicast address.
prefix-length: Specifies the prefix length of the destination IPv6 address, in the range of 0 to 128.
Usage guidelines
To deny user access to specific IPv6 network nodes or segments behind an SSL VPN gateway, configure excluded IPv6 routes for those nodes or segments.
When a client accesses the SSL VPN gateway in IP access mode, the SSL VPN gateway issues excluded IPv6 routes to the client. The client adds the excluded IPv6 routes to the local routing table. Traffic that matches the excluded IPv6 routes is not sent to the SSL VPN gateway.
You can add multiple excluded IPv6 routes to an IPv6 route list.
If you execute the include and exclude commands to add the same IPv6 route to an IPv6 route list, the most recent configuration takes effect.
Examples
# Add excluded IPv6 route 1234::100/48 to IPv6 route list ipv6rtlist.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ipv6-route-list ipv6rtlist
[Sysname-sslvpn-context-ctx1-ipv6-route-list-ipv6rtlist] exclude ipv6 1234::100 48
Related commands
include ipv6
execution (port forwarding item view)
Use execution to configure a resource link for a port forwarding item.
Use undo execution to restore the default.
Syntax
execution script
undo execution
Default
No resource link is configured for a port forwarding item.
Views
Port forwarding item view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
script: Specifies the script for the resource link, a case-insensitive string of 1 to 255 characters.
Usage guidelines
You can configure a resource link in one of the following methods:
· Enter a URL resource in the format of url('url-value'). The url-value argument specifies the URL link. The complete format for url-value is protocol://hostname-or-address:port-number/resource-path.
· Enter an executable JavaScript for a resource to provide access to the resource.
After you configure a resource link for a port forwarding item, you can click the port forwarding name on the SSL VPN Web page to access the resource.
If you execute this command for a port forwarding item multiple times, the most recent configuration takes effect.
Examples
# Configure the url('https://127.0.0.1') resource for port forwarding item pfitem1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] port-forward-item pfitem1
[Sysname-sslvpn-context-ctx1-forward-item-pfitem1] execution url('https://127.0.0.1')
execution (shortcut view)
Use execution to configure a resource link for a shortcut.
Use undo execution to restore the default.
Syntax
execution script
undo execution
Default
No resource link is configured for a shortcut.
Views
Shortcut view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
script: Specifies the script for the resource, a case-insensitive string of 1 to 255 characters.
Usage guidelines
You can configure a resource link in either of the following methods:
· Enter the resource link in the format of url('url-value'). The url-value argument specifies the corresponding resource. The complete format for url-value is protocol://hostname-or-address:port-number/resource-path.
· Enter an application resource in the format of app('app-value'). The app-value argument specifies the application path. For example, the app-value argument can be c:\windows\system32\notepad++.exe, which is used for opening the notepad++.exe application.
· Enter an executable JavaScript for a resource to provide access to the resource.
After you configure a resource link for a shortcut, you can click the shortcut name on the SSL VPN Web page to access the resource.
If you execute this command for a shortcut multiple times, the most recent configuration takes effect.
Examples
# Configure the url('https://10.0.0.1') resource for shortcut shortcut1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] shortcut shortcut1
[Sysname-sslvpn-context-ctx1-shortcut-shortcut1] execution url('https://10.0.0.1')
# Configure the app('c:\windows\system32\notepad++.exe') resource for shortcut shortcut2.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] shortcut shortcut2
[Sysname-sslvpn-context-ctx1-shortcut-shortcut2] execution app('c:\windows\system32\notepad++.exe')
file-policy
Use file-policy to create a file policy and enter its view, or enter the view of an existing file policy.
Use undo file-policy to delete a file policy.
Syntax
file-policy policy-name
undo file-policy policy-name
Default
No file policies exist.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Specifies a file policy name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
The SSL VPN gateway uses a file policy to rewrite the content of Web page files before forwarding them to requesting Web access users.
You can configure multiple file policies in an SSL VPN context.
Examples
# Create a file policy named fp and enter its view.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] file-policy fp
[Sysname-sslvpn-context-ctx-file-policy-fp]
Related commands
sslvpn context
filter ip-tunnel acl
Use filter ip-tunnel acl to specify an advanced ACL for IP access filtering.
Use undo filter ip-tunnel acl to remove the advanced ACL configuration for IP access filtering.
Syntax
filter ip-tunnel [ ipv6 ] acl advanced-acl-number
undo filter ip-tunnel [ ipv6 ] acl
Default
All IP accesses are permitted.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6: Specifies an IPv6 ACL. Do not configure this keyword if you want to specify an IPv4 ACL.
acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.
Usage guidelines
You can specify both an advanced ACL and a URI ACL for IP access filtering.
The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request:
1. Matches the request against rules in the URI ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 2.
2. Matches the request against rules in the advanced ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.
If no URI ACL or advanced ACL is specified for IP access filtering, the SSL VPN gateway permits all IP accesses by default.
You can specify an IPv4 ACL, IPv6 ACL, or both by using this command, but you cannot specify multiple IPv4 ACLs or IPv6 ACLs. If you specify IPv4 or IPv6 ACLs multiple times, the most recent IPv4 or IPv6 ACL configuration takes effect.
Examples
# Configure policy group pg1 to use IPv4 ACL 3000 and IPv6 ACL 3500 for IP access filtering.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter ip-tunnel acl 3000
[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter ip-tunnel ipv6 acl 3500
Related commands
filter ip-tunnel uri-acl
filter ip-tunnel uri-acl
Use filter ip-tunnel uri-acl to specify a URI ACL for IP access filtering.
Use undo filter ip-tunnel uri-acl to remove the URI ACL configuration for IP access filtering.
Syntax
filter ip-tunnel uri-acl uri-acl-name
undo filter ip-tunnel uri-acl
Default
All IP accesses are permitted.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.
Usage guidelines
You can specify both an advanced ACL and a URI ACL for IP access filtering.
The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request:
1. Matches the request against rules in the URI ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 2.
2. Matches the request against rules in the advanced ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.
If no URI ACL or advanced ACL is specified for IP access filtering, the SSL VPN gateway permits all IP accesses by default.
If a rule in the URI ACL specified for IP access filtering contains HTTP or HTTPS settings, the rule does not take effect.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure policy group abcpg to use URI ACL abcuriacl for IP access filtering.
<Sysname> system-view
[Sysname] sslvpn context abc
[Sysname-sslvpn-context-abc] policy-group abcpg
[Sysname-sslvpn-context-abc-policy-group-abcpg] filter ip-tunnel uri-acl abcuriacl
filter tcp-access acl
Use filter tcp-access acl to specify an advanced ACL for TCP access filtering.
Use undo filter tcp-access acl to remove the advanced ACL configuration for TCP access filtering.
Syntax
filter tcp-access [ ipv6 ] acl advanced-acl-number
undo filter tcp-access [ ipv6 ] acl
Default
A user can access only the TCP resources in the TCP port forwarding list authorized to the user.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6: Specifies an IPv6 ACL. Do not configure this keyword if you want to specify an IPv4 ACL.
acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.
Usage guidelines
You can specify both an advanced ACL and a URI ACL for TCP access filtering.
For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request:
1. Matches the request against the authorized port forwarding list.
¡ If the request matches a port forwarding item in the list, the gateway forwards the request.
¡ If the request does not match any port forwarding items in the list, the gateway proceeds to step 2.
2. Matches the request against the rules in the URI ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.
3. Matches the request against the rules in the advanced ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.
For PC users, the ACLs configured for TCP access filtering do not take effect. They can access only the TCP resources authorized to them through the TCP port forwarding list.
You can specify an IPv4 ACL, IPv6 ACL, or both by using this command, but you cannot specify multiple IPv4 ACLs or IPv6 ACLs. If you specify IPv4 or IPv6 ACLs multiple times, the most recent IPv4 or IPv6 ACL configuration takes effect.
Examples
# Configure policy group pg1 to use IPv4 ACL 3000 and IPv6 ACL 3500 for TCP access filtering.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter tcp-access acl 3000
[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter tcp-access ipv6 acl 3500
Related commands
filter tcp-access uri-acl
filter tcp-access uri-acl
Use filter tcp-access uri-acl to specify a URI ACL for TCP access filtering.
Use undo filter tcp-access uri-acl to remove the URI ACL configuration for TCP access filtering.
Syntax
filter tcp-access uri-acl uri-acl-name
undo filter tcp-access uri-acl
Default
A user can access only the TCP resources in the TCP port forwarding list authorized to the user.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.
Usage guidelines
You can specify both an advanced ACL and a URI ACL for TCP access filtering.
For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request:
1. Matches the request against the authorized port forwarding list.
¡ If the request matches a port forwarding item in the list, the gateway forwards the request.
¡ If the request does not match any port forwarding items in the list, the gateway proceeds to step 2.
2. Matches the request against the rules in the URI ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.
3. Matches the request against the rules in the advanced ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.
For PC users, the ACLs configured for TCP access filtering do not take effect. They can access only the TCP resources authorized to them through the TCP port forwarding list.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure policy group abcpg to use URI ACL abcuriacl2 for TCP access filtering.
<Sysname> system-view
[Sysname] sslvpn context abc
[Sysname-sslvpn-context-abc] policy-group abcpg
[Sysname-sslvpn-context-abc-policy-group-abcpg] filter tcp-access uri-acl abcuriacl2
Related commands
filter tcp-access acl
filter web-access acl
Use filter web-access acl to specify an advanced ACL for Web access filtering.
Use undo filter web-access acl to remove the advanced ACL configuration for Web access filtering.
Syntax
filter web-access [ ipv6 ] acl advanced-acl-number
undo filter web-access [ ipv6 ] acl
Default
A user can access only the Web resources in the URL list authorized to the user.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6: Specifies an IPv6 ACL. Do not configure this keyword if you want to specify an IPv4 ACL.
acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.
Usage guidelines
You can specify both an advanced ACL and a URI ACL for Web access filtering.
The SSL VPN gateway uses the following procedure to determine whether to forward a Web access request:
1. Matches the request against the authorized URL list.
¡ If the request matches a URL item in the list, the gateway forwards the request.
¡ If the request does not match any URL entries in the list, the gateway proceeds to step 2.
2. Matches the request against rules in the URI ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.
3. Matches the request against rules in the advanced ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.
You can specify an IPv4 ACL, IPv6 ACL, or both by using this command, but you cannot specify multiple IPv4 ACLs or IPv6 ACLs. If you specify IPv4 or IPv6 ACLs multiple times, the most recent IPv4 or IPv6 ACL configuration takes effect.
Examples
# Configure policy group pg1 to use IPv4 ACL 3000 and IPv6 ACL 3500 for Web access filtering.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter web-access acl 3000
[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter web-access ipv6 acl 3500
Related commands
filter web-access uri-acl
filter web-access uri-acl
Use filter web-access uri-acl to specify a URI ACL for Web access filtering.
Use undo filter web-access uri-acl to remove the URI ACL configuration for Web access filtering.
Syntax
filter web-access uri-acl uri-acl-name
undo filter web-access uri-acl
Default
Users can access only the Web resources authorized to them through the URL list.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.
Usage guidelines
The SSL VPN gateway uses the following procedure to determine whether to forward a Web access request:
1. Matches the request against the authorized URL list.
¡ If the request matches a URL item in the list, the gateway forwards the request.
¡ If the request does not match any URL entries in the list, the gateway proceeds to step 2.
2. Matches the request against rules in the URI ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.
3. Matches the request against rules in the advanced ACL:
¡ If the request matches a permit rule, the gateway forwards the request.
¡ If the request matches a deny rule, the gateway drops the request.
¡ If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.
If you execute this command multiple times, the most recent configuration takes effect.
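The usage guidelines of filter ip-tunnel acl, filter ip-tunnel uri-acl, filter tcp-access acl, filter tcp-access uri-acl, filter web-access acl and filter web-access uri-acl all describe the same evaluation order: the authorized list (where one exists), then the URI ACL, then the advanced ACL, with an unmatched request dropped once any ACL is configured. The following Python model, an added example that is not part of this command reference or of the device software, puts the three procedures into one function so that the differing defaults can be compared: permit-all for IP access when neither ACL is configured, port-forwarding-list-only for PC users in TCP access, and drop on no match otherwise. Request, uri_rule, advanced_rule, port_forward_item, url_item, first_match and decide are names chosen for the example; ACL matching is simplified to regular expressions over the URI and CIDR/port checks, which stand in for the device's own rule semantics.

```python
"""Model of the order in which the SSL VPN gateway evaluates an access
request: authorized list, then URI ACL, then advanced ACL. Added example;
not H3C code. Rule predicates are simplified stand-ins for the device's
ACL matching."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional, Sequence, Tuple

FORWARD, DROP = "forward", "drop"


@dataclass(frozen=True)
class Request:
    dst_ip: str
    dst_port: int
    uri: str  # e.g. "https://10.1.2.3:443/app/" or "tcp://10.1.2.3:22"


Predicate = Callable[[Request], bool]
Rule = Tuple[str, Predicate]  # ("permit" | "deny", matcher)


def uri_rule(action: str, pattern: str) -> Rule:
    """URI ACL rule: regular expression over the request URI."""
    rx = re.compile(pattern)
    return action, lambda r: rx.search(r.uri) is not None


def advanced_rule(action: str, cidr: str, port: Optional[int] = None) -> Rule:
    """Advanced ACL rule: destination network plus optional destination port."""
    net = ip_network(cidr)

    def matches(r: Request) -> bool:
        return ip_address(r.dst_ip) in net and (port is None or r.dst_port == port)
    return action, matches


def port_forward_item(host: str, port: int) -> Predicate:
    """Entry of the TCP port forwarding list authorized to the user."""
    return lambda r: r.dst_ip == host and r.dst_port == port


def url_item(prefix: str) -> Predicate:
    """Entry of the URL list authorized to the user."""
    return lambda r: r.uri.startswith(prefix)


def first_match(acl: Sequence[Rule], request: Request) -> Optional[str]:
    for action, matches in acl:
        if matches(request):
            return action
    return None  # no rule matched, or the ACL is not configured


def decide(access: str, request: Request, authorized: Sequence[Predicate] = (),
           uri_acl: Sequence[Rule] = (), advanced_acl: Sequence[Rule] = (),
           mobile_client: bool = True) -> str:
    """access is "ip", "tcp" or "web"; returns FORWARD or DROP."""
    if access == "ip":
        # IP access has no authorized list; with neither ACL configured
        # the gateway permits every request.
        if not uri_acl and not advanced_acl:
            return FORWARD
    else:
        # Step 1: the authorized port forwarding list or URL list.
        if any(item(request) for item in authorized):
            return FORWARD
        # TCP access ACLs apply to mobile clients only; PC users are
        # limited to the port forwarding list.
        if access == "tcp" and not mobile_client:
            return DROP
    # Steps 2 and 3: URI ACL first, then advanced ACL; the first hit decides.
    for acl in (uri_acl, advanced_acl):
        action = first_match(acl, request)
        if action == "permit":
            return FORWARD
        if action == "deny":
            return DROP
    # Once any ACL is configured, an unmatched request is dropped.
    return DROP
```

The model makes the practical consequence of the procedure visible: adding a single permit rule to an advanced ACL for IP access turns the default from permit-all into deny-by-default for everything the rule does not cover, so the ACL has to enumerate every destination the users legitimately need.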
Examples
# Configure policy group abcpg to use URI ACL abcuriacl1 for Web access filtering.
<Sysname> system-view
[Sysname] sslvpn context abc
[Sysname-sslvpn-context-abc] policy-group abcpg
[Sysname-sslvpn-context-abc-policy-group-abcpg] filter web-access uri-acl abcuriacl1
Related commands
filter web-access acl
force-logout
Use force-logout to force online users to log out.
Syntax
force-logout [ all | session session-id | user user-name ]
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
all: Logs out all users.
session session-id: Logs out all users in a session. The session-id argument specifies the session ID in the range of 1 to 4294967295.
user user-name: Logs out a user. The user-name argument specifies the username, a case-sensitive string of 1 to 63 characters.
Examples
# Log out all users in session 1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] force-logout session 1
force-logout max-onlines enable
Use force-logout max-onlines enable to enable the force logout feature.
Use undo force-logout max-onlines enable to disable the force logout feature.
Syntax
force-logout max-onlines enable
undo force-logout max-onlines enable
Default
The force logout feature is disabled.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
By default, a user cannot log in if the number of online logins using the account has reached the limit.
When a login is attempted with an account whose logins have already reached the maximum, this feature logs out the user with the longest idle time to allow the new login.
Examples
# Enable the force logout feature.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] force-logout max-onlines enable
gateway (SMS gateway authentication view)
Use gateway to specify an SMS gateway for SMS authentication.
Use undo gateway to restore the default.
Syntax
gateway sms-gateway-name
undo gateway
Default
No SMS gateway is specified for SMS authentication.
Views
SMS gateway authentication view
Predefined user roles
network-admin
context-admin
Parameters
sms-gateway-name: Specifies an SMS gateway by its name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Specify SMS gateway gw1 in SMS gateway authentication view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] sms-auth sms-gw
[Sysname-sslvpn-context-ctx1-sms-auth-sms-gw] gateway gw1
gateway (SSL VPN context view)
Use gateway to associate an SSL VPN context with an SSL VPN gateway.
Use undo gateway to remove associated SSL VPN gateways.
Syntax
gateway gateway-name [ domain domain-name | virtual-host virtual-host-name ]
undo gateway [ gateway-name ]
Default
An SSL VPN context is not associated with an SSL VPN gateway.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
gateway-name: Specifies an SSL VPN gateway by its name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).
domain domain-name: Specifies a domain name for the SSL VPN context, a case-insensitive string of 1 to 127 characters.
virtual-host virtual-host-name: Specifies a virtual host name for the SSL VPN context, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).
Usage guidelines
When you associate an SSL VPN context with an SSL VPN gateway, follow these guidelines:
· Make sure the context has a domain name or virtual host name different from that of any existing context associated with the SSL VPN gateway.
The SSL VPN gateway uses the domain name or virtual host name that a remote user entered to determine the SSL VPN context to which the user belongs.
· If you do not specify a domain name or virtual host name for the context, you cannot associate other SSL VPN contexts with the SSL VPN gateway.
You can associate an SSL VPN context with a maximum of 10 SSL VPN gateways.
Examples
# Associate SSL VPN context ctx1 with SSL VPN gateway gw1, and specify the domain name as domain1 for the context.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] gateway gw1 domain domain1
Related commands
display sslvpn context
heading
Use heading to configure a heading for a URL list.
Use undo heading to restore the default.
Syntax
heading string
undo heading
Default
The heading of a URL list is Web.
Views
URL list view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
string: Specifies a URL list heading, a case-sensitive string of 1 to 31 characters.
Examples
# Specify urlhead as the heading of URL list url.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-list url
[Sysname-sslvpn-context-ctx1-url-list-url] heading urlhead
Related commands
sslvpn context
url-list
http-redirect
Use http-redirect to enable HTTP redirection.
Use undo http-redirect to disable HTTP redirection.
Syntax
http-redirect [ port port-number ]
undo http-redirect
Default
HTTP redirection is disabled. An SSL VPN gateway does not process HTTP traffic.
Views
SSL VPN gateway view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
port-number: Specifies the HTTP port number to listen to, a value of 80 (the default) or in the range of 1025 to 65535.
Usage guidelines
This command enables an SSL VPN gateway to perform the following operations:
1. Listen to an HTTP port.
2. Redirect HTTP requests with the port number to the port used by HTTPS.
3. Send redirection packets to clients.
Examples
# Enable HTTP redirection for HTTP port 1025.
<Sysname> system-view
[Sysname] sslvpn gateway gateway1
[Sysname-sslvpn-gateway-gateway1] http-redirect port 1025
idle-cut traffic-threshold
Use idle-cut traffic-threshold to set the SSL VPN session idle-cut traffic threshold.
Use undo idle-cut traffic-threshold to restore the default.
Syntax
idle-cut traffic-threshold kilobytes
undo idle-cut traffic-threshold
Default
The SSL VPN session idle-cut traffic threshold is 0 kilobytes. An SSL VPN session is disconnected if no traffic is transmitted within the session idle timeout.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
kilobytes: Specifies the session idle-cut traffic threshold in kilobytes. The value range is 1 to 4294967295.
Usage guidelines
The SSL VPN session idle-cut traffic threshold refers to the minimum traffic required in the session idle timeout interval for a session not to be disconnected as an idle session.
After the idle-cut traffic threshold is set, the system counts the traffic transmitted in each SSL VPN session at intervals specified by the timeout idle command. If the traffic is less than the idle-cut traffic threshold, the system determines the session to be idle and disconnects the session.
If you change the setting of the idle-cut traffic-threshold or timeout idle command in an SSL VPN context, all session idle-cut traffic counters in the SSL VPN context will be cleared.
Examples
# Set the SSL VPN session idle-cut traffic threshold to 1000 kilobytes in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] idle-cut traffic-threshold 1000
Related commands
timeout idle
include
Use include to add an included IPv4 route to an IPv4 route list.
Use undo include to delete an included IPv4 route from an IPv4 route list.
Syntax
include ip-address { mask | mask-length }
undo include ip-address { mask | mask-length }
Default
No included IPv4 routes exist.
Views
IPv4 route list view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address: Specifies the destination IPv4 address of the route. It cannot be a multicast, broadcast, or loopback address. The specified IPv4 address must be the address of the network segment where the internal servers reside.
mask: Specifies the subnet mask of the IPv4 route.
mask-length: Specifies the mask length of the IPv4 route, an integer in the range of 0 to 32.
Usage guidelines
To permit user access to specific IPv4 network nodes or segments behind an SSL VPN gateway, configure included IPv4 routes for those nodes or segments.
When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway issues the included IPv4 routes to the client. The client adds the included IPv4 routes to the local routing table, using the VNIC as the output interface. Traffic that matches the included IPv4 routes is sent to the SSL VPN gateway through the VNIC.
You can add multiple included IPv4 routes to an IPv4 route list.
If you execute the include and exclude commands to add the same IPv4 route to an IPv4 route list, the most recent configuration takes effect.
Examples
# Add included IPv4 route 10.0.0.0/8 to IPv4 route list rtlist.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ip-route-list rtlist
[Sysname-sslvpn-context-ctx1-route-list-rtlist] include 10.0.0.0 8
Related commands
exclude
include ipv6
Use include ipv6 to add an included IPv6 route to an IPv6 route list.
Use undo include ipv6 to delete an included IPv6 route from an IPv6 route list.
Syntax
include ipv6 ipv6-address prefix-length
undo include ipv6 ipv6-address prefix-length
Default
No included IPv6 routes exist.
Views
IPv6 route list view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address: Specifies the destination IPv6 address of the route. It can be a unicast or anycast address and cannot be a multicast, loopback, or link-local unicast address.
prefix-length: Specifies the prefix length of the destination IPv6 address, in the range of 0 to 128.
Usage guidelines
To permit user access to specific IPv6 network nodes or segments behind an SSL VPN gateway, configure included IPv6 routes for those nodes or segments.
When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway issues the included IPv6 routes to the client. The client adds the included IPv6 routes to the local routing table, using the VNIC as the output interface. Traffic that matches the included IPv6 routes is sent to the SSL VPN gateway through the VNIC.
You can add multiple included IPv6 routes to an IPv6 route list.
If you execute the include and exclude commands to add the same IPv6 route to an IPv6 route list, the most recent configuration takes effect.
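A Python model of an IPv4 or IPv6 route list as described for include and include ipv6 (and their exclude counterparts), added here as an illustration and not device code. It enforces the documented destination and mask constraints and the rule that the most recent include/exclude for the same route wins; it additionally assumes that an IPv4 "broadcast" destination means 255.255.255.255 or the directed broadcast of the given prefix, and that the client chooses between included and excluded routes by longest prefix match, neither of which the command text spells out.

```python
"""
Model of an SSL VPN route list (ip-route-list / ipv6-route-list).
Added illustration, not device code; assumptions are in the lead-in.
"""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def parse_route(address: str, mask_or_length: str) -> Network:
    """Build a route from the CLI operands, enforcing the documented constraints."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        # include ip-address { mask | mask-length }: accept either operand form.
        if "." in mask_or_length:
            net = ipaddress.IPv4Network((ip, mask_or_length), strict=False)
        else:
            length = int(mask_or_length)
            if not 0 <= length <= 32:
                raise ValueError("mask length must be in the range of 0 to 32")
            net = ipaddress.IPv4Network((ip, length), strict=False)
        # Multicast, broadcast and loopback destinations are rejected
        # (broadcast interpretation is an assumption, see lead-in).
        if (ip.is_multicast or ip.is_loopback or ip == LIMITED_BROADCAST
                or (net.prefixlen < 31 and ip == net.broadcast_address)):
            raise ValueError(f"{ip} cannot be the destination of an IPv4 route")
        return net
    # include ipv6 ipv6-address prefix-length: multicast, loopback and link-local
    # unicast destinations are rejected; host bits are allowed (1234::100/48).
    length = int(mask_or_length)
    if not 0 <= length <= 128:
        raise ValueError("prefix length must be in the range of 0 to 128")
    if ip.is_multicast or ip.is_loopback or ip.is_link_local:
        raise ValueError(f"{ip} cannot be the destination of an IPv6 route")
    return ipaddress.IPv6Network((ip, length), strict=False)


class RouteList:
    """One route list; the latest include/exclude for the same route wins."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[Network, str] = {}  # route -> "include" or "exclude"

    def include(self, address: str, mask_or_length: str) -> None:
        self.entries[parse_route(address, mask_or_length)] = "include"

    def exclude(self, address: str, mask_or_length: str) -> None:
        self.entries[parse_route(address, mask_or_length)] = "exclude"

    def undo(self, action: str, address: str, mask_or_length: str) -> None:
        """undo include / undo exclude removes the entry only if it has that role."""
        net = parse_route(address, mask_or_length)
        if self.entries.get(net) == action:
            del self.entries[net]

    def included(self) -> List[str]:
        return sorted(str(n) for n, a in self.entries.items() if a == "include")

    def excluded(self) -> List[str]:
        return sorted(str(n) for n, a in self.entries.items() if a == "exclude")

    def via_tunnel(self, destination: str) -> bool:
        """Would the client send this destination through the VNIC to the gateway?
        Longest prefix match between included and excluded routes (assumption)."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, action in self.entries.items():
            if net.version == dst.version and dst in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, action)
        return best is not None and best[1] == "include"
```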
Examples
# Add included IPv6 route 1234::100/48 to IPv6 route list ipv6rtlist.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ipv6-route-list ipv6rtlist
[Sysname-sslvpn-context-ctx1-ipv6-route-list-ipv6rtlist] include ipv6 1234::100 48
Related commands
exclude ipv6
interface sslvpn-ac
Use interface sslvpn-ac to create an SSL VPN AC interface and enter its view, or enter the view of an existing SSL VPN AC interface.
Use undo interface sslvpn-ac to delete an SSL VPN AC interface.
Syntax
interface sslvpn-ac interface-number
undo interface sslvpn-ac interface-number
Default
No SSL VPN AC interfaces exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
interface-number: Specifies an SSL VPN AC interface number in the range of 0 to 4095.
Examples
# Create SSL VPN AC 1000 and enter its view.
<Sysname> system-view
[Sysname] interface sslvpn-ac 1000
[Sysname-SSLVPN-AC1000]
ip address
Use ip address to configure an IPv4 address and a port number for an SSL VPN gateway.
Use undo ip address to restore the default.
Syntax
ip address ip-address [ port port-number ]
undo ip address
Default
An SSL VPN gateway uses IPv4 address 0.0.0.0 and port number 443.
Views
SSL VPN gateway view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address: Specifies an IP address for the SSL VPN gateway, in dotted decimal notation.
port port-number: Specifies a port number for the SSL VPN gateway. The port number is 443 (the default value) or in the range of 1025 to 65535.
Usage guidelines
A remote user uses the IPv4 address and port number configured by this command to access an SSL VPN gateway.
The specified IPv4 address must be the IP address of an interface on the gateway device and must be reachable from clients and internal servers.
If the gateway uses the default address (0.0.0.0), make sure its port number is different from the port number of the HTTPS server on the device.
The IPv4 address and port number of an SSL VPN gateway cannot both be the same as those of the HTTPS server on the device. Otherwise, you can access only the SSL VPN Web interface but cannot access the device management Web interface by using that IPv4 address and port number.
If you execute this command multiple times, the most recent configuration takes effect.
An SSL VPN gateway can use either an IPv4 address or an IPv6 address, but not both. If you configure both, the most recent configuration takes effect. (The IPv6 address is configured by using the ipv6 address command.)
Examples
# Configure the IPv4 address of SSL VPN gateway gw1 as 10.10.1.1 and the port number as 8000.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] ip address 10.10.1.1 port 8000
Related commands
display sslvpn gateway
ipv6 address
ip range
Use ip range to specify an IPv4 address range for an SSL VPN SNAT address pool.
Use undo ip range to restore the default.
Syntax
ip range start-ipv4-address end-ipv4-address
undo ip range
Default
No IPv4 address range is specified for an SSL VPN SNAT address pool.
Views
SSL VPN SNAT address pool view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
start-ipv4-address end-ipv4-address: Specifies the start and end IPv4 addresses. The end IPv4 address must be greater than or equal to the start IPv4 address.
Usage guidelines
The addresses in the range are equally assigned to all security modules. The number of addresses in the address range must be greater than or equal to the number of security modules.
A SNAT address pool can have a maximum of 256 IPv4 addresses. No overlapping IPv4 addresses are allowed in different SNAT address pools.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify IPv4 address range 1.1.1.1 to 1.1.1.100 for SNAT address pool spool1.
<Sysname> system-view
[Sysname] sslvpn snat-pool spool1
[Sysname-sslvpn-snatpool-spool1] ip range 1.1.1.1 1.1.1.100
ip-route-list
Use ip-route-list to create an IPv4 route list for an SSL VPN context and enter its view, or enter the view of an existing IPv4 route list.
Use undo ip-route-list to delete an IPv4 route list.
Syntax
ip-route-list list-name
undo ip-route-list list-name
Default
No IPv4 route lists exist.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
list-name: Specifies a name for the IPv4 route list, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can add IPv4 routes to an IPv4 route list. The IPv4 routes can be issued to IP access clients for them to access internal servers behind the SSL VPN gateway.
You cannot delete an IPv4 route list that is used by a policy group. To delete the IPv4 route list, execute the undo ip-tunnel access-route command to remove the configuration and then execute the undo ip-route-list command.
Examples
# In SSL VPN context ctx1, create an IPv4 route list named rtlist and enter its view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ip-route-list rtlist
[Sysname-sslvpn-context-ctx1-route-list-rtlist]
Related commands
ip-tunnel access-route
ip-tunnel access-route
Use ip-tunnel access-route to specify the IPv4 routes to be issued to clients.
Use undo ip-tunnel access-route to restore the default.
Syntax
ip-tunnel access-route { ip-address { mask-length | mask } | force-all | ip-route-list list-name }
undo ip-tunnel access-route
Default
No IPv4 routes to be issued to clients are specified.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address { mask-length | mask }: Configures an IPv4 route to be issued to a client. The ip-address argument specifies the destination address of the IPv4 route. It cannot be a multicast, broadcast, or loopback address. The mask-length argument specifies the mask length of the route, in the range of 0 to 32. The mask argument specifies the subnet mask of the route.
force-all: Forces all IPv4 traffic of a client to be sent to the SSL VPN gateway.
ip-route-list list-name: Issues routes in the specified IPv4 route list to clients. The list-name argument specifies the IPv4 route list name, a case-insensitive string of 1 to 31 characters. The specified IPv4 route list must have been created by using the ip-route-list command.
Usage guidelines
When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway issues the configured IPv4 route or the specified IPv4 routes to the client. The client adds the IPv4 routes, using the VNIC as the output interface. Packets from the client to the internal servers match the IPv4 routes, and therefore are sent to the SSL VPN gateway through the VNIC.
To issue multiple IPv4 routes to a client, execute the ip-tunnel access-route ip-route-list list-name command. To issue an IPv4 route to a client, execute the ip-tunnel access-route ip-address { mask-length | mask } command.
After you execute the ip-tunnel access-route force-all command, the SSL VPN gateway issues a default IPv4 route to the SSL VPN client. The default IPv4 route uses the VNIC as the output interface and has the highest priority among all default IPv4 routes on the client. Packets for destinations not in the IPv4 routing table are sent to the SSL VPN gateway through the VNIC. The SSL VPN gateway monitors the SSL VPN client in real time. It does not allow the client to delete the default IPv4 route or add a default IPv4 route with a higher priority.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In the view of policy group pg1, configure the SSL VPN gateway to issue routes in IPv4 route list rtlist to a client.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ip-route-list rtlist
[Sysname-sslvpn-context-ctx1-route-list-rtlist] include 10.0.0.0 8
[Sysname-sslvpn-context-ctx1-route-list-rtlist] include 20.0.0.0 8
[Sysname-sslvpn-context-ctx1-route-list-rtlist] quit
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] ip-tunnel access-route ip-route-list rtlist
Related commands
ip-route-list
ip-tunnel address-pool (SSL VPN context view)
Use ip-tunnel address-pool to specify an IPv4 address pool for IP access in an SSL VPN context.
Use undo ip-tunnel address-pool to restore the default.
Syntax
ip-tunnel address-pool pool-name mask { mask-length | mask }
undo ip-tunnel address-pool
Default
No IPv4 address pool is specified for IP access in an SSL VPN context.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
pool-name: Specifies an IPv4 address pool by its name, a case-insensitive string of 1 to 31 characters.
mask { mask-length | mask }: Specifies the mask length or mask of the IPv4 address pool. The value range for the mask length is 1 to 30.
Usage guidelines
When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway allocates an IPv4 address to the client from either of the following address pools:
· IPv4 address pool specified for the policy group authorized to the client.
· IPv4 address pool specified for the SSL VPN context. This address pool is used only if no IPv4 address pool is specified for the policy group authorized to the client.
If no free address is available in the IPv4 address pool or the IPv4 address pool does not exist, address allocation to the client will fail and the client's IP access request will be rejected.
If you specify a nonexistent IPv4 address pool, the pool is effective for IPv4 address allocation after it is created.
You can specify only one IPv4 address pool for an SSL VPN context. If you execute this command multiple times, the most recent configuration takes effect.
For IP access users to access the SSL VPN gateway correctly, make sure the IPv4 addresses in the IPv4 address pool do not conflict with the IPv4 addresses used on the device.
Examples
# Specify IPv4 address pool pool1 for IP access.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] ip-tunnel address-pool pool1 mask 24
Related commands
sslvpn ip address-pool
ip-tunnel address-pool (SSL VPN policy group view)
Use ip-tunnel address-pool to specify an IPv4 address pool for IP access in an SSL VPN policy group.
Use undo ip-tunnel address-pool to restore the default.
Syntax
ip-tunnel address-pool pool-name mask { mask-length | mask }
undo ip-tunnel address-pool
Default
No IPv4 address pool is specified for IP access in an SSL VPN policy group.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
pool-name: Specifies an IPv4 address pool by its name, a case-insensitive string of 1 to 31 characters.
mask { mask-length | mask }: Specifies the mask length or mask of the IPv4 address pool. The value range for the mask length is 1 to 30.
Usage guidelines
When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway allocates an IPv4 address to the client from either of the following address pools:
· IPv4 address pool specified for the policy group authorized to the client.
· IPv4 address pool specified for the SSL VPN context. This address pool is used only if no IPv4 address pool is specified for the policy group authorized to the client.
If no free address is available in the IPv4 address pool or the IPv4 address pool does not exist, address allocation to the client will fail and the client's IP access request will be rejected.
If you specify a nonexistent IPv4 address pool, the pool is effective for address allocation after it is created.
You can specify only one IPv4 address pool for an SSL VPN policy group. If you execute this command for an SSL VPN policy group multiple times, the most recent configuration takes effect.
For IP access users to access the SSL VPN gateway correctly, make sure the IPv4 addresses in the address pool do not conflict with the IPv4 addresses used on the device.
Examples
# Specify IPv4 address pool pool1 for IP access in SSL VPN policy group pg1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] ip-tunnel address-pool pool1 mask 24
Related commands
sslvpn ip address-pool
ip-tunnel bind address
Use ip-tunnel bind address to bind IPv4 addresses to an SSL VPN user.
Use undo ip-tunnel bind address to restore the default.
Syntax
ip-tunnel bind address { ip-address-list | auto-allocate number }
undo ip-tunnel bind address
Default
An SSL VPN user is not bound to IPv4 addresses.
Views
SSL VPN user view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address-list: Specifies an IPv4 address list, a string of 1 to 255 characters, which can contain digits, dots (.), commas (,), and hyphens (-). The IPv4 address list specifies comma-separated IP address items. Each item specifies an IPv4 address or specifies a range of IPv4 addresses in the form of start IP address-end IP address. For example, 10.1.1.5,10.1.1.10-10.1.1.20. The IPv4 address list can contain a maximum of 10000 addresses excluding multicast addresses, broadcast addresses, and loopback addresses.
auto-allocate number: Enables the SSL VPN gateway to automatically bind the specified number of free IPv4 addresses to the user. The value range for the number argument is 1 to 10.
Usage guidelines
When an SSL VPN user accesses the SSL VPN gateway in IP access mode, the SSL VPN gateway must assign an IPv4 address to the user. This command allows you to specify the IPv4 addresses that can be assigned to a user.
You can bind IPv4 addresses to an SSL VPN user as follows:
· Use the ip-address-list argument to bind a list of IPv4 addresses to the user.
When the user accesses the SSL VPN gateway in IP access mode, the SSL VPN gateway assigns a bound IPv4 address to the user.
If an IPv4 address has been assigned to another user, the SSL VPN gateway terminates the connection for that user and releases the IPv4 address.
· Use the auto-allocate number option to enable the SSL VPN gateway to automatically bind the specified number of free addresses in the IPv4 access address pool to the user.
The IPv4 addresses to be bound to an SSL VPN user must meet the following requirements:
· If an IPv4 access address pool is specified for the SSL VPN policy group authorized to the user, the IPv4 addresses must exist in the address pool.
· If no address pool is specified for the SSL VPN policy group, the IPv4 addresses must exist in the address pool specified for the SSL VPN context of the user.
You can bind the same IPv4 address to different SSL VPN users only when the SSL VPN contexts of the users are associated with different VPN instances.
If you configure this command multiple times, the most recent configuration takes effect.
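A parser for the ip-address-list operand of ip-tunnel bind address, with the pool check and a small model of the documented assignment behaviour, added here as an illustration and not device code. Assumptions not spelled out in the command text: multicast, loopback and 255.255.255.255 items are rejected outright, the pool the addresses must exist in is modelled as one IPv4 network given as CIDR, and a free bound address is preferred before another user's connection is terminated. The sample list and pool are constructed.

```python
"""
ip-tunnel bind address: list parsing, pool membership check, and the
"reclaim from another user" assignment rule. Added illustration, not
device code; assumptions are in the lead-in.
"""
import ipaddress
import re
from typing import Dict, List, Set

MAX_LIST_CHARS = 255
MAX_BOUND_ADDRESSES = 10000
_ALLOWED_CHARS = re.compile(r"^[0-9.,-]+$")
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def parse_bind_list(ip_address_list: str) -> List[ipaddress.IPv4Address]:
    """Expand '10.1.1.5,10.1.1.10-10.1.1.20' into distinct addresses, in list order."""
    if not 1 <= len(ip_address_list) <= MAX_LIST_CHARS:
        raise ValueError("the list must be 1 to 255 characters")
    if not _ALLOWED_CHARS.match(ip_address_list):
        raise ValueError("only digits, dots, commas and hyphens are allowed")
    seen: Set[ipaddress.IPv4Address] = set()
    result: List[ipaddress.IPv4Address] = []
    for item in ip_address_list.split(","):
        if "-" in item:
            start_text, end_text = item.split("-", 1)
            start = ipaddress.IPv4Address(start_text)
            end = ipaddress.IPv4Address(end_text)
            if end < start:
                raise ValueError(f"range {item}: end address precedes start address")
        else:
            start = end = ipaddress.IPv4Address(item)
        # Check the size before expanding so a huge range cannot exhaust memory.
        if len(result) + int(end) - int(start) + 1 > MAX_BOUND_ADDRESSES:
            raise ValueError("the list contains more than 10000 addresses")
        for value in range(int(start), int(end) + 1):
            ip = ipaddress.IPv4Address(value)
            # Assumed handling of multicast, broadcast and loopback items.
            if ip.is_multicast or ip.is_loopback or ip == LIMITED_BROADCAST:
                raise ValueError(f"{ip} cannot be bound to an SSL VPN user")
            if ip not in seen:
                seen.add(ip)
                result.append(ip)
    return result


def addresses_outside_pool(addresses: List[ipaddress.IPv4Address], pool_cidr: str) -> List[str]:
    """Bound addresses must exist in the policy group's pool (or else the context's pool)."""
    pool = ipaddress.IPv4Network(pool_cidr)
    return [str(ip) for ip in addresses if ip not in pool]


class IpAccessAllocator:
    """Tracks which user currently holds each IP access address in one context."""

    def __init__(self) -> None:
        self.holder: Dict[ipaddress.IPv4Address, str] = {}
        self.terminated: List[str] = []  # users whose connection the gateway ended

    def assign_bound(self, user: str, bound: List[ipaddress.IPv4Address]) -> str:
        """Give the user one of its bound addresses, reclaiming one if all are taken."""
        for ip in bound:
            if self.holder.get(ip) in (None, user):
                self.holder[ip] = user
                return str(ip)
        # Every bound address is held by another user: terminate that user's
        # connection, release the address, and hand it to the binding owner.
        ip = bound[0]
        self.terminated.append(self.holder[ip])
        self.holder[ip] = user
        return str(ip)

    def release(self, user: str) -> None:
        """Free all addresses held by a user that logged out."""
        for ip in [ip for ip, who in self.holder.items() if who == user]:
            del self.holder[ip]
```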
Examples
# Bind IPv4 addresses 10.1.1.5, 10.1.1.10 through 10.1.1.20, and 10.1.1.30 to SSL VPN user user1.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] user user1
[Sysname-sslvpn-context-ctx-user-user1] ip-tunnel bind address 10.1.1.5,10.1.1.10-10.1.1.20,10.1.1.30
Related commands
user
ip-tunnel dns-server
Use ip-tunnel dns-server to specify an IPv4 DNS server for IP access.
Use undo ip-tunnel dns-server to restore the default.
Syntax
ip-tunnel dns-server { primary | secondary } ip-address
undo ip-tunnel dns-server { primary | secondary }
Default
No IPv4 DNS servers are specified for IP access.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
primary: Specifies the primary DNS server.
secondary: Specifies the secondary DNS server.
ip-address: Specifies the IPv4 address of the DNS server. It cannot be a multicast, broadcast, or loopback address.
Examples
# Specify the primary DNS server 1.1.1.1 for IP access.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] ip-tunnel dns-server primary 1.1.1.1
ip-tunnel interface
Use ip-tunnel interface to specify an SSL VPN AC interface for IP access in an SSL VPN context.
Use undo ip-tunnel interface to restore the default.
Syntax
ip-tunnel interface sslvpn-ac interface-number
undo ip-tunnel interface
Default
No SSL VPN AC interface is specified for IP access in an SSL VPN context.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
sslvpn-ac interface-number: Specifies the number of an SSL VPN AC interface. The interface must have been created.
Usage guidelines
The SSL VPN gateway uses the specified SSL VPN AC interface to communicate with SSL VPN users in IP access mode. It uses the SSL VPN AC interface to forward packets sent by the user to remote servers and to forward the servers' replies back to the user.
Examples
# Specify SSL VPN AC 100 for IP access.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] ip-tunnel interface sslvpn-ac 100
Related commands
interface sslvpn-ac
ip-tunnel ipv6 access-route
Use ip-tunnel ipv6 access-route to specify the IPv6 routes to be issued to clients.
Use undo ip-tunnel ipv6 access-route to restore the default.
Syntax
ip-tunnel ipv6 access-route { ipv6-address prefix-length | ipv6-route-list ipv6-list-name }
undo ip-tunnel ipv6 access-route
Default
No IPv6 routes to be issued to clients are specified.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address prefix-length: Configures an IPv6 route to be issued to a client. The ipv6-address argument specifies the destination address of the IPv6 route. It can only be a unicast or anycast address and cannot be a multicast, loopback, or link-local unicast address. The prefix-length argument specifies the prefix length of the IPv6 route, in the range of 0 to 128.
ipv6-route-list ipv6-list-name: Issues routes in the specified IPv6 route list to clients. The ipv6-list-name argument specifies the IPv6 route list name, a case-insensitive string of 1 to 31 characters. The specified IPv6 route list must have been created by using the ipv6-route-list command.
Usage guidelines
When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway issues the configured IPv6 route or the specified list of IPv6 routes to the client. The client adds the IPv6 routes, using the VNIC as the output interface. Packets from the client to the internal servers match the IPv6 routes, and therefore are sent to the SSL VPN gateway through the VNIC.
To issue multiple IPv6 routes to a client, use the ipv6-route-list ipv6-list-name option. To issue an IPv6 route to a client, use the ipv6-address prefix-length option.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In the view of policy group pg1, configure the SSL VPN gateway to issue routes in IPv6 route list ipv6rtlist to a client.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ipv6-route-list ipv6rtlist
[Sysname-sslvpn-context-ctx1-ipv6-route-list-ipv6rtlist] include ipv6 1234::100 64
[Sysname-sslvpn-context-ctx1-ipv6-route-list-ipv6rtlist] quit
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] ip-tunnel ipv6 access-route ipv6-route-list ipv6rtlist
Related commands
ipv6-route-list
ip-tunnel ipv6 access-route force-all
Use ip-tunnel ipv6 access-route force-all to configure force forwarding of all IPv6 traffic of a client to the SSL VPN gateway.
Use undo ip-tunnel ipv6 access-route force-all to restore the default.
Syntax
ip-tunnel ipv6 access-route force-all
undo ip-tunnel ipv6 access-route force-all
Default
Force forwarding of IPv6 traffic to the SSL VPN gateway is not configured.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
force-all: Forces all IPv6 traffic to be sent to the SSL VPN gateway.
Usage guidelines
After you execute this command, the SSL VPN gateway issues a default IPv6 route to the SSL VPN client. The default IPv6 route uses the VNIC as the output interface and has the highest priority among all default IPv6 routes on the client. Packets for destinations not in the IPv6 routing table are sent to the SSL VPN gateway through the VNIC. The SSL VPN gateway monitors the SSL VPN client in real time. It does not allow the client to delete the default IPv6 route or add a default IPv6 route with a higher priority.
Examples
# In SSL VPN policy group pg1, configure force forwarding of all IPv6 traffic of a client to the SSL VPN gateway.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] ip-tunnel ipv6 access-route force-all
ip-tunnel ipv6 address-pool (SSL VPN context view)
Use ip-tunnel ipv6 address-pool to specify an IPv6 address pool for IP access in an SSL VPN context.
Use undo ip-tunnel ipv6 address-pool to restore the default.
Syntax
ip-tunnel ipv6 address-pool ipv6-pool-name prefix prefix-length
undo ip-tunnel ipv6 address-pool
Default
No IPv6 address pool is specified for IP access in an SSL VPN context.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-pool-name: Specifies an IPv6 address pool by its name, a case-insensitive string of 1 to 31 characters.
prefix prefix-length: Specifies the prefix length of the IPv6 address pool. The value range is 1 to 127.
Usage guidelines
When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway allocates an IPv6 address to the client from either of the following address pools:
· IPv6 address pool specified for the policy group authorized to the client.
· IPv6 address pool specified for the SSL VPN context. This address pool is used only if no address pool is specified for the policy group authorized to the client.
If no free address is available in the IPv6 address pool or the IPv6 address pool does not exist, address allocation to the client will fail and the client's IP access request will be rejected.
If you specify a nonexistent IPv6 address pool, the pool is effective for address allocation after it is created.
You can specify only one IPv6 address pool for an SSL VPN context. If you execute this command multiple times, the most recent configuration takes effect.
For IP access users to access the SSL VPN gateway correctly, make sure the addresses in the IPv6 address pool do not conflict with the addresses used on the device.
Examples
# Specify IPv6 address pool pool1 with the prefix length of 48 for IP access.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ip-tunnel ipv6 address-pool pool1 prefix 48
ip-tunnel ipv6 address-pool (SSL VPN policy group view)
Use ip-tunnel ipv6 address-pool to specify an IPv6 address pool for IP access in an SSL VPN policy group.
Use undo ip-tunnel ipv6 address-pool to restore the default.
Syntax
ip-tunnel ipv6 address-pool ipv6-pool-name prefix prefix-length
undo ip-tunnel ipv6 address-pool
Default
No IPv6 address pool is specified for IP access in an SSL VPN policy group.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-pool-name: Specifies an IPv6 address pool by its name, a case-insensitive string of 1 to 31 characters.
prefix prefix-length: Specifies the prefix length (mask length) of the IPv6 address pool, in the range of 1 to 127.
Usage guidelines
When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway allocates an IPv6 address to the client from either of the following address pools:
· IPv6 address pool specified for the policy group authorized to the client.
· IPv6 address pool specified for the SSL VPN context. This address pool is used only if no address pool is specified for the policy group authorized to the client.
If no free address is available in the IPv6 address pool or the address pool does not exist, address allocation to the client will fail and the client's IP access request will be rejected.
If you specify a nonexistent address pool, the pool is effective for address allocation after it is created.
You can specify only one IPv6 address pool for an SSL VPN policy group. If you execute this command for an SSL VPN policy group multiple times, the most recent configuration takes effect.
For IP access users to access the SSL VPN gateway correctly, make sure the addresses in the IPv6 address pool do not conflict with the addresses used on the device.
Examples
# Specify IPv6 address pool pool1 for IP access in SSL VPN policy group pg1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] ip-tunnel ipv6 address-pool pool1 prefix 48
Related commands
sslvpn ipv6 address-pool
ip-tunnel ipv6 bind address
Use ip-tunnel ipv6 bind address to bind IPv6 addresses to an SSL VPN user.
Use undo ip-tunnel ipv6 bind address to restore the default.
Syntax
ip-tunnel ipv6 bind address { ipv6-address-list | auto-allocate number }
undo ip-tunnel ipv6 bind address
Default
An SSL VPN user is not bound to IPv6 addresses.
Views
SSL VPN user view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address-list: Specifies an IPv6 address list, a string of 1 to 459 characters, which can contain hexadecimal digits, colons (:), commas (,), and hyphens (-). The IPv6 address list specifies comma-separated IPv6 address items. Each item specifies an IPv6 address or a range of IPv6 addresses in the form of start IPv6 address-end IPv6 address. For example, 1234::10,1234::100-1234::200. The IPv6 address list can contain a maximum of 10000 addresses, which can be unicast or anycast addresses and cannot be unspecified, multicast, or loopback addresses.
auto-allocate number: Enables the SSL VPN gateway to automatically bind the specified number of free IPv6 addresses to the user. The value range for the number argument is 1 to 10.
Usage guidelines
When an SSL VPN user accesses the SSL VPN gateway in IP access mode, the SSL VPN gateway must assign an IPv6 address to the user. This command allows you to specify the IPv6 addresses that can be assigned to a user.
You can bind IPv6 addresses to an SSL VPN user as follows:
· Use the ipv6-address-list argument to bind a list of IPv6 addresses to the user.
When the user accesses the SSL VPN gateway in IP access mode, the SSL VPN gateway assigns a bound IPv6 address to the user.
If an IPv6 address has been assigned to another user, the SSL VPN gateway terminates the connection for that user and releases the IPv6 address.
· Use the auto-allocate number option to enable the SSL VPN gateway to automatically bind the specified number of free addresses in the IPv6 access address pool to the user.
The IPv6 addresses to be bound to an SSL VPN user must meet the following requirements:
· If an IPv6 access address pool is specified for the SSL VPN policy group authorized to the user, the IPv6 addresses must exist in the IPv6 address pool.
· If no IPv6 address pool is specified for the SSL VPN policy group, the IPv6 addresses must exist in the IPv6 address pool specified for the SSL VPN context of the user.
You can bind the same IPv6 address to different SSL VPN users only when the SSL VPN contexts of the users are associated with different VPN instances.
If you configure this command multiple times, the most recent configuration takes effect.
Examples
# Bind IPv6 addresses 1234::10, 1234::100 through 1234::200, and 1234::20 to SSL VPN user user1.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] user user1
[Sysname-sslvpn-context-ctx-user-user1] ip-tunnel ipv6 bind address 1234::10,1234::100-1234::200,1234::20
Related commands
user
ip-tunnel ipv6 dns-server
Use ip-tunnel ipv6 dns-server to specify an IPv6 DNS server for IP access.
Use undo ip-tunnel ipv6 dns-server to restore the default.
Syntax
ip-tunnel ipv6 dns-server { primary | secondary } ipv6-address
undo ip-tunnel ipv6 dns-server { primary | secondary }
Default
No IPv6 DNS servers are specified for IP access.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
primary: Specifies the primary DNS server.
secondary: Specifies the secondary DNS server.
ipv6-address: Specifies the IPv6 address of the DNS server. It can only be a unicast or anycast address and cannot be an unspecified, multicast, or loopback address.
Examples
# Specify the primary DNS server 1234::100 for IP access.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ip-tunnel ipv6 dns-server primary 1234::100
ip-tunnel keepalive
Use ip-tunnel keepalive to set the keepalive interval for IP access.
Use undo ip-tunnel keepalive to restore the default.
Syntax
ip-tunnel keepalive seconds
undo ip-tunnel keepalive
Default
The keepalive interval is 30 seconds for IP access.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
seconds: Specifies the keepalive interval in the range of 0 to 600 seconds. If the interval is set to 0 seconds, a client does not send keepalive messages to the SSL VPN gateway.
Usage guidelines
A client sends keepalive messages to the SSL VPN gateway to maintain sessions between them.
If an SSL VPN gateway does not receive any data or keepalive messages from a client during the session idle timeout time, it terminates the session with the client.
Set the keepalive interval to be shorter than the session idle timeout timer configured by the timeout idle command.
Examples
# Set the keepalive interval to 50 seconds for SSL VPN context ctx.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] ip-tunnel keepalive 50
ip-tunnel log
Use ip-tunnel log to enable logging for IP address allocations and releases, IP access connection close events, or IP access packet drop events.
Use undo ip-tunnel log to disable logging for IP address allocations and releases, IP access connection close events, or IP access packet drop events.
Syntax
ip-tunnel log { address-alloc-release | connection-close | packet-drop }
undo ip-tunnel log { address-alloc-release | connection-close | packet-drop }
Default
Logging is disabled for IP address allocations and releases, IP access connection close events, and IP access packet drop events.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
address-alloc-release: Enables logging for IP address allocations and releases for the VNIC of the IP access client.
connection-close: Enables logging for IP access connection close events.
packet-drop: Enables logging for IP access packet drop events.
Usage guidelines
If logging is enabled for IP address allocations and releases for the VNIC of the IP access client, the SSL VPN gateway generates logs when the VNIC's IP address is allocated or released.
If logging for IP access connection close events is enabled, the SSL VPN gateway generates logs when the connections established for SSL VPN IP access users are closed.
If logging for IP access packet drop events is enabled, the SSL VPN gateway generates logs when packets for SSL VPN IP access users are dropped.
The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable logging for IP access connection close events.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ip-tunnel log connection-close
Related commands
sslvpn context
ip-tunnel rate-limit
Use ip-tunnel rate-limit to set a rate limit for IP access upstream or downstream traffic.
Use undo ip-tunnel rate-limit to remove the rate limit set for IP access upstream or downstream traffic.
Syntax
ip-tunnel rate-limit { downstream | upstream } { kbps | pps } value
undo ip-tunnel rate-limit { downstream | upstream }
Default
No rate limit is set for IP access upstream or downstream traffic.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
downstream: Specifies the IP access downstream traffic, which is sent by internal servers to IP access users.
upstream: Specifies the IP access upstream traffic, which is sent by IP access users to internal servers.
kbps: Sets the unit of measurement for the rate limit to kilobits per second.
pps: Sets the unit of measurement for the rate limit to packets per second.
value: Sets the rate limit value, in the range of 1000 to 100000000.
Usage guidelines
You can set a rate limit for IP access upstream and downstream traffic, respectively. If you set the rate limit for the same traffic direction multiple times, the most recent configuration takes effect.
If the IP access upstream or downstream traffic exceeds the rate limit, subsequent upstream or downstream traffic will be discarded.
Examples
# In SSL VPN context ctx1, set the rate limit to 10000 pps for IP access upstream traffic.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ip-tunnel rate-limit upstream pps 10000
ip-tunnel web-resource auto-push
Use ip-tunnel web-resource auto-push to enable automatic pushing of accessible resources to IP access users through the Web page.
Use undo ip-tunnel web-resource auto-push to disable automatic pushing of accessible resources to IP access users through the Web page.
Syntax
ip-tunnel web-resource auto-push
undo ip-tunnel web-resource auto-push
Default
Automatic pushing of accessible resources to IP access users through the Web page is disabled.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This feature enables automatic pushing of accessible resources to a user through the Web page after the user logs in to the SSL VPN gateway through the IP access client (iNode client).
This feature is available only for users that use the iNode client in Windows. You can install the iNode client by using one of the following methods:
· Log in to the SSL VPN gateway from a Web browser, and then download and install the iNode client that comes with the device.
· Install the iNode client downloaded from the official website. Select the iNode installation package for VPN gateway generation when customizing the iNode client. If you do not select this option, the user will be automatically logged out because the SSL VPN gateway cannot detect that the iNode client is logged in.
Examples
# Enable automatic pushing of accessible resources to IP access users through the Web page in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ip-tunnel web-resource auto-push
ip-tunnel wins-server
Use ip-tunnel wins-server to specify an IPv4 WINS server for IP access.
Use undo ip-tunnel wins-server to restore the default.
Syntax
ip-tunnel wins-server { primary | secondary } ip-address
undo ip-tunnel wins-server { primary | secondary }
Default
No IPv4 WINS servers are specified for IP access.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
primary: Specifies the primary WINS server.
secondary: Specifies the secondary WINS server.
ip-address: Specifies the IPv4 address of the WINS server. It cannot be a multicast, broadcast, or loopback address.
Examples
# Specify the primary WINS server 1.1.1.1 for IP access.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] ip-tunnel wins-server primary 1.1.1.1
ipv6 address
Use ipv6 address to configure an IPv6 address and a port number for an SSL VPN gateway.
Use undo ipv6 address to restore the default.
Syntax
ipv6 address ipv6-address [ port port-number ]
undo ipv6 address
Default
No IPv6 address is configured for an SSL VPN gateway.
Views
SSL VPN gateway view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-address: Specifies an IPv6 address for the SSL VPN gateway, a 16-byte hexadecimal string separated by colons.
port port-number: Specifies a port number for the SSL VPN gateway. The port number is 443 (the default value) or in the range of 1025 to 65535.
Usage guidelines
A remote user uses the IPv6 address and port number configured by this command to access an SSL VPN gateway.
The specified IPv6 address must be the address of an interface on the gateway device and must be reachable from both clients and internal servers.
Do not use the management address of the device as the IPv6 address of the SSL VPN gateway.
The IPv6 address and port number of an SSL VPN gateway cannot both be the same as those of the HTTPS server on the device. Otherwise, that IPv6 address and port number reach only the SSL VPN Web interface and cannot be used to access the device management Web interface.
If you execute this command multiple times, the most recent configuration takes effect.
An SSL VPN gateway can use either an IPv4 address or an IPv6 address, but not both. If you configure both IPv4 and IPv6 addresses, the most recent configuration takes effect. (The IPv4 address is configured by using the ip address command.)
Examples
# Configure the IPv6 address of SSL VPN gateway gw1 as 200::1 and the port number as 8000.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] ipv6 address 200::1 port 8000
Related commands
display sslvpn gateway
ip address
ipv6 range
Use ipv6 range to specify an IPv6 address range for an SSL VPN SNAT address pool.
Use undo ipv6 range to restore the default.
Syntax
ipv6 range start-ipv6-address end-ipv6-address
undo ipv6 range
Default
No IPv6 address range is specified for an SSL VPN SNAT address pool.
Views
SSL VPN SNAT address pool view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
start-ipv6-address end-ipv6-address: Specifies the start and end IPv6 addresses. The end IPv6 address must be greater than or equal to the start IPv6 address.
Usage guidelines
The addresses in the address range are equally assigned to all security modules. The number of addresses in the address range must be greater than or equal to the number of security modules.
A SNAT address pool can have a maximum of 65535 IPv6 addresses. No overlapping IPv6 addresses are allowed in different SNAT address pools.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify IPv6 address range 1234::100 to 1234::200 for SNAT address pool spool1.
<Sysname> system-view
[Sysname] sslvpn snat-pool spool1
[Sysname-sslvpn-snatpool-spool1] ipv6 range 1234::100 1234::200
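The two IPv6 address formats above (the comma-separated ipv6-address-list of ip-tunnel ipv6 bind address, and the start/end range of ipv6 range for a SNAT address pool) are easy to get subtly wrong in a change request before the line ever reaches the device. The following added example, written for this page and not code from the device or its vendor, checks both offline against the limits the command reference states: list length 1 to 459 characters, allowed characters, unicast/anycast endpoints only, at most 10000 addresses per bind list, end address not lower than start address, at most 65535 addresses per SNAT pool, and no overlap between SNAT pools. Function names such as parse_bind_list and check_snat_pools and all sample inputs are constructed for the example.

```python
"""Offline checks for the IPv6 address syntax used by two SSL VPN commands:
the ipv6-address-list of ip-tunnel ipv6 bind address and the start/end
range of ipv6 range (SNAT address pool). Limits are taken from the command
reference; the function names and sample inputs are constructed."""
from ipaddress import IPv6Address
from typing import Dict, List, Optional, Tuple

BIND_LIST_MAX_LEN = 459       # length limit of the ipv6-address-list string
BIND_LIST_MAX_ADDRS = 10000   # addresses one bind list may contain
BIND_LIST_CHARS = set("0123456789abcdefABCDEF:,-")
SNAT_POOL_MAX_ADDRS = 65535   # addresses one SNAT address pool may contain


def parse_range(item: str) -> Tuple[IPv6Address, IPv6Address]:
    """Parse 'addr' or 'start-end' and enforce end >= start."""
    parts = item.split("-")
    if len(parts) == 1:
        start = end = IPv6Address(parts[0])
    elif len(parts) == 2:
        start, end = IPv6Address(parts[0]), IPv6Address(parts[1])
    else:
        raise ValueError(f"{item!r}: malformed address item")
    if end < start:
        raise ValueError(f"{item!r}: end address is lower than start address")
    return start, end


def check_bindable(addr: IPv6Address) -> None:
    """Bound addresses must be unicast or anycast: reject ::, ff00::/8 and ::1."""
    if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
        raise ValueError(f"{addr}: unspecified, multicast and loopback addresses cannot be bound")


def parse_bind_list(text: str) -> List[Tuple[IPv6Address, IPv6Address]]:
    """Validate an ipv6-address-list and return its (start, end) ranges."""
    if not 1 <= len(text) <= BIND_LIST_MAX_LEN:
        raise ValueError(f"address list must be 1 to {BIND_LIST_MAX_LEN} characters")
    bad = sorted(set(text) - BIND_LIST_CHARS)
    if bad:
        raise ValueError(f"address list contains invalid characters: {bad}")
    ranges = []
    for item in text.split(","):
        start, end = parse_range(item)
        check_bindable(start)
        check_bindable(end)
        ranges.append((start, end))
    total = sum(int(end) - int(start) + 1 for start, end in ranges)
    if total > BIND_LIST_MAX_ADDRS:
        raise ValueError(f"list holds {total} addresses, limit is {BIND_LIST_MAX_ADDRS}")
    return ranges


def bind_list_error(text: str) -> Optional[str]:
    """Return the first validation error for a bind list, or None if it is valid."""
    try:
        parse_bind_list(text)
    except ValueError as exc:
        return str(exc)
    return None


def check_snat_pools(pools: Dict[str, Tuple[str, str]]) -> Dict[str, int]:
    """Validate the ipv6 range of each SNAT pool (end >= start, at most 65535
    addresses) and reject overlap between pools. Returns each pool's size."""
    parsed: Dict[str, Tuple[IPv6Address, IPv6Address]] = {}
    for name, (start_s, end_s) in pools.items():
        start, end = parse_range(f"{start_s}-{end_s}")
        size = int(end) - int(start) + 1
        if size > SNAT_POOL_MAX_ADDRS:
            raise ValueError(f"pool {name}: {size} addresses exceeds {SNAT_POOL_MAX_ADDRS}")
        parsed[name] = (start, end)
    # Sort by start address; neighbours overlap if the next start <= previous end.
    ordered = sorted(parsed, key=lambda n: parsed[n][0])
    for prev, nxt in zip(ordered, ordered[1:]):
        if parsed[nxt][0] <= parsed[prev][1]:
            raise ValueError(f"pools {prev} and {nxt} overlap")
    return {n: int(parsed[n][1]) - int(parsed[n][0]) + 1 for n in parsed}


def snat_pools_error(pools: Dict[str, Tuple[str, str]]) -> Optional[str]:
    """Return the first validation error for a set of SNAT pools, or None."""
    try:
        check_snat_pools(pools)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs: the list from the bind-address example and two pools.
    print(parse_bind_list("1234::10,1234::100-1234::200,1234::20"))
    print(check_snat_pools({"spool1": ("1234::100", "1234::200"),
                            "spool2": ("1234::300", "1234::3ff")}))
    print(bind_list_error("1234::10,ff02::1"))
    print(snat_pools_error({"a": ("1234::100", "1234::200"),
                            "b": ("1234::1ff", "1234::300")}))
```

The overlap check sorts pools by start address and compares each neighbour pair, which is enough because ranges are contiguous; a range spanning into multicast space is caught only at its endpoints, so keep bind ranges inside a single unicast prefix as the examples on this page do.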
ipv6-route-list
Use ipv6-route-list to create an IPv6 route list for an SSL VPN context and enter its view, or enter the view of an existing IPv6 route list.
Use undo ipv6-route-list to delete an IPv6 route list.
Syntax
ipv6-route-list ipv6-list-name
undo ipv6-route-list ipv6-list-name
Default
No IPv6 route lists exist.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-list-name: Specifies a name for the IPv6 route list, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can add IPv6 routes to an IPv6 route list. The IPv6 routes can be issued to IP access clients for them to access internal servers behind the SSL VPN gateway.
You cannot delete an IPv6 route list that is used by a policy group. To delete the IPv6 route list, execute the undo ip-tunnel access-route ipv6 command to remove the configuration and then execute the undo ipv6-route-list command.
Examples
# In SSL VPN context ctx1, create an IPv6 route list named ipv6rtlist and enter its view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ipv6-route-list ipv6rtlist
[Sysname-sslvpn-context-ctx1-ipv6-route-list-ipv6rtlist]
Related commands
ip-tunnel ipv6 access-route
local-port
Use local-port to configure a port forwarding instance for a port forwarding item.
Use undo local-port to remove the configuration.
Syntax
local-port local-port-number local-name local-name remote-server remote-server remote-port remote-port-number [ description text ]
undo local-port
Default
A port forwarding item does not contain a port forwarding instance.
Views
Port forwarding item view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
local-port-number: Specifies a local port number in the range of 1 to 65535. The specified port number must be different from the port numbers of any existing services on the SSL VPN client.
local-name local-name: Specifies a local address or a local host name, a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.). To specify an IPv4 address, use an address in the network segment 127.0.0.0/8. To specify an IPv6 address, enclose the IPv6 address in brackets. For example, local-name [1234::5678].
remote-server remote-server: Specifies the IP address or domain name of a TCP service on an internal server. The remote-server argument is a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.). To specify an IPv6 address, enclose the IPv6 address in brackets. For example, remote-server [1234::5678].
remote-port remote-port-number: Specifies the port number of the TCP service on the internal server, in the range of 1 to 65535.
description text: Specifies a description, a case-sensitive string of 1 to 63 characters.
Usage guidelines
A port forwarding instance maps a TCP service on an internal server to a local address and port number on an SSL VPN client.
For example, for an SSL VPN client to use local address 127.0.0.1 and port 80 to access the internal HTTP server 192.168.0.213, perform the following tasks:
1. Create a port forwarding item (tcp1 in this example).
2. Configure a port forwarding instance for the port forwarding item.
local-port 80 local-name 127.0.0.1 remote-server 192.168.0.213 remote-port 80
The port forwarding instance will be displayed together with the port forwarding item name on the SSL VPN Web page. In this example, tcp1 (127.0.0.1:80 -> 192.168.0.213) will be displayed.
If you map a TCP service to a local host name, the TCP access client software will add the IP address corresponding to the host name to the host file hosts. When the client logs out, the software restores the original host file. The host file hosts is in the directory C:\Windows\System32\drivers\etc of the client host.
You can configure only one port forwarding instance for a port forwarding item. If you execute this command for a port forwarding item multiple times, the most recent configuration takes effect.
Examples
# Configure a port forwarding instance for port forwarding item pfitem1. The port forwarding instance maps IP address 192.168.0.213 and port 80 of the internal HTTP server to local address 127.0.0.1 and port 80.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] port-forward-item pfitem1
[Sysname-sslvpn-context-ctx1-port-forward-item-pfitem1] local-port 80 local-name 127.0.0.1 remote-server 192.168.0.213 remote-port 80 description http
Related commands
port-forward-item
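The mapping described in the usage guidelines above, built and checked before it is typed into the device, as an added example written for this page (not the device's or vendor's code). It applies the stated constraints: ports in 1 to 65535, a local-name that is an IPv4 address in 127.0.0.0/8 (so the forwarded port is reachable only from the client host itself), a bracketed IPv6 address, or a host name of allowed characters, a description of 1 to 63 characters; it also renders the Web page entry in the form shown above, tcp1 (127.0.0.1:80 -> 192.168.0.213), and the local-port command line. The names build_instance, PortForwardInstance and normalize_endpoint and the sample values are constructed for the example.

```python
"""Build and validate an SSL VPN port forwarding instance for the local-port
command. Constraints come from the command reference; the class and function
names and the example values are constructed, not taken from a device."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# local-name and remote-server: letters, digits, underscores, hyphens, dots.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,253}$")
CLIENT_LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def normalize_endpoint(value: str, loopback_only: bool) -> str:
    """Validate a local-name or remote-server value.

    Bracketed values are IPv6 addresses; plain dotted-quad values are IPv4
    addresses (a local-name must fall in 127.0.0.0/8 so the forwarded port is
    not exposed on the client's LAN); anything else must be a host name.
    """
    if value.startswith("[") and value.endswith("]"):
        return f"[{ipaddress.IPv6Address(value[1:-1])}]"
    try:
        addr = ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        if not HOSTNAME_RE.match(value):
            raise ValueError(f"{value!r}: not an IP address or a valid host name")
        return value
    if loopback_only and addr not in CLIENT_LOOPBACK:
        raise ValueError(f"{value}: a local-name IPv4 address must be in 127.0.0.0/8")
    return str(addr)


def check_port(port: int, what: str) -> int:
    """Ports on both ends of the mapping are limited to 1 to 65535."""
    if not 1 <= port <= 65535:
        raise ValueError(f"{what} {port} is outside 1 to 65535")
    return port


@dataclass(frozen=True)
class PortForwardInstance:
    item: str            # port forwarding item name, e.g. tcp1
    local_port: int
    local_name: str
    remote_server: str
    remote_port: int
    description: Optional[str] = None

    def display(self) -> str:
        """The entry shown on the SSL VPN Web page: item (local -> server)."""
        return f"{self.item} ({self.local_name}:{self.local_port} -> {self.remote_server})"

    def command(self) -> str:
        """The local-port command line that configures this instance."""
        line = (f"local-port {self.local_port} local-name {self.local_name} "
                f"remote-server {self.remote_server} remote-port {self.remote_port}")
        if self.description:
            line += f" description {self.description}"
        return line


def build_instance(item: str, local_port: int, local_name: str, remote_server: str,
                   remote_port: int, description: Optional[str] = None) -> PortForwardInstance:
    """Validate every argument and return a PortForwardInstance."""
    if description is not None and not 1 <= len(description) <= 63:
        raise ValueError("description must be 1 to 63 characters")
    return PortForwardInstance(
        item=item,
        local_port=check_port(local_port, "local port"),
        local_name=normalize_endpoint(local_name, loopback_only=True),
        remote_server=normalize_endpoint(remote_server, loopback_only=False),
        remote_port=check_port(remote_port, "remote port"),
        description=description,
    )


def instance_error(*args, **kwargs) -> Optional[str]:
    """Return the validation error for build_instance's arguments, or None."""
    try:
        build_instance(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed values matching the usage-guideline example on this page.
    inst = build_instance("tcp1", 80, "127.0.0.1", "192.168.0.213", 80, "http")
    print(inst.display())
    print(inst.command())
    print(instance_error("tcp1", 80, "192.168.1.5", "192.168.0.213", 80))
```

The local port conflict the parameter description warns about (a port already used by a service on the client) cannot be checked from the configuration alone; it has to be verified on the client host.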
log resource-access enable
Use log resource-access enable to enable resource access logging.
Use undo log resource-access enable to disable resource access logging.
Syntax
log resource-access enable [ brief | filtering ] *
undo log resource-access enable
Default
Resource access logging is disabled.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
brief: Records brief resource access information. If you specify this keyword, only the address and port number of the accessed resource will be recorded. If you do not specify this keyword, a large amount of information including webpage formatting information will be recorded.
filtering: Enables resource access log filtering. With this keyword specified, the device generates only one log for accesses of the same user to the same resource in a minute. If this keyword is not specified, the device generates a log for each resource access.
Usage guidelines
This feature logs resource accesses of SSL VPN users. The logs are sent to the information center of the device.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output SSL VPN resource access logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view SSL VPN resource access logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Network Management and Monitoring Configuration Guide.
If you execute the log resource-access enable command multiple times, the most recent configuration takes effect.
Examples
# Enable resource access logging.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] log resource-access enable
log user-login enable
Use log user-login enable to enable logging for user login and logoff events.
Use undo log user-login enable to disable logging for user login and logoff events.
Syntax
log user-login enable
undo log user-login enable
Default
Logging for user login and logoff events is disabled.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This feature logs user login and logoff events. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable logging for user logins and logouts.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] log user-login enable
login-message
Use login-message to configure the welcome message to be displayed on the SSL VPN login page.
Use undo login-message to restore the default.
Syntax
login-message { chinese chinese-message | english english-message }
undo login-message { chinese | english }
Default
The login welcome message is Welcome to SSL VPN.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
chinese chinese-message: Configures a login welcome message for the Chinese Web interface, a case-sensitive string of 1 to 255 characters.
english english-message: Configures a login welcome message for the English Web interface, a case-sensitive string of 1 to 255 characters.
Examples
# Configure the login welcome message as hello.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] login-message english hello
logo
Use logo to specify a logo to be displayed on SSL VPN webpages.
Use undo logo to restore the default.
Syntax
logo { file file-name | none }
undo logo
Default
The logo displayed on SSL VPN webpages is H3C.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
file file-name: Specifies a logo file by its name, a case-insensitive string of 1 to 255 characters. The file must be a .gif, .jpg, or .png file, and its size cannot exceed 100 KB. As a best practice, use a file whose image resolution is 110*30 pixels.
none: Specifies that no logo is displayed.
Usage guidelines
The specified logo file must exist on the local device.
After you specify a logo file, the logo is displayed on SSL VPN webpages even if the file is deleted.
Examples
# Specify the logo in file flash:/mylogo.gif as the logo displayed on SSL VPN webpages.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] logo file flash:/mylogo.gif
max-onlines
Use max-onlines to set the maximum number of concurrent logins for each account.
Use undo max-onlines to restore the default.
Syntax
max-onlines number
undo max-onlines
Default
The maximum number of concurrent logins for each account is 32.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
number: Specifies the maximum number, in the range of 0 to 1048575. Value 0 indicates that the number of concurrent logins for each account is not limited.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the maximum number of concurrent logins for each account to 50.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] max-onlines 50
max-users
Use max-users to set the maximum number of sessions for an SSL VPN context.
Use undo max-users to restore the default.
Syntax
max-users max-number
undo max-users
Default
An SSL VPN context supports a maximum of 1048575 sessions.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
max-number: Specifies the maximum number of sessions, in the range of 1 to 1048575.
Usage guidelines
If the limit is reached, new users cannot access the SSL VPN gateway.
Examples
# Set the maximum number of sessions to 500 for SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] max-users 500
Related commands
display sslvpn context
message-server
Use message-server to specify a message server for mobile clients.
Use undo message-server to restore the default.
Syntax
message-server address { host-name | ipv4-address } port port-number
undo message-server
Default
No message server is specified for mobile clients.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
address: Specifies the host name or IPv4 address of the message server.
host-name: Specifies the host name of the message server, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).
ipv4-address: Specifies the IPv4 address of the message server, in dotted decimal notation. The IP address cannot be a multicast, broadcast, or loopback address.
port port-number: Specifies the port number of the message server, in the range of 1025 to 65535.
Usage guidelines
A message server provides services for mobile clients. The SSL VPN gateway issues the message server information to the clients, and the clients can access the message server.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the IP address of the message server as 10.10.1.1 and the port number as 8000 for context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] message-server address 10.10.1.1 port 8000
Related commands
sslvpn context
mobile-num
Use mobile-num to specify the mobile number for receiving SMS messages.
Use undo mobile-num to restore the default.
Syntax
mobile-num number
undo mobile-num
Default
No mobile number is specified for receiving SMS messages.
Views
SSL VPN user view
Predefined user roles
network-admin
context-admin
Parameters
number: Specifies the mobile number, a string of 1 to 31 digits.
Usage guidelines
Non-default vSystems do not support this command.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the mobile number as 111111 for user user1 to receive SMS messages.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] user user1
[Sysname-sslvpn-context-ctx1-user-user1] mobile-num 111111
mobile-num-binding enable
Use mobile-num-binding enable to enable mobile number binding.
Use undo mobile-num-binding enable to disable mobile number binding.
Syntax
mobile-num-binding enable
undo mobile-num-binding enable
Default
Mobile number binding is disabled.
Views
SMS gateway authentication view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
After SMS gateway authentication is enabled, a user must complete authentication through SMS messages to log in to the SSL VPN gateway.
· If the mobile number binding feature is enabled, the SSL VPN gateway displays Please enter mobile number for the user at the first login of the user. The user will use the entered mobile number to receive SMS messages for authentication. The SSL VPN gateway will bind the mobile number to the user and will not ask the user for the mobile number in subsequent logins.
· If the mobile number binding feature is disabled, the SSL VPN gateway will use the mobile number specified in SSL VPN user view for authentication of the user. If no mobile number is specified in SSL VPN user view, the login will fail.
If a mobile number is specified in SSL VPN user view, the mobile number binding feature does not take effect for the user. The SMS gateway always sends SMS messages to the specified mobile number for authentication of the user.
Examples
# Enable mobile number binding in SMS gateway authentication view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] sms-auth sms-gw
[Sysname-sslvpn-context-ctx1-sms-auth-sms-gw] mobile-num-binding enable
Related commands
mobile-num
mtu
Use mtu to set the MTU of an SSL VPN AC interface.
Use undo mtu to restore the default.
Syntax
mtu size
undo mtu
Default
The default MTU is 1500 bytes.
Views
SSL VPN AC interface view
Predefined user roles
network-admin
context-admin
Parameters
size: Specifies an MTU value in the range of 100 to 64000 bytes.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Set the MTU of interface SSL VPN AC 1000 to 1430 bytes.
<Sysname> system-view
[Sysname] interface sslvpn-ac 1000
[Sysname-SSLVPN-AC1000] mtu 1430
new-content
Use new-content to specify the new content used to replace the old content.
Use undo new-content to restore the default.
Syntax
new-content string
undo new-content
Default
The new content used to replace the old content is not specified.
Views
Rewrite rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
string: Specifies the new content, a case-sensitive string of 1 to 256 characters.
Usage guidelines
During file content rewriting, the new content will replace the old content specified by using the old-content command.
If the new content contains spaces, enclose the content in double quotation marks.
Examples
# Specify the new content in rewrite rule rule1 of file policy fp.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] file-policy fp
[Sysname-sslvpn-context-ctx-file-policy-fp] rewrite-rule rule1
[Sysname-sslvpn-context-ctx-file-policy-fp-rewrite-rule-rule1] new-content sslvpn_rewrite_htmlcode(d)
Related commands
old-content
notify-message
Use notify-message to configure a notification message to be displayed on a webpage.
Use undo notify-message to restore the default.
Syntax
notify-message { login-page | resource-page } { chinese chinese-message | english english-message }
undo notify-message { login-page | resource-page } { chinese | english }
Default
No notification message is configured.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
login-page: Specifies the SSL VPN gateway login page.
resource-page: Specifies the SSL VPN gateway resource page.
chinese chinese-message: Specifies the notification message to be displayed on the Chinese Web interface, a case-sensitive string of 1 to 255 characters.
english english-message: Specifies the notification message to be displayed on the English Web interface, a case-sensitive string of 1 to 255 characters.
Usage guidelines
Execute this command to configure a notification message displayed on the SSL VPN login page or resource page. The message is generally used to notify users to change their passwords.
In an SSL VPN context, if you execute this command multiple times for the same page of the same language, the most recent configuration takes effect.
Examples
# In SSL VPN context ctx1, specify the notification message on the SSL VPN gateway login page as Please change the password after login.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] notify-message login-page english Please change the password after login
old-content
Use old-content to specify the old file content to be rewritten.
Use undo old-content to restore the default.
Syntax
old-content string
undo old-content
Default
The old file content to be rewritten is not specified.
Views
Rewrite rule view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
string: Specifies the old content, a case-sensitive string of 1 to 256 characters.
Usage guidelines
During file content rewriting, the old file content will be replaced by the new content specified by using the new-content command.
If the old content contains spaces, enclose the content in double quotation marks.
In the same file policy, the old content specified in different rewrite rules must be unique.
Examples
# Specify the content to be rewritten in rewrite rule rule1 of file policy fp.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] file-policy fp
[Sysname-sslvpn-context-ctx-file-policy-fp] rewrite-rule rule1
[Sysname-sslvpn-context-ctx-file-policy-fp-rewrite-rule-rule1] old-content "a.b.c.innerHTML = d;"
Related commands
new-content
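The old-content and new-content entries above describe a literal, case-sensitive replacement applied while the gateway rewrites a server response, with the constraint that old content must be unique within one file policy. The following constructed Python model (an added example, not device code or the vendor's implementation) applies a small file policy to a script fragment and enforces that uniqueness constraint. It assumes rules are applied in creation order and that every occurrence of the old content is replaced; the page does not state either detail.

```python
"""Model of SSL VPN file-policy rewrite rules (constructed example, not device code).

A file policy holds named rewrite rules; each pairs an old-content string with a
new-content string. Matching is literal and case-sensitive, and within one
policy the old content of different rules must be unique (page constraint).
Assumptions: rules apply in creation order and all occurrences are replaced.
"""
from typing import Dict, List, Tuple


class FilePolicy:
    def __init__(self, name: str) -> None:
        self.name = name
        self._rules: Dict[str, Tuple[str, str]] = {}   # rule name -> (old, new)

    def rewrite_rule(self, rule: str, old_content: str, new_content: str) -> None:
        """Equivalent of rewrite-rule <rule> followed by old-content / new-content."""
        for s in (old_content, new_content):
            if not 1 <= len(s) <= 256:
                raise ValueError("content must be 1 to 256 characters")
        # Same old content in two different rules of one policy is rejected;
        # re-issuing the command for the same rule simply overwrites it.
        for other, (old, _) in self._rules.items():
            if other != rule and old == old_content:
                raise ValueError(f"old-content already used by rule {other}")
        self._rules[rule] = (old_content, new_content)

    def apply(self, body: str) -> Tuple[str, List[str]]:
        """Rewrite one server response body; return the new body and the rules that hit."""
        hits: List[str] = []
        for rule, (old, new) in self._rules.items():
            if old in body:
                body = body.replace(old, new)
                hits.append(rule)
        return body, hits


def demo() -> Tuple[str, List[str]]:
    fp = FilePolicy("fp")
    # rule1 is the page's own example: a DOM write replaced by a gateway hook.
    fp.rewrite_rule("rule1", "a.b.c.innerHTML = d;", "sslvpn_rewrite_htmlcode(d)")
    # rule2 is hypothetical, with different old content so the policy accepts it.
    fp.rewrite_rule("rule2", "window.location.host", "sslvpn_rewrite_host()")
    # Constructed script fragment standing in for a server response body.
    script = ("var d = fetch_html();\n"
              "a.b.c.innerHTML = d;\n"
              "if (window.location.host != origin) { a.b.c.innerHTML = d; }\n")
    return fp.apply(script)
```

Because the match is literal, the old content must reproduce the server's text exactly, including spacing and the trailing semicolon; at the CLI that is why content with spaces has to be quoted.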
password-authentication enable
Use password-authentication enable to enable username/password authentication.
Use undo password-authentication enable to disable username/password authentication.
Syntax
password-authentication enable
undo password-authentication enable
Default
Username/password authentication is enabled for an SSL VPN context.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Examples
# Disable username/password authentication for SSL VPN context ctx.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] undo password-authentication enable
Related commands
certificate-authentication enable
display sslvpn context
password-box hide
Use password-box hide to hide the password input box on the SSL VPN Web login page.
Use undo password-box hide to display the password input box on the SSL VPN Web login page.
Syntax
password-box hide
undo password-box hide
Default
The password input box is displayed on the SSL VPN Web login page.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
If you want users to log in to the SSL VPN webpage by using authentication methods other than the username/password method, hide the password input box and configure the intended authentication methods.
After the password input box is hidden, username/password authentication (if still enabled) runs against an empty password, so only SSL VPN users with empty passwords can log in through the username/password authentication method. If username/password authentication is not wanted at all, disable it with the undo password-authentication enable command rather than relying on the hidden box.
Examples
# Hide the password input box on the SSL VPN Web login page.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] password-box hide
password-changing enable (SSL VPN context view)
Use password-changing enable to enable SSL VPN users to modify passwords.
Use undo password-changing enable to disable SSL VPN users from modifying passwords.
Syntax
password-changing enable
undo password-changing enable
Default
SSL VPN users are allowed to modify passwords.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The password modification feature allows you to determine whether SSL VPN users in the SSL VPN context can modify their login passwords.
If you enable this feature, SSL VPN users that log in to the SSL VPN Web interface can modify the login password on the personal settings page. If you disable this feature, the modify password function will be hidden on the SSL VPN Web interface, so users cannot modify their passwords.
An SSL VPN user is able to modify the password only when password modification is enabled in both SSL VPN user view and SSL VPN context view.
Examples
# Enable password modification for SSL VPN users in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] password-changing enable
Related commands
display sslvpn context
password-changing enable (SSL VPN user view)
password-changing enable (SSL VPN user view)
Use password-changing enable to enable an SSL VPN user to modify the password.
Use undo password-changing enable to disable an SSL VPN user from modifying the password.
Syntax
password-changing enable
undo password-changing enable
Default
An SSL VPN user is allowed to modify the password.
Views
SSL VPN user view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The password modification feature allows you to determine whether the specified SSL VPN user can modify the login password.
If you enable this feature, a user that logs in to the SSL VPN Web interface can modify the login password on the personal settings page. If you disable this feature, the modify password function will be hidden on the SSL VPN Web interface, so a user cannot modify the password.
Examples
# Enable password modification for SSL VPN user user1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] user user1
[Sysname-sslvpn-context-ctx1-user-user1] password-changing enable
Related commands
password-changing enable (SSL VPN context view)
password-complexity-message
Use password-complexity-message to configure a password complexity message.
Use undo password-complexity-message to restore the default.
Syntax
password-complexity-message { chinese chinese-message | english english-message }
undo password-complexity-message { chinese | english }
Default
No password complexity message is configured.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
chinese chinese-message: Specifies the password complexity message to be displayed on the Chinese Web interface, a case-sensitive string of 1 to 255 characters.
english english-message: Specifies the password complexity message to be displayed on the English Web interface, a case-sensitive string of 1 to 255 characters.
Usage guidelines
The password complexity message will be displayed on the SSL VPN password modification page to notify users of password complexity requirements.
In an SSL VPN context, if you execute this command multiple times for the same language, the most recent configuration takes effect.
Examples
# In SSL VPN context ctx1, specify the password complexity message as The password must contain uppercase and lowercase letters.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] password-complexity-message english The password must contain uppercase and lowercase letters
policy-group
Use policy-group to create an SSL VPN policy group and enter its view, or enter the view of an existing SSL VPN policy group.
Use undo policy-group to delete a policy group.
Syntax
policy-group group-name
undo policy-group group-name
Default
No SSL VPN policy groups exist.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
group-name: Specifies a name for the policy group, a case-insensitive string of 1 to 31 characters.
Usage guidelines
An SSL VPN policy group contains a set of rules for resource access authorization.
You can configure multiple SSL VPN policy groups for an SSL VPN context. When a remote user accesses the SSL VPN context, the AAA server issues the authorized policy group to the associated SSL VPN gateway. The user can access only the resources allowed by the authorized policy group. If the AAA server does not authorize the user to use a policy group, the user can access only the resources allowed by the default policy group.
Examples
# Create a policy group named pg1 and enter its view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1]
Related commands
default-policy-group
port-forward
Use port-forward to create a port forwarding list for an SSL VPN context and enter its view, or enter the view of an existing port forwarding list.
Use undo port-forward to delete a port forwarding list.
Syntax
port-forward port-forward-name
undo port-forward port-forward-name
Default
No port forwarding lists exist.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
port-forward-name: Specifies a name for the port forwarding list, a case-insensitive string of 1 to 31 characters.
Usage guidelines
Port forwarding lists provide TCP access services for SSL VPN users.
In port forwarding list view, you can use the port-forward-item command to create port forwarding items. Each port forwarding item defines an accessible TCP service provided on an internal server.
You can assign a port forwarding list to a policy group by using the resources port-forward command. After the AAA server authorizes a user to use a policy group, the SSL VPN Web page provides the user the port forwarding list assigned to the group. The user can access the TCP services provided by the port forwarding list.
Examples
# Create port forwarding list pflist1 and enter its view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] port-forward pflist1
[Sysname-sslvpn-context-ctx1-port-forward-pflist1]
Related commands
local-port
resources port-forward
port-forward-item
Use port-forward-item to create a port forwarding item and enter its view, or enter the view of an existing port forwarding item.
Use undo port-forward-item to delete a port forwarding item.
Syntax
port-forward-item item-name
undo port-forward-item item-name
Default
No port forwarding items exist.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
item-name: Specifies a name for the port forwarding item, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A port forwarding item defines an accessible TCP service provided on an internal server. It contains the following settings:
· A port forwarding instance.
A port forwarding instance is configured by using the local-port command. It makes an internal TCP service accessible through a local address and port number on the SSL VPN client.
· (Optional.) A resource link.
A resource link is configured by using the execution command.
After you configure a resource link for a port forwarding item, the port forwarding item name will be displayed on the SSL VPN Web page as a link. You can click the link to access the resource directly.
Make sure the resource link matches the TCP service specified by the port forwarding instance.
After you create a port forwarding item, you can assign it to a port forwarding list by using the resources port-forward-item command.
Examples
# Create a port forwarding item named pfitem1 and enter its view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] port-forward-item pfitem1
[Sysname-sslvpn-context-ctx1-port-forward-item-pfitem1]
Related commands
execution
local-port
resources port-forward-item
prevent-cracking freeze-ip
Use prevent-cracking freeze-ip to configure IP address freezing parameters for cracking prevention.
Use undo prevent-cracking freeze-ip to restore the default.
Syntax
prevent-cracking freeze-ip login-failures login-failures freeze-time freeze-time
undo prevent-cracking freeze-ip
Default
The maximum number of consecutive login failures allowed for an IP address is 64, and the period of time to freeze an IP address is 30 seconds.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
login-failures login-failures: Specifies the maximum number of consecutive login failures allowed for an IP address before freezing it to prevent cracking.
freeze-time freeze-time: Specifies the period of time to freeze an IP address, in the range of 30 to 1800 seconds.
Usage guidelines
Non-default vSystems do not support this command.
The cracking prevention feature reduces the risk of brute-force cracking of user login information by limiting the number of login attempts from the same IP address.
If the number of consecutive login failures of the same IP address reaches the maximum number specified by this command, the IP address will be frozen for the specified period. During the freeze period, the IP address is prohibited from logging in to the SSL VPN context. When the freeze period expires, the frozen IP address will be unfrozen automatically.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In SSL VPN context ctx1, configure the device to freeze an IP address if it consecutively fails login for 100 times and set the freeze period of time to 60 seconds.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] prevent-cracking freeze-ip login-failures 100 freeze-time 60
Related commands
display sslvpn prevent-cracking frozen-ip
prevent-cracking freeze-ip enable
Use prevent-cracking freeze-ip enable to enable IP address freezing for cracking prevention.
Use undo prevent-cracking freeze-ip enable to disable IP address freezing for cracking prevention.
Syntax
prevent-cracking freeze-ip enable
undo prevent-cracking freeze-ip enable
Default
IP address freezing for cracking prevention is disabled.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
Examples
# In SSL VPN context ctx1, enable IP address freezing for cracking prevention.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] prevent-cracking freeze-ip enable
Related commands
display sslvpn prevent-cracking frozen-ip
prevent-cracking unfreeze-ip
Use prevent-cracking unfreeze-ip to unfreeze IP addresses frozen for cracking prevention.
Syntax
prevent-cracking unfreeze-ip { all | { ipv4 | ipv6 } ip-address }
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
all: Specifies all frozen IP addresses.
ipv4: Specifies a frozen IPv4 address.
ipv6: Specifies a frozen IPv6 address.
ip-address: IP address to be unfrozen.
Usage guidelines
Non-default vSystems do not support this command.
Unfrozen IP addresses are allowed to log in to the SSL VPN context again.
Examples
# In SSL VPN context ctx1, unfreeze all frozen IP addresses.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] prevent-cracking unfreeze-ip all
Related commands
display sslvpn prevent-cracking frozen-ip
prevent-cracking verify-code
Use prevent-cracking verify-code to configure code verification parameters for cracking prevention.
Use undo prevent-cracking verify-code to restore the default.
Syntax
prevent-cracking verify-code login-failures login-failures
undo prevent-cracking verify-code
Default
A maximum of five consecutive login failures are allowed for an IP address.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
login-failures login-failures: Specifies the maximum number of consecutive login failures allowed for an IP address, in the range of 1 to 63.
Usage guidelines
Non-default vSystems do not support this command.
The cracking prevention feature reduces the risk of brute-force cracking of user login information by limiting the number of login attempts from the same IP address.
If the number of consecutive login failures of an IP address exceeds the maximum number specified by this command, code verification is performed to prevent cracking. An SSL VPN user using the IP address must enter a correct verification code to log in to the SSL VPN context.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In SSL VPN context ctx1, configure the device to perform code verification if an IP address consecutively fails login for more than 10 times.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] prevent-cracking verify-code login-failures 10
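The freeze-ip and verify-code guidelines above describe two thresholds on one per-address run of consecutive login failures: code verification starts once the failures exceed its threshold, and freezing starts once they reach the freeze threshold, with automatic unfreezing after the freeze period. The following constructed Python model (an added example, not device code) walks a single client address through both mechanisms with a fixed clock. Assumptions the page does not state: a login attempt without the required verification code counts as a failure, and freezing an address resets its failure counter.

```python
"""Per-source-IP cracking prevention as described for the SSL VPN context.

Constructed model, not device code. One consecutive-failure counter per address
feeds two mechanisms:
  * verify-code: failures EXCEEDING verify_code_failures require a correct code.
  * freeze-ip:   failures REACHING freeze_failures freeze the address for
                 freeze_time seconds; every attempt is rejected meanwhile.
A successful login clears the counter. Assumptions: an attempt made without the
required code is a failure, and freezing resets the counter.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import time


@dataclass
class CrackingPrevention:
    verify_code_enabled: bool = False
    verify_code_failures: int = 5      # page default
    freeze_ip_enabled: bool = False
    freeze_failures: int = 64          # page default
    freeze_time: int = 30              # page default, seconds
    _failures: Dict[str, int] = field(default_factory=dict, repr=False)
    _frozen_until: Dict[str, float] = field(default_factory=dict, repr=False)

    def is_frozen(self, ip: str, now: float) -> bool:
        until = self._frozen_until.get(ip)
        if until is None:
            return False
        if now >= until:               # freeze period expired: unfreeze automatically
            del self._frozen_until[ip]
            return False
        return True

    def needs_verify_code(self, ip: str) -> bool:
        return self.verify_code_enabled and self._failures.get(ip, 0) > self.verify_code_failures

    def unfreeze(self, ip: Optional[str] = None) -> None:
        """prevent-cracking unfreeze-ip { all | ip-address }"""
        if ip is None:
            self._frozen_until.clear()
            self._failures.clear()
        else:
            self._frozen_until.pop(ip, None)
            self._failures.pop(ip, None)

    def _record_failure(self, ip: str, now: float) -> None:
        n = self._failures.get(ip, 0) + 1
        self._failures[ip] = n
        if self.freeze_ip_enabled and n >= self.freeze_failures:
            self._frozen_until[ip] = now + self.freeze_time
            self._failures.pop(ip, None)   # assumption: counter restarts after a freeze

    def login(self, ip: str, password_ok: bool, code_ok: bool = False,
              now: Optional[float] = None) -> str:
        """Returns 'ok', 'frozen', 'need-code' or 'failed'."""
        now = time.time() if now is None else now
        if self.freeze_ip_enabled and self.is_frozen(ip, now):
            return "frozen"
        if self.needs_verify_code(ip) and not code_ok:
            self._record_failure(ip, now)
            return "need-code"
        if not password_ok:
            self._record_failure(ip, now)
            return "failed"
        self._failures.pop(ip, None)       # success clears the run of failures
        return "ok"


def demo() -> dict:
    """Drive one constructed attacker address through both thresholds."""
    cp = CrackingPrevention(verify_code_enabled=True, verify_code_failures=3,
                            freeze_ip_enabled=True, freeze_failures=6, freeze_time=60)
    ip, t = "198.51.100.7", 1000.0       # constructed client address and clock
    results: List[str] = []
    for _ in range(4):                   # four wrong passwords: no code demanded yet
        results.append(cp.login(ip, password_ok=False, now=t))
    # Failures (4) now exceed 3: the right password without a code is refused.
    results.append(cp.login(ip, password_ok=True, code_ok=False, now=t))
    # Sixth consecutive failure reaches the freeze threshold.
    results.append(cp.login(ip, password_ok=False, code_ok=True, now=t))
    frozen_now = cp.is_frozen(ip, t)
    results.append(cp.login(ip, password_ok=True, code_ok=True, now=t + 1))   # frozen
    results.append(cp.login(ip, password_ok=True, now=t + 61))                # unfrozen
    return {"results": results, "frozen_during_period": frozen_now,
            "frozen_after_expiry": cp.is_frozen(ip, t + 61)}
```

Note the asymmetry the page's wording implies: verification codes kick in after the threshold is exceeded (the fifth attempt when the threshold is 4 per the page's default, the fourth here), whereas freezing happens on the attempt that reaches the threshold.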
prevent-cracking verify-code enable
Use prevent-cracking verify-code enable to enable code verification for cracking prevention.
Use undo prevent-cracking verify-code enable to disable code verification for cracking prevention.
Syntax
prevent-cracking verify-code enable
undo prevent-cracking verify-code enable
Default
Code verification for cracking prevention is disabled.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
Examples
# In SSL VPN context ctx1, enable code verification for cracking prevention.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] prevent-cracking verify-code enable
rate-limit
Use rate-limit to set a rate limit for SSL VPN session upstream or downstream traffic.
Use undo rate-limit to remove the rate limit set for SSL VPN session upstream or downstream traffic.
Syntax
rate-limit { downstream | upstream } value
undo rate-limit { downstream | upstream }
Default
No rate limit is set for SSL VPN session upstream or downstream traffic.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
downstream: Specifies the SSL VPN downstream traffic, which is sent by internal servers to SSL VPN users.
upstream: Specifies the SSL VPN upstream traffic, which is sent by SSL VPN users to internal servers.
value: Sets the rate limit for the specified traffic, in the range of 1000 to 100000000 kbps.
Usage guidelines
You can set a rate limit for SSL VPN session upstream and downstream traffic, respectively. If you set the rate limit for the same traffic direction multiple times, the most recent configuration takes effect.
If the SSL VPN session upstream or downstream traffic exceeds the rate limit, subsequent upstream or downstream traffic will be discarded.
Examples
# In SSL VPN context ctx1, set the rate limit to 10000 kbps for SSL VPN session upstream traffic.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] rate-limit upstream 10000
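The rate-limit guidelines above say that traffic exceeding the configured per-direction rate is discarded, which is policing rather than shaping. The following constructed Python policer (an added example; the page does not state the device's algorithm) models that behaviour with a token bucket per direction, using the command's kbps units. The one-second burst allowance is an assumption made for the example.

```python
"""Token-bucket policer modelling the SSL VPN session rate limit.

Constructed example, not device code. One bucket per direction; a packet that
does not fit in the available credit is dropped, never queued, which matches
the page's statement that traffic over the limit is discarded.
Assumption: the burst allowance is one second of credit at the configured rate.
"""
from typing import Dict, Optional


class DirectionPolicer:
    def __init__(self, rate_kbps: int) -> None:
        if not 1000 <= rate_kbps <= 100000000:          # command's value range
            raise ValueError("rate must be 1000 to 100000000 kbps")
        self.rate_bytes_per_s = rate_kbps * 1000 / 8
        self.burst = self.rate_bytes_per_s               # assumption: 1 s of credit
        self.tokens = self.burst
        self.last = 0.0

    def allow(self, size: int, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                                     # over the limit: discard


class SessionRateLimit:
    """rate-limit { downstream | upstream } value, applied to one session."""

    def __init__(self, upstream_kbps: Optional[int] = None,
                 downstream_kbps: Optional[int] = None) -> None:
        self.policers: Dict[str, DirectionPolicer] = {}
        if upstream_kbps is not None:
            self.policers["upstream"] = DirectionPolicer(upstream_kbps)
        if downstream_kbps is not None:
            self.policers["downstream"] = DirectionPolicer(downstream_kbps)

    def forward(self, direction: str, size: int, now: float) -> bool:
        p = self.policers.get(direction)
        return True if p is None else p.allow(size, now)   # no limit set: pass


def demo() -> Dict[str, int]:
    """Upstream limited to 1000 kbps (125000 B/s); downstream unlimited."""
    rl = SessionRateLimit(upstream_kbps=1000)
    # Constructed burst: 100 packets of 1500 bytes sent at t=0 (150000 bytes).
    up_t0 = sum(rl.forward("upstream", 1500, 0.0) for _ in range(100))
    # Half a second later the bucket has refilled 62500 bytes of credit.
    up_t05 = sum(rl.forward("upstream", 1500, 0.5) for _ in range(100))
    down = sum(rl.forward("downstream", 1500, 0.0) for _ in range(100))
    return {"upstream_t0": up_t0, "upstream_t0.5": up_t05, "downstream": down}
```

With a 1000 kbps upstream limit, 83 of the 100 packets in the initial burst pass (83 x 1500 = 124500 bytes) and the rest are dropped; after 0.5 s the 500 bytes left plus 62500 bytes of refill admit exactly 42 more.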
redirect-resource
Use redirect-resource to specify the Web resource to which SSL VPN users are redirected after login.
Use undo redirect-resource to restore the default.
Syntax
redirect-resource { shortcut | url-item } resource-name
undo redirect-resource
Default
After logging in to the SSL VPN gateway, a user directly enters the SSL VPN resource list page, and no webpage redirection is performed.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
shortcut: Specifies a shortcut resource.
url-item: Specifies a URL item resource.
resource-name: Specifies the resource name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
By default, a user directly enters the SSL VPN resource list page after logging in to the SSL VPN gateway. You can use this command to redirect a user to a specific webpage after the user logs in to the SSL VPN gateway.
If a policy group authorized to a user contains a redirect resource, the SSL VPN gateway first opens the SSL VPN resource list page for the user and then, after a short delay, redirects the user to the webpage specified in the redirect resource.
If multiple policy groups are authorized to a user, the device searches the policy groups for a redirect resource in authorization time order (first authorized first searched). If a redirect resource is found, the device stops searching and redirects the user to the redirect resource. If no redirect resource is found, no redirection will be performed.
In an SSL VPN policy group view, if you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify URL item url1 as the redirect resource of SSL VPN policy group pg1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] redirect-resource url-item url1
Related commands
display sslvpn policy-group
reset counters interface sslvpn-ac
Use reset counters interface sslvpn-ac to clear SSL VPN AC interface statistics.
Syntax
reset counters interface [ sslvpn-ac [ interface-number ] ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
sslvpn-ac [ interface-number ]: Specifies an SSL VPN AC interface by its number in the range of 0 to 4095. If you do not specify this option, the command clears statistics for all interfaces. If you specify the sslvpn-ac keyword without the interface-number argument, this command clears statistics for all existing SSL VPN AC interfaces.
Usage guidelines
Use this command to clear old statistics so you can observe new traffic statistics on an SSL VPN AC interface.
Examples
# Clear statistics for SSL VPN AC 1000.
<Sysname> reset counters interface sslvpn-ac 1000
Related commands
display interface sslvpn-ac
reset sslvpn ip-tunnel statistics
Use reset sslvpn ip-tunnel statistics to clear packet statistics for IP access users.
Syntax
reset sslvpn ip-tunnel statistics [ context context-name [ session session-id ] ]
Views
User view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command clears packet statistics for IP access users in all SSL VPN contexts.
session session-id: Specifies a session by its ID in the range of 1 to 4294967295. If you do not specify a session, this command clears packet statistics for all IP access users in the specified SSL VPN context.
Usage guidelines
To view the SSL VPN sessions in different SSL VPN contexts, execute the display sslvpn session command.
If you do not specify any parameters, this command clears packet statistics for all IP access users in all SSL VPN contexts.
Examples
# Clear the IP access packet statistics in all SSL VPN contexts.
<Sysname> reset sslvpn ip-tunnel statistics
# Clear the IP access packet statistics in SSL VPN context ctx1.
<Sysname> reset sslvpn ip-tunnel statistics context ctx1
# Clear the IP access packet statistics of session 1 in SSL VPN context ctx1.
<Sysname> reset sslvpn ip-tunnel statistics context ctx1 session 1
Related commands
display sslvpn ip-tunnel statistics
display sslvpn session
resources port-forward
Use resources port-forward to assign a port forwarding list to an SSL VPN policy group.
Use undo resources port-forward to remove the configuration.
Syntax
resources port-forward port-forward-name
undo resources port-forward
Default
An SSL VPN policy group does not contain a port forwarding list.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
port-forward-name: Specifies the name of an existing port forwarding list. A port forwarding list name is a case-insensitive string of 1 to 31 characters.
Usage guidelines
After the AAA server authorizes a user to use a policy group, the SSL VPN Web page provides the user the port forwarding list assigned to the group. The user can access the TCP services provided by the port forwarding list.
Examples
# Assign port forwarding list pflist1 to SSL VPN policy group pg1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] resources port-forward pflist1
Related commands
local-port
port-forward
resources port-forward-item
Use resources port-forward-item to assign a port forwarding item to a port forwarding list.
Use undo resources port-forward-item to remove a port forwarding item from a port forwarding list.
Syntax
resources port-forward-item item-name
undo resources port-forward-item item-name
Default
A port forwarding list does not contain any port forwarding items.
Views
Port forwarding list view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
item-name: Specifies a port forwarding item by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
Before you assign a port forwarding item to a port forwarding list, make sure the port forwarding item has been created by using the port-forward-item command.
You can assign multiple port forwarding items to a port forwarding list.
Examples
# Create a port forwarding item named pfitem1, and then assign it to port forwarding list pflist1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] port-forward-item pfitem1
[Sysname-sslvpn-context-ctx1-port-forward-item-pfitem1] quit
[Sysname-sslvpn-context-ctx1] port-forward pflist1
[Sysname-sslvpn-context-ctx1-port-forward-pflist1] resources port-forward-item pfitem1
Related commands
port-forward-item
resources shortcut
Use resources shortcut to assign a shortcut to a shortcut list.
Use undo resources shortcut to remove a shortcut from a shortcut list.
Syntax
resources shortcut shortcut-name
undo resources shortcut shortcut-name
Default
A shortcut list does not contain any shortcuts.
Views
Shortcut list view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
shortcut-name: Specifies a shortcut by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can assign multiple shortcuts to a shortcut list.
Examples
# Assign shortcut shortcut1 to shortcut list list1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] shortcut shortcut1
[Sysname-sslvpn-context-ctx1-shortcut-shortcut1] quit
[Sysname-sslvpn-context-ctx1] shortcut-list list1
[Sysname-sslvpn-context-ctx1-shortcut-list-list1] resources shortcut shortcut1
resources shortcut-list
Use resources shortcut-list to assign a shortcut list to an SSL VPN policy group.
Use undo resources shortcut-list to restore the default.
Syntax
resources shortcut-list list-name
undo resources shortcut-list
Default
An SSL VPN policy group does not contain a shortcut list.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
list-name: Specifies a shortcut list by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can assign only one shortcut list to an SSL VPN policy group. After the AAA server authorizes a user to use a policy group, the SSL VPN Web page provides the user the shortcut list assigned to the group. The user can click a shortcut to access the associated resource.
If you execute this command for an SSL VPN policy group multiple times, the most recent configuration takes effect.
Examples
# Assign shortcut list list1 to SSL VPN policy group pg1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] shortcut-list list1
[Sysname-sslvpn-context-ctx1-shortcut-list-list1] quit
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] resources shortcut-list list1
resources snat-pool
Use resources snat-pool to specify a SNAT address pool for an SSL VPN context.
Use undo resources snat-pool to remove the configuration.
Syntax
resources snat-pool snat-pool-name [ type { address-split | port-split } ]
undo resources snat-pool
Default
No SNAT address pool is specified for an SSL VPN context.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
snat-pool-name: Specifies a SNAT address pool by its name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_). The specified SNAT address pool must have been created.
type: Specifies the SNAT address pool split type. If you do not specify this keyword, the SNAT address pool split type is address-split.
address-split: Specifies the address-split type. Non-default vSystems do not support this keyword.
port-split: Specifies the port-split type.
Usage guidelines
After a SNAT address pool is specified for an SSL VPN context, address management entries and OpenFlow flow entries are issued to the VPN instance associated with the SSL VPN context.
The SNAT address pool split type specified in this command must be the same as the actual split type of the specified SNAT address pool.
Examples
# Specify SNAT address pool spool for context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] resources snat-pool spool
resources uri-acl
Use resources uri-acl to specify a URI ACL for URL resource filtering in a URL item.
Use undo resources uri-acl to remove the URI ACL configuration from a URL item.
Syntax
resources uri-acl uri-acl-name
undo resources uri-acl
Default
No URI ACL is specified for URL resource filtering in a URL item.
Views
URL item view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.
Usage guidelines
The specified URI ACL will be used to filter the accessible resources under the URL specified in the URL item.
Examples
# Specify URI ACL abc in URL item serverA.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-item serverA
[Sysname-sslvpn-context-ctx1-url-item-serverA] resources uri-acl abc
Related commands
uri-acl
resources url-item
Use resources url-item to assign a URL item to a URL list.
Use undo resources url-item to remove a URL item from a URL list.
Syntax
resources url-item url-item-name
undo resources url-item url-item-name
Default
A URL list does not contain any URL items.
Views
URL list view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
url-item-name: Specifies a URL item by its name, a case-insensitive string of 1 to 31 characters. The specified URL item must already exist.
Usage guidelines
You can assign multiple URL items to a URL list.
Examples
# Assign URL item serverA to URL list list1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-list list1
[Sysname-sslvpn-context-ctx1-url-list-list1] resources url-item serverA
Related commands
resources url-list
Use resources url-list to assign a URL list to an SSL VPN policy group.
Use undo resources url-list to remove the configuration.
Syntax
resources url-list url-list-name
undo resources url-list url-list-name
Default
An SSL VPN policy group does not contain a URL list.
Views
SSL VPN policy group view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
url-list-name: Specifies an existing URL list by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
In Web access mode, a remote user can use a Web browser to access URL resources in the URL list assigned to the authorized SSL VPN policy group.
Examples
# Assign URL list url1 to SSL VPN policy group pg1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] policy-group pg1
[Sysname-sslvpn-context-ctx1-policy-group-pg1] resources url-list url1
Related commands
policy-group
sslvpn context
url-list
resources-file
Use resources-file to specify a file for SSL VPN users to download on the SSL VPN resource page.
Use undo resources-file to restore the default.
Syntax
resources-file { chinese chinese-filename | english english-filename }
undo resources-file { chinese | english }
Default
No file is provided for SSL VPN users to download.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
chinese chinese-filename: Specifies the name of the file to be provided on the Chinese Web interface, a case-sensitive string of 1 to 31 characters.
english english-filename: Specifies the name of the file to be provided on the English Web interface, a case-sensitive string of 1 to 31 characters.
Usage guidelines
Non-default vSystems do not support this command.
Before executing this command, you must upload the file for users to download to the file system on the device in advance. The specified file name must be the absolute path of the file.
In an SSL VPN context, if you execute this command multiple times for the same language, the most recent configuration takes effect.
Examples
# In SSL VPN context ctx1, specify the file for users to download on the SSL VPN resource page as flash:/sslvpnhelp.pdf.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] resources-file english flash:/sslvpnhelp.pdf
rewrite server-response-message
Use rewrite server-response-message to rewrite a server reply message.
Use undo rewrite server-response-message to restore the default.
Syntax
rewrite server-response-message server-response-message { chinese chinese-message | english english-message }
undo rewrite server-response-message server-response-message { chinese | english }
Default
No server reply message is rewritten.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
server-response-message: Specifies the original server reply message to be rewritten, a case-sensitive string of 1 to 127 characters. If this message contains spaces, enclose the message in double quotation marks.
chinese chinese-message: Specifies the new server reply message to be displayed on the Chinese Web interface, a case-sensitive string of 1 to 127 characters.
english english-message: Specifies the new server reply message to be displayed on the English Web interface, a case-sensitive string of 1 to 127 characters.
Usage guidelines
If a server reply message (for example, an authentication, authorization, or accounting reply message) is hard to understand, execute this command to rewrite the server reply message. You can obtain server reply messages from the server to determine which messages should be rewritten.
If you execute this command multiple times to rewrite the same original server reply message in the same language, the most recent configuration takes effect.
Examples
# In SSL VPN context ctx1, rewrite the server reply message Success to User identity authentication succeeded.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] rewrite server-response-message Success english User identity authentication succeeded
rewrite-rule
Use rewrite-rule to create a rewrite rule and enter its view, or enter the view of an existing rewrite rule.
Use undo rewrite-rule to delete a rewrite rule.
Syntax
rewrite-rule rule-name
undo rewrite-rule rule-name
Default
No rewrite rules exist.
Views
File policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
rule-name: Specifies a rule name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can configure multiple rewrite rules in a file policy.
Examples
# Create a rewrite rule named rule1 and enter its view.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] file-policy fp
[Sysname-sslvpn-context-ctx-file-policy-fp] rewrite-rule rule1
[Sysname-sslvpn-context-ctx-file-policy-fp-rewrite-rule-rule1]
rule
Use rule to create a rule for a URI ACL.
Use undo rule to remove a rule from a URI ACL.
Syntax
rule [ rule-id ] { deny | permit } uri uri-pattern-string
undo rule rule-id
Default
No URI ACL rules exist in a URI ACL.
Views
URI ACL view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
deny: Denies matching packets.
permit: Permits matching packets.
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. The numbering step is 5 for automatic numbering of rule IDs. An automatically assigned rule ID takes the nearest multiple of 5 higher than the current highest rule ID. For example, if the current highest rule ID is 28, the rule is numbered 30.
uri uri-pattern-string: Specifies a URI pattern. The URI pattern can contain a maximum of 256 characters in the format of protocol://host:port/path, where protocol and host are required. See Table 14 for descriptions of the fields in a URI pattern.
Table 14 URI field descriptions
Field | Description |
---|---|
protocol | Protocol name. Options are http, https, tcp, udp, icmp, and ip. |
host | Domain name or address of a host. Valid host address formats: an IPv4 or IPv6 address (for example, 192.168.1.1); an IPv4 or IPv6 address range in the format start address-end address (for example, 3.3.3.1-3.3.3.200); an IPv4 address with a mask length or an IPv6 address with a prefix length (for example, 2.2.2.2/24); a combination of the preceding formats separated by commas (for example, 192.168.1.1,3.3.3.1-3.3.3.200,2.2.2.2/24). Valid domain name formats: a fully qualified domain name (for example, www.domain.example.com); a domain name with the following wildcard characters: |
port | Port number. If no port number is specified, the default port number of the protocol is used. Valid formats: a single port number (for example, 1002); a port number range in the format start port-end port (for example, 8080-8088); a combination of the preceding formats separated by commas (for example, 1002,90,8080-8088). |
path | String that identifies a directory or file on the host. The path is a sequence of fields separated by forward or backward slashes. The following wildcard characters are supported: asterisk (*), which matches zero or more characters (for example, /path1/*); question mark (?), which matches one character (for example, /path?/); percent sign (%), which matches one or more characters within a single field of the path (for example, /path1/%/). |
Usage guidelines
You can add multiple rules to a URI ACL. The device matches a packet against the rules in ascending order of rule ID and stops at the first matching rule. Because the first match wins, place specific deny rules at lower rule IDs than broad permit rules; a broad permit with a lower ID shadows every more specific rule that follows it.
Examples
# Add a rule to URI ACL uriacla.
<Sysname> system-view
[Sysname] sslvpn context abc
[Sysname-sslvpn-context-abc] uri-acl uriacla
[Sysname-sslvpn-context-abc-uri-acl-uriacla] rule 1 permit uri https://*.example.com:80,443,2000-5000/path/
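The following Python model, added here as an illustration and not taken from the device or its documentation, shows how the rule semantics above play out: URI pattern parsing (protocol, comma-separated hosts with ranges and mask lengths, port lists and ranges, path wildcards), automatic rule numbering in steps of 5, and first-match evaluation in ascending rule-ID order. It reuses the page's own rule 1 and adds two constructed rules. Points the page leaves open are marked as assumptions in the code: the first auto-assigned ID in an empty ACL, the port matched by a pattern that omits the port for protocols without a well-known default, a pattern without a path matching any path, and the implicit result when no rule matches. Only `*` is supported in domain names (the wildcard the page's example uses), and IPv6 host literals are not parsed.

```python
"""Model of URI ACL evaluation: URI pattern parsing, automatic rule numbering and
first-match lookup (added illustration; the device's parser may differ in edge cases)."""
import fnmatch
import ipaddress
import re

PROTOCOLS = {"http", "https", "tcp", "udp", "icmp", "ip"}
DEFAULT_PORTS = {"http": 80, "https": 443}   # used when a pattern omits the port
STEP = 5                                       # auto-numbering step from the page

# protocol://host[:port][/path]. A "/n" (1-3 digits) directly after a host entry is
# read as a mask or prefix length; everything from the next "/" or "\" is the path.
_PATTERN_RE = re.compile(
    r"^(?P<proto>[a-z]+)://"
    r"(?P<host>[^:/\\,]+(?:/\d{1,3})?(?:,[^:/\\,]+(?:/\d{1,3})?)*)"
    r"(?::(?P<port>[\d,-]+))?"
    r"(?P<path>[/\\].*)?$")

def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _host_matcher(entry):
    """Predicate for one comma-separated host entry of a URI pattern."""
    if "/" in entry:                                  # address with mask/prefix length
        net = ipaddress.ip_network(entry, strict=False)
        return lambda h: _as_ip(h) is not None and _as_ip(h) in net
    lo, sep, hi = entry.partition("-")
    lo_ip, hi_ip = _as_ip(lo), _as_ip(hi)
    if sep and lo_ip is not None and hi_ip is not None:  # start-end address range
        def in_range(h):
            ip = _as_ip(h)
            return ip is not None and ip.version == lo_ip.version and lo_ip <= ip <= hi_ip
        return in_range
    single = _as_ip(entry)
    if single is not None:                            # one address
        return lambda h: _as_ip(h) == single
    glob = entry.lower()                              # domain name; '*' as in the page's example
    return lambda h: fnmatch.fnmatchcase(h.lower(), glob)

def _parse_ports(spec):
    ports = set()                                     # '80,443,2000-5000' -> {80, 443, 2000..5000}
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _path_regex(path):
    """'*' zero or more characters, '?' one character, '%' one or more within one field."""
    table = {"*": ".*", "?": ".", "%": r"[^/\\]+", "/": r"[/\\]", "\\": r"[/\\]"}
    return re.compile("^" + "".join(table.get(c, re.escape(c)) for c in path) + "$")

class Rule:
    def __init__(self, rule_id, action, pattern):
        m = _PATTERN_RE.match(pattern)
        if not m or m["proto"] not in PROTOCOLS or action not in ("permit", "deny"):
            raise ValueError(f"bad rule: {action} uri {pattern}")
        self.rule_id, self.action, self.pattern, self.proto = rule_id, action, pattern, m["proto"]
        self.hosts = [_host_matcher(e) for e in m["host"].split(",")]
        self.ports = (_parse_ports(m["port"]) if m["port"]   # assumption: no default -> any port
                      else {DEFAULT_PORTS[self.proto]} if self.proto in DEFAULT_PORTS else None)
        self.path_re = _path_regex(m["path"]) if m["path"] else None  # no path: any path

    def matches(self, proto, host, port, path):
        return (proto == self.proto
                and any(h(host) for h in self.hosts)
                and (self.ports is None or port in self.ports)
                and (self.path_re is None or self.path_re.match(path or "/") is not None))

class UriAcl:
    def __init__(self, name):
        self.name, self.rules = name, {}

    def add_rule(self, action, pattern, rule_id=None):
        if rule_id is None:  # nearest multiple of STEP above the highest ID (28 -> 30); 0 if empty (assumption)
            highest = max(self.rules, default=None)
            rule_id = 0 if highest is None else (highest // STEP + 1) * STEP
        if not 0 <= rule_id <= 65534:
            raise ValueError("rule ID must be 0-65534")
        self.rules[rule_id] = Rule(rule_id, action, pattern)
        return rule_id

    def evaluate(self, proto, host, port, path):
        """(action, rule_id) of the first match in ascending ID order; None if nothing matches."""
        for rid in sorted(self.rules):
            if self.rules[rid].matches(proto, host, port, path):
                return self.rules[rid].action, rid
        return None

def build_example_acl():
    """The page's rule 1 plus two constructed rules; IDs 5 and 10 are auto-assigned."""
    acl = UriAcl("uriacla")
    acl.add_rule("permit", "https://*.example.com:80,443,2000-5000/path/", rule_id=1)
    acl.add_rule("deny", "http://192.168.1.1,3.3.3.1-3.3.3.200,2.2.2.2/24")
    acl.add_rule("permit", "http://10.0.0.0/8/%/*.cgi")  # '%' is exactly one directory
    return acl
```

Two behaviours worth checking against the model: `https://example.com/path/` does not match `*.example.com` (the wildcard needs at least one label before the dot), and a `permit http://10.0.0.0/8` at rule 10 makes a `deny http://10.1.1.1` at rule 20 unreachable.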
self-service imc address
Use self-service imc address to specify an IMC server for password modification.
Use undo self-service imc address to restore the default.
Syntax
self-service imc address { ip-address | ipv6 ipv6-address } port port-number [ vpn-instance vpn-instance-name ]
undo self-service imc address
Default
No IMC server is specified for password modification.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ip-address: Specifies the IPv4 address of the IMC server, in dotted decimal notation.
ipv6 ipv6-address: Specifies the IPv6 address of the IMC server, in colon-separated hexadecimal notation. The IPv6 address can only be a unicast or anycast address and cannot be an unspecified, multicast, loopback, or link local address.
port port-number: Specifies the port number of the IMC server, in the range of 1 to 65535.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IMC server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. Do not specify this option if the IMC server is on the public network.
Usage guidelines
Password modification allows users to modify login passwords by themselves, and it is supported for local users and users authenticated by an IMC server.
Execute this command only when IMC authentication users need to modify the SSL VPN login passwords. After a user passes the identity authentication, the user can modify the password on the SSL VPN Web page. The new password is sent to the IMC server specified by this command for verification. If the verification succeeds, the user will use the new password for next logins.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the IMC server at IPv4 address 192.168.10.1 and port 443 in VPN instance vpn1 for password modification of users in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] self-service imc address 192.168.10.1 port 443 vpn-instance vpn1
server-address
Use server-address to specify an IMC server for SMS authentication.
Use undo server-address to restore the default.
Syntax
server-address { ip-address | ipv6 ipv6-address } port port-number [ vpn-instance vpn-instance-name ]
undo server-address
Default
No IMC server is specified for SMS authentication.
Views
IMC SMS authentication view
Predefined user roles
network-admin
context-admin
Parameters
ip-address: Specifies the IPv4 address of the IMC server, in dotted decimal notation.
ipv6 ipv6-address: Specifies the IPv6 address of the IMC server, in colon-separated hexadecimal notation. The IPv6 address can only be a unicast or anycast address and cannot be an unspecified, multicast, loopback, or link local address.
port port-number: Specifies the port number of the IMC server, in the range of 1 to 65535.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IMC server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. Do not specify this option if the IMC server is on the public network.
Usage guidelines
Non-default vSystems do not support this command.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In IMC SMS authentication view, specify an IMC server (with IP address 192.168.151.1 and port 2000) in VPN instance vpn1 for SMS authentication of users.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] sms-auth imc
[Sysname-sslvpn-context-ctx1-sms-auth-imc] server-address 192.168.151.1 port 2000 vpn-instance vpn1
service enable (SSL VPN context view)
Use service enable to enable an SSL VPN context.
Use undo service enable to disable an SSL VPN context.
Syntax
service enable
undo service enable
Default
An SSL VPN context is disabled.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Examples
# Enable SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] service enable
Related commands
display sslvpn context
service enable (SSL VPN gateway view)
Use service enable to enable an SSL VPN gateway.
Use undo service enable to disable an SSL VPN gateway.
Syntax
service enable
undo service enable
Default
An SSL VPN gateway is disabled.
Views
SSL VPN gateway view
Predefined user roles
network-admin
context-admin
vsys-admin
Examples
# Enable SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] service enable
Related commands
display sslvpn gateway
session-connections
Use session-connections to set the maximum number of connections allowed per session.
Use undo session-connections to restore the default.
Syntax
session-connections number
undo session-connections
Default
A maximum of 64 connections are allowed per session.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
number: Specifies the maximum number of connections allowed per session. The value can be 0 or in the range of 10 to 1000. Value 0 indicates that the number of connections per session is not limited.
Usage guidelines
If the number of connections in a session has reached the maximum, new connection requests for the session will be rejected with a 503 Service Unavailable message.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the maximum number of connections allowed per session to 10.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] session-connections 10
shortcut
Use shortcut to create a shortcut and enter its view, or enter the view of an existing shortcut.
Use undo shortcut to delete a shortcut.
Syntax
shortcut shortcut-name
undo shortcut shortcut-name
Default
No shortcuts exist.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
shortcut-name: Specifies a shortcut name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
After you create a shortcut, use the execution command to configure a resource link for it. Users can then click the shortcut name on the SSL VPN Web page to access the associated resource.
Examples
# Create a shortcut named shortcut1 and enter its view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] shortcut shortcut1
[Sysname-sslvpn-context-ctx1-shortcut-shortcut1]
shortcut-list
Use shortcut-list to create a shortcut list and enter its view, or enter the view of an existing shortcut list.
Use undo shortcut-list to delete a shortcut list.
Syntax
shortcut-list list-name
undo shortcut-list list-name
Default
No shortcut lists exist.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
list-name: Specifies a name for the shortcut list, a case-insensitive string of 1 to 31 characters.
Examples
# Create a shortcut list named list1 and enter its view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] shortcut-list list1
[Sysname-sslvpn-context-ctx1-shortcut-list-list1]
shutdown
Use shutdown to shut down an SSL VPN AC interface.
Use undo shutdown to bring up an SSL VPN AC interface.
Syntax
shutdown
undo shutdown
Default
An SSL VPN AC interface is up.
Views
SSL VPN AC interface view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
CAUTION: The shutdown command interrupts ongoing network services. Make sure you are fully aware of the impact of this command when you use it on a live network.
Examples
# Shut down SSL VPN AC 1000.
<Sysname> system-view
[Sysname] interface sslvpn-ac 1000
[Sysname-SSLVPN-AC1000] shutdown
sms-auth
Use sms-auth to create an SMS authentication view and enter its view, or enter the view of an existing SMS authentication view.
Use undo sms-auth to delete an SMS authentication view.
Syntax
sms-auth { imc | sms-gw }
undo sms-auth { imc | sms-gw }
Default
No SMS authentication views exist.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
imc: Specifies the IMC SMS authentication view.
sms-gw: Specifies the SMS gateway authentication view. Non-default vSystems do not support this keyword.
Examples
# Create and enter SMS gateway authentication view in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] sms-auth sms-gw
[Sysname-sslvpn-context-ctx1-sms-auth-sms-gw]
Related commands
sms-auth type
sms-auth type
Use sms-auth type to specify an SMS authentication type and enable SMS authentication.
Use undo sms-auth type to restore the default.
Syntax
sms-auth type { imc | sms-gw }
undo sms-auth type
Default
SMS authentication is disabled.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
imc: Specifies IMC SMS authentication.
sms-gw: Specifies SMS gateway authentication. Non-default vSystems do not support this keyword.
Usage guidelines
After you enable SMS authentication, the device uses SMS verification codes to authenticate SSL VPN users. A user is allowed to log in to the SSL VPN gateway only when the user passes the SMS authentication.
The device supports the following types of SMS authentication:
· IMC SMS authentication.
SMS authentication for SSL VPN users is performed by an IMC server. You must configure the IP address and port number for the IMC server in IMC SMS authentication view.
· SMS gateway authentication.
SMS gateway authentication for SSL VPN users is performed by an SMS gateway. You must specify the SMS gateway, the verification code resend interval, and the verification code validity period in SMS gateway authentication view.
Examples
# Specify the SMS authentication type as SMS gateway authentication in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] sms-auth type sms-gw
Related commands
display sslvpn context
sms-auth
sms-content
Use sms-content to configure the SMS content template.
Use undo sms-content to restore the default.
Syntax
sms-content string
undo sms-content
Default
The SMS content template is Hello, $$USER$$, the verification code is $$VERIFYCODE$$, and its validity period is $$VALIDTIME$$ minutes.
Views
SMS gateway authentication view
Predefined user roles
network-admin
context-admin
Parameters
string: Specifies the SMS content template, a case-sensitive string of 1 to 127 characters.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to configure the SMS content template that the SMS gateway uses to send SMS messages.
An SMS content template must contain the following variables (the names used by the default template):
· $$USER$$—User name variable.
· $$VERIFYCODE$$—Verification code variable.
· $$VALIDTIME$$—Verification code validity period variable.
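The following Python helper, added here as an illustration and not taken from the device, validates a template against the rules above (length limit of 1 to 127 characters, all three variables present) and renders it. The variable names follow the page's default template; the check that no other `$$NAME$$` placeholder appears is an assumption, added so that a typo such as `$$VERIFYCDOE$$` is caught before a message without a usable code is sent.

```python
"""Validate and render an SMS content template (added illustration, not device code).
Variable names follow the page's default template; rejecting unknown $$NAME$$ placeholders
is an assumption."""
import re

REQUIRED_VARS = ("USER", "VERIFYCODE", "VALIDTIME")
MAX_LEN = 127                                   # string length limit from the page
_VAR_RE = re.compile(r"\$\$([A-Z]+)\$\$")
DEFAULT_TEMPLATE = ("Hello, $$USER$$, the verification code is $$VERIFYCODE$$, "
                    "and its validity period is $$VALIDTIME$$ minutes.")

def validate_template(template):
    """Return the list of problems with a template; an empty list means it is usable."""
    problems = []
    if not 1 <= len(template) <= MAX_LEN:
        problems.append(f"length {len(template)} is outside 1-{MAX_LEN}")
    found = set(_VAR_RE.findall(template))
    for name in REQUIRED_VARS:
        if name not in found:
            problems.append(f"missing required variable $${name}$$")
    for name in sorted(found - set(REQUIRED_VARS)):
        problems.append(f"unknown variable $${name}$$")
    return problems

def render(template, user, verify_code, valid_minutes):
    """Substitute the three variables; refuse a template that fails validation so that
    a message can never go out without the code or its validity period."""
    problems = validate_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    values = {"USER": user, "VERIFYCODE": verify_code, "VALIDTIME": str(valid_minutes)}
    return _VAR_RE.sub(lambda m: values[m.group(1)], template)
```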
Examples
# In SMS gateway authentication view, configure the SMS content template as Hello, $$USER$$, the verification code is $$VERIFYCODE$$, and its validity period is $$VALIDTIME$$ in minutes.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] sms-auth sms-gw
[Sysname-sslvpn-context-ctx1-sms-auth-sms-gw] sms-content Hello, $$USER$$, the verification code is $$VERIFYCODE$$, and its validity period is $$VALIDTIME$$ in minutes.
ssl client-policy
Use ssl client-policy to apply an SSL client policy to an SSL VPN context.
Use undo ssl client-policy to remove the application.
Syntax
ssl client-policy policy-name
undo ssl client-policy [ policy-name ]
Default
The default SSL client policy for SSL VPN is used. This policy supports the dhe_rsa_aes_128_cbc_sha, dhe_rsa_aes_256_cbc_sha, rsa_3des_ede_cbc_sha, rsa_aes_128_cbc_sha, and rsa_aes_256_cbc_sha cipher suites.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify this argument when you execute the undo ssl client-policy command, the device removes the application of all SSL client policies from an SSL VPN context.
Usage guidelines
You can apply only one SSL client policy to an SSL VPN context. For the applied SSL client policy to take effect, you must enable the SSL VPN context by using the service enable command. The SSL VPN gateway will use the parameters defined by the policy to establish SSL connections to HTTPS servers.
If you execute this command multiple times, the new configuration overwrites the previous configuration but does not take effect until you disable and then re-enable the SSL VPN context by using the undo service enable and service enable commands.
For information about configuring SSL client policies, see Security Configuration Guide.
Examples
# Apply SSL client policy abc to SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] ssl client-policy abc
ssl server-policy
Use ssl server-policy to apply an SSL server policy to an SSL VPN gateway.
Use undo ssl server-policy to remove the application.
Syntax
ssl server-policy policy-name
undo ssl server-policy [ policy-name ]
Default
An SSL VPN gateway uses the SSL server policy of its self-signed certificate.
Views
SSL VPN gateway view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Specifies the name of an SSL server policy, a case-insensitive string of 1 to 31 characters. If you do not specify this argument when you execute the undo ssl server-policy command, the device removes the application of all SSL server policies from the SSL VPN gateway.
Usage guidelines
You can apply only one SSL server policy to an SSL VPN gateway. For the applied SSL server policy to take effect, you must enable the SSL VPN gateway by using the service enable command. The SSL VPN gateway will use the parameters defined by the policy to establish SSL connections to remote users.
If you execute this command multiple times, the new configuration overwrites the previous configuration but does not take effect until you disable and then re-enable the SSL VPN gateway. The same applies after you modify the content of the SSL server policy applied to a gateway: the modified policy is validated only after the gateway is disabled and re-enabled. To disable and enable an SSL VPN gateway, use the undo service enable and service enable commands.
Examples
# Apply SSL server policy CA_CERT to SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] ssl server-policy CA_CERT
Related commands
display sslvpn gateway
sslvpn context
Use sslvpn context to create an SSL VPN context and enter its view, or enter the view of an existing SSL VPN context.
Use undo sslvpn context to delete an SSL VPN context.
Syntax
sslvpn context context-name
undo sslvpn context context-name
Default
No SSL VPN contexts exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
context-name: Specifies an SSL VPN context name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).
Usage guidelines
SSL VPN contexts contain different user sessions, accessible resources, and user authentication methods.
An SSL VPN gateway can be associated with multiple SSL VPN contexts. After a remote user logs in to an SSL VPN gateway, the user can access only the resources in the SSL VPN context to which the user belongs.
Examples
# Create an SSL VPN context named ctx1 and enter its view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1]
Related commands
display sslvpn context
sslvpn flow-redirect enable
Use sslvpn flow-redirect enable to enable flow redirection for SSL VPN IP access.
Use undo sslvpn flow-redirect enable to disable flow redirection for SSL VPN IP access.
Syntax
sslvpn flow-redirect enable
undo sslvpn flow-redirect enable
Default
Flow redirection for SSL VPN IP access is disabled. SSL VPN IP access flows are redirected based on hardware OpenFlow entries of the NAT module.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This feature takes effect only in SSL VPN IP access mode.
This feature ensures that the forward and return packets of a data flow are processed on the same security module. If the return packets are forwarded to a different security module than the forward packets, this feature transparently forwards the return packets to the security module where the forward packets are processed.
By default, the device uses the hardware OpenFlow entries issued by the NAT module to ensure that the forward and return packets of an SSL VPN IP access data flow are forwarded to the same security module for processing. If NAT OpenFlow entry deployment is disabled (by using the undo nat outbound command), enable SSL VPN IP access flow redirection to ensure normal processing of the SSL VPN service.
This feature takes effect only if the session flow redirection feature is enabled. For more information about session flow redirection, see session management in Security Configuration Guide.
Examples
# Enable flow redirection for SSL VPN IP access.
<Sysname> system-view
[Sysname] sslvpn flow-redirect enable
Related commands
session flow-redirect enable
nat outbound (Layer 3—IP Services Command Reference)
sslvpn gateway
Use sslvpn gateway to create an SSL VPN gateway and enter its view, or enter the view of an existing SSL VPN gateway.
Use undo sslvpn gateway to delete an SSL VPN gateway.
Syntax
sslvpn gateway gateway-name
undo sslvpn gateway gateway-name
Default
No SSL VPN gateways exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
gateway-name: Specifies an SSL VPN gateway name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).
Usage guidelines
An SSL VPN gateway resides between remote users and the enterprise network to ensure secure access of remote users to the enterprise internal network. The SSL VPN gateway establishes an SSL connection to a remote user, and then authenticates the user before allowing the user to access an internal server.
You must perform the following tasks in the view of an SSL VPN gateway:
· Execute the ip address command to configure an IP address and a port number for the SSL VPN gateway.
· Execute the ssl server-policy command to apply an SSL server policy to the SSL VPN gateway.
· Execute the service enable command to enable the SSL VPN gateway.
You cannot delete an SSL VPN gateway that has been associated with an SSL VPN context. To delete the SSL VPN gateway, execute the undo gateway command to remove the association and then execute the undo sslvpn gateway command.
Examples
# Create an SSL VPN gateway named gw1 and enter its view.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1]
Related commands
display sslvpn gateway
sslvpn ip address-pool
Use sslvpn ip address-pool to create an IPv4 address pool.
Use undo sslvpn ip address-pool to delete an IPv4 address pool.
Syntax
sslvpn ip address-pool pool-name start-ip-address end-ip-address
undo sslvpn ip address-pool pool-name
Default
No IPv4 address pools exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
pool-name: Specifies a name for the address pool, a case-insensitive string of 1 to 31 characters.
start-ip-address end-ip-address: Specifies the start IP address and end IP address for the pool. The end IP address must be greater than the start IP address. The start IP address and end IP address cannot be a multicast, broadcast, or loopback address.
Usage guidelines
The created IPv4 address pools are used for address allocation to SSL VPN IP access clients. You can specify an IPv4 address pool for an SSL VPN context or an SSL VPN policy group. An SSL VPN gateway uses the specified IPv4 address pools to assign IPv4 addresses to IP access clients.
Examples
# Create an IPv4 address pool named pool1 and specify the address range as 10.1.1.1 to 10.1.1.254.
<Sysname> system-view
[Sysname] sslvpn ip address-pool pool1 10.1.1.1 10.1.1.254
Related commands
ip-tunnel address-pool (SSL VPN context view)
ip-tunnel address-pool (SSL VPN policy group view)
sslvpn ip-client download-path
Use sslvpn ip-client download-path to specify a download path for Windows, Mac, and Linux IP access clients.
Use undo sslvpn ip-client download-path to restore the default.
Syntax
sslvpn ip-client download-path { { common | kylin | uos } { linux-arm | linux-loongarch | linux-mips | linux-x86 } url url | mac url url | windows { local | official | url url } }
undo sslvpn ip-client download-path { { common | kylin | uos } { linux-arm | linux-loongarch | linux-mips | linux-x86 } | mac | windows }
Default
For Mac and Linux IP access clients, the download path is the official website.
For Windows, if the IP access client is packaged with the device, the download path is the root directory of the device. If the IP access client is not packaged with the device, the download path is the official website.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
common: Specifies the common operating system.
kylin: Specifies the Kylin operating system.
uos: Specifies the UOS operating system.
linux-arm: Specifies the ARM Linux operating system.
linux-loongarch: Specifies the LoongArch Linux operating system.
linux-mips: Specifies the MIPS Linux operating system.
linux-x86: Specifies the x86 Linux operating system.
mac: Specifies the Mac operating system.
url url: Specifies a URL for downloading the Linux or Mac IP access client, a case-insensitive string of 1 to 255 characters.
windows local: Specifies the local device for downloading the Windows IP access client.
windows official: Specifies the official website for downloading the Windows IP access client.
windows url url: Specifies a URL for downloading the Windows IP access client, a case-insensitive string of 1 to 255 characters.
Usage guidelines
IP access clients to be downloaded by SSL VPN users are typically stored on the device. On a device with little storage space, however, the clients cannot be deployed locally.
To resolve this issue, you can specify the official website or a custom URL as the download path for IP access clients. The device then saves storage space and SSL VPN users can still download IP access clients. The device supports specifying a download path for Windows, Mac, and Linux IP access clients. If you specify a custom URL, use an HTTPS URL on a server you control, because users will install whatever is served from that path.
Examples
# Specify URL https://www.example.com/download/client.exe as the download path for the Windows IP access client.
<Sysname> system-view
[Sysname] sslvpn ip-client download-path windows url https://www.example.com/download/client.exe
sslvpn ipv6 address-pool
Use sslvpn ipv6 address-pool to create an IPv6 address pool.
Use undo sslvpn ipv6 address-pool to delete an IPv6 address pool.
Syntax
sslvpn ipv6 address-pool ipv6-pool-name start-ipv6-address end-ipv6-address
undo sslvpn ipv6 address-pool ipv6-pool-name
Default
No IPv6 address pools exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ipv6-pool-name: Specifies a name for the IPv6 address pool, a case-insensitive string of 1 to 31 characters.
start-ipv6-address end-ipv6-address: Specifies the start IPv6 address and end IPv6 address for the pool. The end IPv6 address must be greater than the start IPv6 address. The specified IPv6 addresses can only be unicast or anycast addresses and cannot be unspecified, multicast, loopback, or link local addresses.
Usage guidelines
The created IPv6 address pools are used for address allocation to SSL VPN IP access clients. You can specify an IPv6 address pool for an SSL VPN context or an SSL VPN policy group. An SSL VPN gateway uses the specified IPv6 address pools to assign IPv6 addresses to IP access clients.
Examples
# Create an IPv6 address pool named pool1 and specify the address range as 1234::100 to 1234::200.
<Sysname> system-view
[Sysname] sslvpn ipv6 address-pool pool1 1234::100 1234::200
Related commands
ip-tunnel ipv6 address-pool (SSL VPN context view)
ip-tunnel ipv6 address-pool (SSL VPN policy group view)
sslvpn log enable
Use sslvpn log enable to enable the SSL VPN global logging feature.
Use undo sslvpn log enable to disable the SSL VPN global logging feature.
Syntax
sslvpn log enable
undo sslvpn log enable
Default
The SSL VPN global logging feature is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
This feature logs the following global events:
· SSL VPN access failures because of not associating SSL VPN contexts with gateways.
· SSL VPN access failures because of not enabling SSL VPN contexts.
The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable the SSL VPN global logging feature.
<Sysname> system-view
[Sysname] sslvpn log enable
sslvpn snat-pool
Use sslvpn snat-pool to create a SNAT address pool and enter its view.
Use undo sslvpn snat-pool to delete a SNAT address pool.
Syntax
sslvpn snat-pool pool-name [ type { address-split | port-split } ]
undo sslvpn snat-pool pool-name
Default
No SNAT address pools exist.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
pool-name: Specifies the SNAT address pool name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).
type: Specifies the SNAT address pool split type. If you do not specify this keyword, the SNAT address pool split type is address-split.
address-split: Specifies the address-split type. Non-default vSystems do not support this keyword.
port-split: Specifies the port-split type.
Usage guidelines
After you create a SNAT address pool, you can specify an address range for the pool.
SNAT address pools are used for the SSL VPN gateway to direct traffic to corresponding security modules for processing.
The SSL VPN gateway assigns addresses in the pools to security modules and uses the addresses to generate route entries and OpenFlow flow entries.
When the TCP or Web access service establishes a connection to a remote server, the SSL VPN gateway associates the security module of the service with an assigned address. The SSL VPN gateway uses this address as the source address of the request sent to the server. The server uses this address as the destination address of the reply packet sent to the gateway.
After receiving the reply packet from the server, the SSL VPN gateway uses the destination address to find a matching OpenFlow flow entry and route entry. The SSL VPN gateway uses the matching entries to find the corresponding security engine and forward the packet of the server to that security engine for processing.
When multiple security engines are deployed, the security engines might encounter address conflicts. Splitting the SNAT address pool can resolve the address conflict issue. A SNAT address pool supports the following split types:
· Address-split—The addresses in the SNAT address pool are equally divided for the security engines. The address ranges for the security engines do not overlap each other.
· Port-split—The SNAT address range for each security engine is the same. The ports are equally divided for the security engines. The port ranges for the security engines do not overlap.
You cannot repeat the sslvpn snat-pool command to modify the SNAT address pool split type. Instead, you must first delete the current SNAT address pool by using the undo sslvpn snat-pool command, and then use the sslvpn snat-pool command to create the SNAT address pool with a new split type.
If the SNAT address pools overlap in the default vSystem and non-default vSystems in the same Context (virtual device), configure all these SNAT address pools to use the port-split type to avoid traffic direction errors.
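To make the two split types concrete, the following JavaScript is an added example and not code from the documentation or the device. It computes the per-engine address and port ranges for an IPv4 SNAT pool and checks that no two engines can collide (a collision needs overlapping addresses and overlapping ports). The documentation does not state how a remainder is distributed or which port range the device divides; this example assumes the remainder goes to the last engine and a port range of 1024 to 65535.

```javascript
// Added example (not from the documentation): model the address-split and
// port-split SNAT pool types and verify that engines get non-overlapping
// source-address/port ranges. IPv4 only; assumptions are noted inline.
const PORT_LO = 1024;   // assumed port range for port-split (not stated by the docs)
const PORT_HI = 65535;

function ipToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

function intToIp(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

// Split the inclusive integer range [lo, hi] equally among n engines.
// Assumption: any remainder is given to the last engine.
function splitRange(lo, hi, n) {
  const total = hi - lo + 1;
  if (n < 1 || total < n) throw new Error("range too small for " + n + " engines");
  const per = Math.floor(total / n);
  const parts = [];
  for (let i = 0; i < n; i++) {
    const start = lo + i * per;
    const end = i === n - 1 ? hi : start + per - 1;
    parts.push([start, end]);
  }
  return parts;
}

// address-split: addresses divided, every engine may use the full port range.
function addressSplit(startIp, endIp, engines) {
  return splitRange(ipToInt(startIp), ipToInt(endIp), engines).map(([a, b], i) => ({
    engine: i + 1, addresses: [intToIp(a), intToIp(b)], ports: [PORT_LO, PORT_HI],
  }));
}

// port-split: every engine uses the whole address range, ports are divided.
function portSplit(startIp, endIp, engines) {
  if (ipToInt(endIp) < ipToInt(startIp)) throw new Error("end address precedes start");
  return splitRange(PORT_LO, PORT_HI, engines).map(([a, b], i) => ({
    engine: i + 1, addresses: [startIp, endIp], ports: [a, b],
  }));
}

// Two engines conflict only when both their address ranges and their port
// ranges overlap, because the gateway keys reply traffic on (address, port).
function hasConflict(plan) {
  const overlaps = (x, y) => x[0] <= y[1] && y[0] <= x[1];
  for (let i = 0; i < plan.length; i++) {
    for (let j = i + 1; j < plan.length; j++) {
      const a = plan[i], b = plan[j];
      if (overlaps(a.addresses.map(ipToInt), b.addresses.map(ipToInt)) &&
          overlaps(a.ports, b.ports)) {
        return true;
      }
    }
  }
  return false;
}
```

Running `addressSplit("10.1.1.1", "10.1.1.10", 3)` yields engine ranges .1 to .3, .4 to .6 and .7 to .10, while `portSplit` with two engines gives each engine the same addresses but disjoint port halves; `hasConflict` is false for both plans, which is the property the split types exist to guarantee.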
Examples
# Create SNAT address pool spool1 and enter SNAT address pool view.
<Sysname> system-view
[Sysname] sslvpn snat-pool spool1
[Sysname-sslvpn-snatpool-spool1]
sslvpn webpage-customize
Use sslvpn webpage-customize to specify a webpage template for SSL VPN webpage customization.
Use undo sslvpn webpage-customize to restore the default.
Syntax
sslvpn webpage-customize template-name
undo sslvpn webpage-customize
Default
SSL VPN uses the system default webpages.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
template-name: Specifies a webpage template by its name, a string of 1 to 31 characters. The name cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), quotation mark ("), question mark (?), left angle bracket (<), and right angle bracket (>).
Usage guidelines
Non-default vSystems do not support this command.
This command allows you to set the global SSL VPN webpage template. Both predefined and user-defined webpage templates are available.
You can upload and download webpage templates through the SSL VPN Web interface.
To view all webpage templates in the system, use the display sslvpn webpage-customize template command.
In an SSL VPN context, the webpage template specified for the SSL VPN context takes precedence over the global SSL VPN webpage template. To specify a webpage template for an SSL VPN context, use the webpage-customize command in SSL VPN context view.
Examples
# Use webpage template template1 to customize SSL VPN webpages.
<Sysname> system-view
[Sysname] sslvpn webpage-customize template1
Related commands
display sslvpn webpage-customize template
webpage-customize
sso auto-build code
Use sso auto-build code to specify a character encoding method for SSO login requests that are built automatically.
Use undo sso auto-build code to restore the default.
Syntax
sso auto-build code { gb18030 | utf-8 }
undo sso auto-build code
Default
UTF-8 encoding is used for automatically built SSO login requests.
Views
URL item view
Predefined user roles
network-admin
context-admin
Parameters
gb18030: Specifies GB18030 encoding.
utf-8: Specifies UTF-8 encoding.
Usage guidelines
Non-default vSystems do not support this command.
Encoding a login request converts the request into a byte string for transmission. The SSL VPN gateway supports the GB18030 and UTF-8 encoding methods. Specify the encoding method that matches the decoding method used by the internal server.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In URL item servera, set the encoding method to GB18030 for automatically built SSO login requests.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-item servera
[Sysname-sslvpn-context-ctx1-url-item-servera] sso auto-build code gb18030
Related commands
sso auto-build custom-login-parameter
sso auto-build login-parameter-field
sso auto-build request-method
sso method
sso auto-build custom-login-parameter
Use sso auto-build custom-login-parameter to configure a custom login parameter for automatic building of SSO login requests.
Use undo sso auto-build custom-login-parameter to restore the default.
Syntax
sso auto-build custom-login-parameter name parameter-name value value [ encrypt ]
undo sso auto-build custom-login-parameter name parameter-name
Default
No custom parameter is configured for automatic building of SSO login requests.
Views
URL item view
Predefined user roles
network-admin
context-admin
Parameters
name parameter-name: Specifies the parameter name, a case-sensitive string of 1 to 63 characters.
value value: Specifies the attribute value, a case-sensitive string of 1 to 255 characters.
encrypt: Enables attribute value encryption through an encryption file. The encryption file is specified by the sso auto-build encrypt-file command.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to configure a custom login parameter (attribute name and value) if the auto-build SSO method is enabled.
The SSL VPN gateway will use the custom login parameter and other auto-build login parameters (configured by using the sso auto-build login-parameter command) to build login requests automatically.
Examples
# In URL item servera, configure a custom login parameter for auto-build SSO. Configure the parameter's name as commit and the value as login.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-item servera
[Sysname-sslvpn-context-ctx1-url-item-servera] sso auto-build custom-login-parameter name commit value login
Related commands
sso auto-build code
sso auto-build encrypt-file
sso auto-build login-parameter
sso auto-build request-method
sso method
sso auto-build encrypt-file
Use sso auto-build encrypt-file to specify an encryption file to encrypt login parameters in automatically built SSO login requests.
Use undo sso auto-build encrypt-file to restore the default.
Syntax
sso auto-build encrypt-file filename
undo sso auto-build encrypt-file
Default
No encryption file is specified for SSO login in the auto-build method.
Views
URL item view
Predefined user roles
network-admin
context-admin
Parameters
filename: Specifies an encryption file by its name, a case-insensitive string of 1 to 255 characters.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to specify an encryption file to encrypt the values of the parameters in automatically built SSO login requests. Encryption files are files that contain encryption functions written in JavaScript, and these files must be uploaded to the file management system of the device in advance.
If the encryption file is in the root directory of the device, you do not need to specify the file path when you execute this command. If the encryption file is in a non-root directory of the device, you must specify the absolute path of the file when you execute this command.
You must write the encryption function using the following template:
function sslvpn_sso_encrypt(code)
{
//Encryption code
}
If you execute this command multiple times, the most recent configuration takes effect.
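The following JavaScript is an added example of a complete encryption file that follows the template above; it is not code from the documentation or the device. It assumes the internal server expects login parameter values as Base64 of their UTF-8 bytes (which is an encoding, not encryption; a real file must reproduce whatever transform the server's own login form applies). Because the JavaScript engine on the gateway is not documented, the file uses only core ECMAScript and avoids host APIs such as btoa or Buffer.

```javascript
// Added example (not from the documentation): an encryption file in the
// required template shape. Assumption: the internal server wants Base64 of
// the UTF-8 bytes of each parameter value. Only core ECMAScript is used so
// the file does not depend on host APIs the gateway engine may lack.

var B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Convert a JavaScript string to an array of UTF-8 byte values.
function utf8Bytes(str) {
  var out = [];
  for (var i = 0; i < str.length; i++) {
    var c = str.charCodeAt(i);
    // Combine a UTF-16 surrogate pair into a single code point.
    if (c >= 0xd800 && c <= 0xdbff && i + 1 < str.length) {
      var d = str.charCodeAt(i + 1);
      if (d >= 0xdc00 && d <= 0xdfff) {
        c = 0x10000 + ((c - 0xd800) << 10) + (d - 0xdc00);
        i++;
      }
    }
    if (c < 0x80) {
      out.push(c);
    } else if (c < 0x800) {
      out.push(0xc0 | (c >> 6), 0x80 | (c & 0x3f));
    } else if (c < 0x10000) {
      out.push(0xe0 | (c >> 12), 0x80 | ((c >> 6) & 0x3f), 0x80 | (c & 0x3f));
    } else {
      out.push(0xf0 | (c >> 18), 0x80 | ((c >> 12) & 0x3f),
               0x80 | ((c >> 6) & 0x3f), 0x80 | (c & 0x3f));
    }
  }
  return out;
}

// Standard Base64 with "=" padding over an array of byte values.
function base64Encode(bytes) {
  var s = "";
  for (var i = 0; i < bytes.length; i += 3) {
    var b0 = bytes[i], b1 = bytes[i + 1], b2 = bytes[i + 2];
    var n = (b0 << 16) | ((b1 || 0) << 8) | (b2 || 0);
    s += B64[(n >> 18) & 63] + B64[(n >> 12) & 63];
    s += (b1 === undefined) ? "=" : B64[(n >> 6) & 63];
    s += (b2 === undefined) ? "=" : B64[n & 63];
  }
  return s;
}

// Entry point required by the template: receives the plaintext parameter
// value and returns the value to place in the automatically built request.
function sslvpn_sso_encrypt(code) {
  return base64Encode(utf8Bytes(String(code)));
}
```

Every parameter configured with the encrypt keyword is passed through sslvpn_sso_encrypt before the gateway builds the request, so the function must be deterministic and must return a string that the server will decode with the same scheme.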
Examples
# In URL item servera, specify encryption file test.js to encrypt the values of the parameters in automatically built SSO login requests.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-item servera
[Sysname-sslvpn-context-ctx1-url-item-servera] sso auto-build encrypt-file test.js
Related commands
sso auto-build custom-login-parameter
sso auto-build login-parameter-field
sso method
sso auto-build login-parameter
Use sso auto-build login-parameter to configure a login parameter for automatic building of SSO login requests.
Use undo sso auto-build login-parameter to restore the default.
Syntax
sso auto-build login-parameter { cert-fingerprint | cert-serial | cert-title | custom-password | custom-username | login-name | login-password | mobile-num | user-group } name parameter-name [ encrypt ]
undo sso auto-build login-parameter { cert-fingerprint | cert-serial | cert-title | custom-password | custom-username | login-name | login-password | mobile-num | user-group }
Default
No login parameters are configured for automatic building of SSO login requests.
Views
URL item view
Predefined user roles
network-admin
context-admin
Parameters
login-name: Uses the SSL VPN login username as the value of the SSO login parameter.
login-password: Uses the SSL VPN login password as the value of the SSO login parameter.
cert-title: Uses the certificate title as the value of the SSO login parameter.
cert-serial: Uses the certificate serial number as the value of the SSO login parameter.
cert-fingerprint: Uses the certificate fingerprint as the value of the SSO login parameter.
mobile-num: Uses the mobile phone number as the value of the SSO login parameter.
user-group: Uses the user group name as the value of the SSO login parameter.
custom-username: Uses the customized username as the value of the SSO login parameter.
custom-password: Uses the customized password as the value of the SSO login parameter.
name parameter-name: Specifies an attribute name for the SSO login parameter, a case-sensitive string of 1 to 63 characters.
encrypt: Enables attribute value encryption through an encryption file. The encryption file is specified by the sso auto-build encrypt-file command.
Usage guidelines
Non-default vSystems do not support this command.
Use this command to configure a login parameter (attribute name and value) if the auto-build SSO method is enabled by using the sso method auto-build command. The attribute name is the parameter name used by the SSL VPN gateway to log in to the internal server. The parameter value used to log in to the internal server is the actual value extracted according to the value keyword specified in the command. For example, if you specify the login-name keyword for a parameter, the parameter value carried in the login request is the actual SSL VPN login username.
You can configure different values for the same attribute name, and configure different attribute names with the same value.
The SSL VPN gateway will use the login parameters configured by this command and custom login parameters (configured by the sso auto-build custom-login-parameter command) to build login requests automatically.
Upon receiving a login request, the internal server searches for the parameter values according to the parameter names to determine whether the login user is legitimate.
Examples
# In URL item servera, configure a login parameter for auto-build SSO. Configure the parameter's value keyword as cert-title and attribute name as login, and enable attribute value encryption.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-item servera
[Sysname-sslvpn-context-ctx1-url-item-servera] sso auto-build login-parameter cert-title name login encrypt
Related commands
sso auto-build code
sso auto-build custom-login-parameter
sso auto-build encrypt-file
sso auto-build request-method
sso method
sso auto-build request-method
Use sso auto-build request-method to specify the HTTP request method for automatically built SSO login requests.
Use undo sso auto-build request-method to restore the default.
Syntax
sso auto-build request-method { get | post }
undo sso auto-build request-method
Default
The GET request method is used for automatically built SSO login requests.
Views
URL item view
Predefined user roles
network-admin
context-admin
Parameters
get: Specifies the GET request method.
post: Specifies the POST request method.
Usage guidelines
Non-default vSystems do not support this command.
This command specifies the HTTP request method used by the SSL VPN gateway to send HTTP requests to the internal server for SSO login. Specify the HTTP request method according to the internal server settings.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# In URL item servera, set the HTTP request method to POST for auto-build SSO login.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-item servera
[Sysname-sslvpn-context-ctx1-url-item-servera] sso auto-build request-method post
Related commands
sso auto-build code
sso auto-build custom-login-parameter
sso auto-build login-parameter-field
sso method
sso basic custom-username-password enable
Use sso basic custom-username-password enable to enable using a custom username and password for SSO login through basic authentication.
Use undo sso basic custom-username-password enable to restore the default.
Syntax
sso basic custom-username-password enable
undo sso basic custom-username-password enable
Default
SSL VPN login username and password are used for SSO login through basic authentication.
Views
URL item view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
Execute this command if you specify basic authentication for SSO login. The custom username and password are configured in the SSL VPN Web interface.
Examples
# In URL item servera, enable using the custom username and password for SSO login through basic authentication.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-item servera
[Sysname-sslvpn-context-ctx1-url-item-servera] sso basic custom-username-password enable
Related commands
sso method
sso method
Use sso method to enable SSO and specify the SSO method.
Use undo sso method to restore the default.
Syntax
sso method { auto-build | basic }
undo sso method
Default
SSL VPN SSO login is disabled.
Views
URL item view
Predefined user roles
network-admin
context-admin
Parameters
auto-build: Automatically builds login requests to implement SSO.
basic: Performs basic authentication automatically to implement SSO.
Usage guidelines
Non-default vSystems do not support this command.
SSO allows a user to use one set of login credentials (such as username and password) to access multiple trusted systems. With SSO, after users log in to the SSL VPN gateway in Web access mode, they can gain access to internal servers without entering the login credentials for the internal servers. The device supports the following methods for SSO login:
· Auto-build method
Use a packet capture tool to obtain internal server login requests, and then configure SSO login settings based on the login requests to automatically build login requests to the internal servers. SSO login settings include the HTTP request method, login request encoding method, login parameters, and login data encryption file.
· Basic authentication
Basic authentication is a simple HTTP authentication scheme, which requires a Web client to enter a username and password to access the server. The server authenticates the client based on the username and password.
To implement SSO in the basic authentication method, the SSL VPN gateway acts as a Web client and automatically enters a username and password to perform HTTP basic authentication. The entered username and password can be SSL VPN username and password or a custom username and password.
The basic authentication SSO method is applicable only for logging in to the internal servers that support basic authentication.
Examples
# In URL item servera, specify the SSO method as basic authentication.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-item servera
[Sysname-sslvpn-context-ctx1-url-item-servera] sso method basic
Related commands
sso auto-build code
sso auto-build custom-login-parameter
sso auto-build login-parameter
sso auto-build request-method
sso basic custom-username-password enable
sso auto-build encrypt-file
timeout idle
Use timeout idle to set the idle timeout timer for SSL VPN sessions.
Use undo timeout idle to restore the default.
Syntax
timeout idle minutes
undo timeout idle
Default
The idle timeout timer is 30 minutes for SSL VPN sessions.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
minutes: Specifies the idle timeout timer in the range of 1 to 1440 minutes.
Usage guidelines
If the idle time of an SSL VPN session exceeds the specified idle timeout time, the session is terminated.
Examples
# Set the idle timeout timer to 50 minutes for SSL VPN sessions.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] timeout idle 50
Related commands
display sslvpn policy-group
title
Use title to configure a title to be displayed on SSL VPN webpages.
Use undo title to restore the default.
Syntax
title { chinese chinese-title | english english-title }
undo title { chinese | english }
Default
The title is SSL VPN.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
chinese chinese-title: Configures a title in Chinese, a case-sensitive string of 1 to 255 characters.
english english-title: Configures a title in English, a case-sensitive string of 1 to 255 characters.
Examples
# Configure the title as SSL VPN service for company A.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] title english SSL VPN service for company A
uri-acl
Use uri-acl to create a URI ACL and enter its view, or enter the view of an existing URI ACL.
Use undo uri-acl to delete a URI ACL.
Syntax
uri-acl uri-acl-name
undo uri-acl uri-acl-name
Default
No URI ACLs exist.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
uri-acl-name: Specifies a name for the URI ACL, a case-insensitive string of 1 to 31 characters.
Usage guidelines
A URI ACL is a set of rules that permit or deny access to resources. You can use URI ACLs for IP, TCP, and Web access filtering of SSL VPN users.
You can create multiple URI ACLs in an SSL VPN context.
Examples
# Create a URI ACL named uriacla and enter its view.
<Sysname> system-view
[Sysname] sslvpn context abc
[Sysname-sslvpn-context-abc] uri-acl uriacla
[Sysname-sslvpn-context-abc-uri-acl-uriacla]
url (file policy view)
Use url to specify the URL of the Web page file to be rewritten in a file policy.
Use undo url to restore the default.
Syntax
url url
undo url
Default
No file URL is specified in a file policy.
Views
File policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
url: Specifies the complete file path, a case-insensitive string of 1 to 256 characters.
Usage guidelines
A file policy can be used to modify only the Web page file whose URL is the same as the URL configured in the policy.
A file URL is in the format of scheme://user:password@host:port/path. Table 15 describes the fields in the file URL.
Table 15 URL field descriptions
Field | Description |
---|---|
scheme | Protocol type. Options include http and https. |
user:password | Username and password used to access the file. |
host | Host name or IP address of the server where the file resides. To specify an IPv6 address, enclose the IPv6 address in brackets. For example, https://[1234::5678]:8080/a.html. |
port | Port number on which the server listens for resource access requests. If you do not specify a port number, the default port number of the protocol is used, which is 80 for HTTP and 443 for HTTPS. |
path | Local path of the file on the server. |
You can specify only one file URL in a file policy. In the same SSL VPN context, the URL specified for each file policy must be unique.
Examples
# Specify a file URL for file policy fp.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] file-policy fp
[Sysname-sslvpn-context-ctx-file-policy-fp] url https://192.168.1.1:8080/js/test.js
url (URL item view)
Use url to specify a URL in a URL item.
Use undo url to remove the URL from a URL item.
Syntax
url url
undo url
Default
No URL is specified in a URL item.
Views
URL item view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
url: Specifies a URL, a case-insensitive string of 1 to 253 characters in the format of protocol://host:port/path.
Usage guidelines
Table 16 describes the fields in a URL.
Table 16 URL field descriptions
Field | Description |
---|---|
protocol | Protocol name. Options are http and https. If you do not specify a protocol name, the default protocol (HTTP) is used. |
host | Domain name or IP address of a host. To specify an IPv6 address, enclose the IPv6 address in brackets. For example, https://[1234::5678]:8080. |
port | Port number. If you do not specify a port number, the default port number of the protocol is used, which is 80 for HTTP and 443 for HTTPS. |
path | Path to the resource on the host. |
You can specify only one URL in a URL item. If you execute this command multiple times, the most recent configuration takes effect.
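The following JavaScript is an added example, not code from the documentation or the device, that parses a URL into the fields described in Table 15 (file policy URLs) and Table 16 (URL item URLs). It applies the rules both tables state: the protocol defaults to HTTP when omitted, an IPv6 host is written in brackets, and the port defaults to 80 for HTTP and 443 for HTTPS. The canonicalUrl helper is an assumption added for illustration: it shows how two spellings of the same resource (with and without the default port, different host case) can be compared when checking the uniqueness requirement stated above; the documentation does not say how the device itself compares URLs.

```javascript
// Added example (not from the documentation): parse resource URLs in the
// scheme://user:password@host:port/path form of Tables 15 and 16.
const DEFAULT_PORT = { http: 80, https: 443 };

// Groups: 1 scheme, 2 user, 3 password, 4 host (bracketed IPv6 or name/IPv4),
// 5 port, 6 path. Scheme and userinfo are optional.
const URL_RE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(?:([^:@\/]*)(?::([^@\/]*))?@)?(\[[0-9a-fA-F:.]+\]|[^:\/\[\]@]+)(?::(\d{1,5}))?(\/.*)?$/i;

function parseResourceUrl(url) {
  const m = URL_RE.exec(url);
  if (!m) throw new Error("malformed URL: " + url);
  const scheme = (m[1] || "http").toLowerCase();          // Table 16: default is HTTP
  if (!(scheme in DEFAULT_PORT)) throw new Error("unsupported scheme: " + scheme);
  let host = m[4];
  const ipv6 = host.charAt(0) === "[";                     // bracketed IPv6 literal
  if (ipv6) host = host.slice(1, -1);
  const port = m[5] ? parseInt(m[5], 10) : DEFAULT_PORT[scheme]; // 80 / 443 when omitted
  if (port < 1 || port > 65535) throw new Error("port out of range: " + port);
  return {
    scheme,
    user: m[2] !== undefined ? m[2] : null,
    password: m[3] !== undefined ? m[3] : null,
    host,
    ipv6,
    port,
    path: m[6] || "",          // "" when the URL names no path
  };
}

// Assumed normalisation for duplicate detection: explicit default port,
// lower-case host, credentials dropped. Illustrative only.
function canonicalUrl(url) {
  const u = parseResourceUrl(url);
  const host = u.ipv6 ? "[" + u.host.toLowerCase() + "]" : u.host.toLowerCase();
  return u.scheme + "://" + host + ":" + u.port + u.path;
}
```

For example, parseResourceUrl("https://[1234::5678]:8080/a.html") returns host 1234::5678 with ipv6 set, port 8080 and path /a.html, while parseResourceUrl("www.example.com") falls back to scheme http and port 80, matching the url item example above.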
Examples
# Specify www.example.com as the URL in URL item serverA.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-item serverA
[Sysname-sslvpn-context-ctx1-url-item-serverA] url www.example.com
url-item
Use url-item to create a URL item and enter its view, or enter the view of an existing URL item.
Use undo url-item to delete a URL item.
Syntax
url-item url-item-name
undo url-item url-item-name
Default
No URL items exist in an SSL VPN context.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
url-item-name: Specifies a name for the URL item, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can create multiple URL items in an SSL VPN context. Each URL item contains an accessible resource URL and can be assigned to a URL list in the SSL VPN context.
A URL item that has been assigned to a URL list cannot be deleted.
Examples
# Create a URL item named serverA and enter URL item view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-item serverA
[Sysname-sslvpn-context-ctx1-url-item-serverA]
url-list
Use url-list to create a URL list and enter its view, or enter the view of an existing URL list.
Use undo url-list to delete a URL list.
Syntax
url-list name
undo url-list name
Default
No URL lists exist.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
name: Specifies a name for the URL list, a case-insensitive string of 1 to 31 characters.
Examples
# Create a URL list named url1 and enter URL list view.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-list url1
[Sysname-sslvpn-context-ctx1-url-list-url1]
Related commands
sslvpn context
url-mapping
Use url-mapping to configure URL mapping in a URL item.
Use undo url-mapping to restore the default.
Syntax
url-mapping { domain-mapping domain-name | port-mapping gateway gateway-name [ virtual-host virtual-host-name ] } [ rewrite-enable ]
undo url-mapping
Default
The normal rewriting method is used.
Views
URL item view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
domain-mapping domain-name: Specifies the domain name mapping method. This method maps the URL to a domain name, a case-insensitive string of 1 to 127 characters which can contain letters, digits, underscores (_), hyphens (-), and dots (.). The specified domain cannot be the same as the domain name of the SSL VPN gateway.
port-mapping gateway gateway-name: Specifies the port mapping method. This method maps the URL to a gateway name and an optional virtual host name. The gateway-name argument specifies the gateway name, a case-insensitive string of 1 to 31 characters which can contain letters, digits, and underscores (_). The specified SSL VPN gateway name must be the name of an existing SSL VPN gateway.
virtual-host virtual-host-name: Specifies the virtual host name, a case-insensitive string of 1 to 127 characters which can contain letters, digits, underscores (_), hyphens (-), and dots (.). Do not specify a virtual host name if you want to use the SSL VPN gateway exclusively for the URL item.
rewrite-enable: Enables the SSL VPN gateway to rewrite the absolute URLs in the resource access response returned from the internal server. These absolute URLs are generally the URLs linked to other servers from the internal server. If you do not specify this keyword, these absolute URLs are not accessible. Enable this rewriting feature as a best practice to improve user experience.
Usage guidelines
The SSL VPN gateway rewrites the resource URLs in resource access responses that contain HTML, XML, CSS, or JavaScript files before sending the URLs to the requesting users. By default, the normal rewriting method is used for the URL rewriting. You can also configure the SSL VPN gateway to use the domain mapping or port mapping method.
Normal rewriting might cause problems such as missed URL rewriting and rewriting errors, resulting in SSL VPN clients not being able to access the internal resources. Use domain mapping or port mapping as a best practice. For more information about these mapping methods, see SSL VPN configuration in Security Configuration Guide.
When configuring the domain mapping method, make sure the SSL VPN client can resolve the mapped domain name (through DNS or the Hosts file) into the IP address of the SSL VPN gateway.
When configuring the port mapping method, you can specify an SSL VPN gateway exclusively for a URL item by specifying the gateway name without a virtual host name. To share an SSL VPN gateway with other URL items or SSL VPN contexts, specify the SSL VPN gateway name together with a virtual host name.
If you execute this command for a URL item multiple times, the most recent configuration takes effect.
Examples
# Create URL item serverA and specify www.server.example.com as the resource URL. Map the resource URL to domain name www.domain.example.com and enable URL rewriting.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-item serverA
[Sysname-sslvpn-context-ctx1-url-item-serverA] url www.server.example.com
[Sysname-sslvpn-context-ctx1-url-item-serverA] url-mapping domain-mapping www.domain.example.com rewrite-enable
# Create URL item serverB and specify www.server.example.com as the resource URL. Map the resource URL to gateway gw1 with virtual host name host1 and enable URL rewriting.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] url-item serverB
[Sysname-sslvpn-context-ctx1-url-item-serverB] url www.server.example.com
[Sysname-sslvpn-context-ctx1-url-item-serverB] url-mapping port-mapping gateway gw1 virtual-host host1 rewrite-enable
Related commands
url-item
url-masking enable
Use url-masking enable to enable URL masking.
Use undo url-masking enable to disable URL masking.
Syntax
url-masking enable
undo url-masking enable
Default
URL masking is disabled.
Views
SSL VPN context view
URL item view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
The URL masking feature hides the real Web access resource URLs configured in an SSL VPN context by converting the URLs into coded strings.
If URL masking is enabled in an SSL VPN context, all the Web resources in the context are enabled with URL masking. In this case, if you want to disable URL masking, you must use the undo url-masking enable command in the SSL VPN context view for all the Web resources.
You can enable or disable URL masking for a single URL in URL item view only when URL masking is disabled in SSL VPN context view.
Examples
# Enable URL masking for the Web resource URL in a URL item.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] url-item urlitem
[Sysname-sslvpn-context-ctx-url-item-urlitem] url-masking enable
# Enable URL masking for all Web resource URLs in an SSL VPN context.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] url-masking enable
user
Use user to create an SSL VPN user and enter SSL VPN user view, or enter the view of an existing SSL VPN user.
Use undo user to delete an SSL VPN user.
Syntax
user username
undo user username
Default
No SSL VPN users exist.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
username: Specifies the SSL VPN username, a case-sensitive string of 1 to 63 characters. The username cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), and right angle bracket (>).
Usage guidelines
You can create multiple SSL VPN users in an SSL VPN context.
Examples
# Create SSL VPN user user1 and enter SSL VPN user view.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] user user1
[Sysname-sslvpn-context-ctx-user-user1]
verification-code send-interval
Use verification-code send-interval to set the SMS verification code resend interval.
Use undo verification-code send-interval to restore the default.
Syntax
verification-code send-interval seconds
undo verification-code send-interval
Default
The SMS verification code resend interval is 60 seconds.
Views
SMS gateway authentication view
Predefined user roles
network-admin
context-admin
Parameters
seconds: Specifies the verification code resend interval, in the range of 0 to 3600 seconds.
Usage guidelines
Non-default vSystems do not support this command.
This interval is the minimum amount of time that a user must wait before the user can re-obtain the SMS verification code.
Examples
# In SMS gateway authentication view, set the verification code resend interval to 80 seconds.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] sms-auth sms-gw
[Sysname-sslvpn-context-ctx1-sms-auth-sms-gw] verification-code send-interval 80
verification-code validity
Use verification-code validity to set the SMS verification code validity period.
Use undo verification-code validity to restore the default.
Syntax
verification-code validity minutes
undo verification-code validity
Default
The SMS verification code validity period is one minute.
Views
SMS gateway authentication view
Predefined user roles
network-admin
context-admin
Parameters
minutes: Specifies the verification code validity period, in the range of 1 to 1440 minutes.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# In SMS gateway authentication view, set the verification code validity period to 30 minutes.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] sms-auth sms-gw
[Sysname-sslvpn-context-ctx1-sms-auth-sms-gw] verification-code validity 30
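The two SMS gateway timers above (verification-code send-interval and verification-code validity) interact in a way the command descriptions only state separately: the resend interval rate-limits how often a new code can be issued, while the validity period bounds how long an issued code can be redeemed. The following model is an added example written for this page, not H3C's implementation; the class name VerificationCodeStore, the phone-number keyed store, the attempt limit and the caller-supplied clock are assumptions made for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class IssuedCode:
    code: str
    issued_at: float      # seconds on the caller's clock (assumption: injected for testability)
    attempts: int = 0


@dataclass
class VerificationCodeStore:
    """Models the SMS verification-code timers. Defaults follow the page:
    send-interval 60 seconds, validity 1 minute. max_attempts is an
    assumption for this example, not a setting on the page."""
    send_interval_s: int = 60
    validity_min: int = 1
    max_attempts: int = 3
    _codes: Dict[str, IssuedCode] = field(default_factory=dict)

    def request_code(self, phone: str, now: float) -> Optional[str]:
        """Issue a fresh 6-digit code, or return None while the resend
        interval since the previous code for this phone has not elapsed."""
        prev = self._codes.get(phone)
        if prev is not None and now - prev.issued_at < self.send_interval_s:
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[phone] = IssuedCode(code=code, issued_at=now)
        return code

    def verify(self, phone: str, code: str, now: float) -> bool:
        """Accept only a matching code that is still within its validity
        period. A code is discarded once accepted, once expired, or once
        the attempt limit is reached, so it cannot be replayed or guessed
        indefinitely."""
        issued = self._codes.get(phone)
        if issued is None:
            return False
        if now - issued.issued_at > self.validity_min * 60:
            del self._codes[phone]          # expired: the user must request a new code
            return False
        issued.attempts += 1
        if hmac.compare_digest(issued.code, code):
            del self._codes[phone]          # single use
            return True
        if issued.attempts >= self.max_attempts:
            del self._codes[phone]          # too many wrong guesses
        return False
```

With send-interval 80 and validity 30 as in the two page examples, a second request 50 seconds after the first is refused, a request at 80 seconds succeeds, and a code presented more than 30 minutes after issue is rejected and discarded.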
verify-code enable
Use verify-code enable to enable code verification.
Use undo verify-code enable to disable code verification.
Syntax
verify-code enable
undo verify-code enable
Default
Code verification is disabled.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
After code verification is enabled, a user must enter a correct verification code to log in to the SSL VPN webpage.
Examples
# Enable code verification.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] verify-code enable
vpn-instance (SSL VPN context view)
Use vpn-instance to associate an SSL VPN context with a VPN instance.
Use undo vpn-instance to restore the default.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
An SSL VPN context is associated with the public network.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
vpn-instance-name: Specifies the name of a VPN instance, a case-sensitive string of 1 to 31 characters.
Usage guidelines
Non-default vSystems do not support this command.
After you associate an SSL VPN context with a VPN instance, the resources managed by the context belong to the VPN instance.
An SSL VPN context can be associated with only one VPN instance.
You can associate an SSL VPN context with a nonexistent VPN instance. The context does not take effect until the associated VPN instance is created.
If you change the VPN instance associated with an SSL VPN context, all user-to-IP address bindings configured for SSL VPN users in the SSL VPN context will be removed.
Examples
# Associate SSL VPN context context1 with VPN instance vpn1.
<Sysname> system-view
[Sysname] sslvpn context context1
[Sysname-sslvpn-context-context1] vpn-instance vpn1
vpn-instance (SSL VPN gateway view)
Use vpn-instance to specify a VPN instance for an SSL VPN gateway.
Use undo vpn-instance to restore the default.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
An SSL VPN gateway belongs to the public network.
Views
SSL VPN gateway view
Predefined user roles
network-admin
context-admin
Parameters
vpn-instance-name: Specifies the name of a VPN instance, a case-sensitive string of 1 to 31 characters.
Usage guidelines
Non-default vSystems do not support this command.
The VPN instance specified for an SSL VPN gateway is called a front VPN instance.
You can specify only one VPN instance for an SSL VPN gateway.
You can specify a nonexistent VPN instance for an SSL VPN gateway. The SSL VPN gateway does not take effect until the VPN instance is created.
Examples
# Specify VPN instance vpn1 for SSL VPN gateway gateway1.
<Sysname> system-view
[Sysname] sslvpn gateway gateway1
[Sysname-sslvpn-gateway-gateway1] vpn-instance vpn1
vrrp vrid
Use vrrp vrid to bind a VRRP group to an SSL VPN SNAT address pool.
Use undo vrrp to restore the default.
Syntax
vrrp vrid virtual-router-id
undo vrrp
Default
No VRRP group is bound to an SSL VPN SNAT address pool.
Views
SSL VPN SNAT address pool view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
virtual-router-id: Specifies a VRRP group by its virtual router ID, in the range of 1 to 255.
Usage guidelines
When the SSL VPN gateway is in a VRRP group that is associated with the HA group, bind that VRRP group to the SNAT address pool if the address pool and the server-side interface are on the same network segment. Without this binding, the SNAT address pool does not function.
For more information about the HA group configuration, see RBM configuration in High Availability Configuration Guide.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Bind VRRP group 1 to SNAT address pool spool1.
<Sysname> system-view
[Sysname] sslvpn snat-pool spool1
[Sysname-sslvpn-snatpool-spool1] vrrp vrid 1
web-access ip-client auto-activate
Use web-access ip-client auto-activate to enable automatic startup of the IP access client after Web login.
Use undo web-access ip-client auto-activate to disable automatic startup of the IP access client after Web login.
Syntax
web-access ip-client auto-activate
undo web-access ip-client auto-activate
Default
Automatic startup of the IP access client after Web login is disabled.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
vsys-admin
Usage guidelines
With this feature enabled, after a user logs in to the SSL VPN gateway through a Web browser, the IP access client on the user host will automatically connect to the gateway. If the IP access client software is not installed, the user will be prompted to install the software first.
For the IP access client to connect to the SSL VPN gateway correctly, make sure the IP access service and resources are configured on the SSL VPN gateway.
If an SSL VPN user has already logged in through an IP access client when this feature is enabled, the user cannot access the SSL VPN gateway directly through the Web browser. To access the SSL VPN gateway through the Web browser, the user must click Open Resource List in the IP access client.
Examples
# Enable automatic startup of the IP access client after Web login in SSL VPN context ctx1.
<Sysname> system-view
[Sysname] sslvpn context ctx1
[Sysname-sslvpn-context-ctx1] web-access ip-client auto-activate
webpage-customize
Use webpage-customize to specify a webpage template for SSL VPN webpage customization.
Use undo webpage-customize to restore the default.
Syntax
webpage-customize template-name
undo webpage-customize
Default
The global SSL VPN webpage template is used.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
template-name: Specifies a webpage template by its name, a string of 1 to 31 characters. The name cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), quotation mark ("), question mark (?), left angle bracket (<), and right angle bracket (>).
Usage guidelines
Non-default vSystems do not support this command.
This command allows you to set the webpage template for an SSL VPN context. Both predefined and user-defined webpage templates are available.
You can upload and download webpage templates through the SSL VPN Web interface.
To view all webpage templates in the system, use the display sslvpn webpage-customize template command.
In an SSL VPN context, the webpage template specified for the SSL VPN context takes precedence over the global SSL VPN webpage template. To set the global SSL VPN webpage template, use the sslvpn webpage-customize command in system view.
If a user-defined webpage template is specified in an SSL VPN context, all other webpage customization settings are invalid for the SSL VPN context.
Examples
# Use webpage template template1 to customize SSL VPN webpages in SSL VPN context ctx.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] webpage-customize template1
Related commands
display sslvpn webpage-customize template
sslvpn webpage-customize
wechat-work-authentication app-secret
Use wechat-work-authentication app-secret to specify the app secret key for WeChat Work (or WeCom) authentication.
Use undo wechat-work-authentication app-secret to restore the default.
Syntax
wechat-work-authentication app-secret app-secret
undo wechat-work-authentication app-secret
Default
No app secret key is specified for WeChat Work authentication.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
app-secret: Specifies the app secret key, a case-insensitive string of 1 to 127 characters.
Usage guidelines
Non-default vSystems do not support this command.
Each app has an independent secret key to ensure data security. Make sure the app secret key is not leaked.
The app secret key and the company ID are used together to generate important credentials for the SSL VPN gateway to obtain user information from the WeChat Work API server.
To view this secret key on the WeChat Work management platform, select the target app on the App Management page.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the app secret key as hpLRFnu7OxedV5bNd9OD0Xi in SSL VPN context ctx.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] wechat-work-authentication app-secret hpLRFnu7OxedV5bNd9OD0Xi
Related commands
wechat-work-authentication corp-id
wechat-work-authentication authorize-field
Use wechat-work-authentication authorize-field to specify the name of the authorization policy group field.
Use undo wechat-work-authentication authorize-field to restore the default.
Syntax
wechat-work-authentication authorize-field authorize-field
undo wechat-work-authentication authorize-field
Default
No authorization policy group field name is specified for WeChat Work authentication.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
authorize-field: Specifies the name of the authorization policy group field, a case-insensitive string of 1 to 31 characters. Chinese characters are supported.
Usage guidelines
Non-default vSystems do not support this command.
The SSL VPN gateway uses the specified field name to obtain the authorization policy group name (the organization information of users) from the response of the WeChat Work API server.
Assume that the name of the authorization policy group field is group. If the response of the WeChat Work API server contains the field group:ziliao, the SSL VPN gateway obtains the user’s authorization policy group name, ziliao. Then, the gateway will check whether a local policy group named ziliao exists:
· If yes, the user is authorized to access the corresponding internal resources in this policy group.
· If no, the user is authorized to access internal resources in the default policy group.
For the SSL VPN gateway to successfully resolve the authorization policy group name from the response, make sure you specify the correct authorization policy group field name in this command. You can obtain the authorization policy group field name from WeChat Work before executing this command.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the name of the authorization policy group field as group in SSL VPN context ctx.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] wechat-work-authentication authorize-field group
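The lookup described in the usage guidelines (read the configured field from the API response, use its value as a policy group name if such a group exists locally, otherwise fall back to the default policy group) can be written out as follows. This is an added example for this page, not H3C's code: the function name resolve_policy_group, the name "default" for the default policy group, and the sample JSON response are all constructed for the illustration. The example also covers the failure modes the page does not spell out (unparseable response, field missing or not a string), all of which fall back to the default group.

```python
import json
from typing import Set, Tuple

DEFAULT_POLICY_GROUP = "default"   # assumed name of the context's default policy group

# Constructed sample of a WeChat Work API response body for this example;
# only the two fields the example needs are present.
SAMPLE_RESPONSE = json.dumps({"userid": "zhangsan", "group": "ziliao"})


def resolve_policy_group(api_response: str, authorize_field: str,
                         local_groups: Set[str]) -> Tuple[str, str]:
    """Return (policy group to apply, reason).

    authorize_field is the value configured with
    wechat-work-authentication authorize-field; local_groups are the policy
    groups that exist in the SSL VPN context. Field names are matched
    exactly as configured. Any problem with the response falls back to the
    default policy group, mirroring the "If no" case in the guidelines.
    """
    try:
        data = json.loads(api_response)
    except json.JSONDecodeError:
        return DEFAULT_POLICY_GROUP, "response is not valid JSON"
    if not isinstance(data, dict):
        return DEFAULT_POLICY_GROUP, "response is not a JSON object"
    value = data.get(authorize_field)
    if not isinstance(value, str) or not value:
        return DEFAULT_POLICY_GROUP, f"field {authorize_field!r} absent or not a string"
    if value in local_groups:
        return value, f"local policy group {value!r} exists"
    return DEFAULT_POLICY_GROUP, f"no local policy group named {value!r}"
```

With the field name set to group and a local policy group ziliao, the sample response yields ziliao; with no such local group, or with the field name configured as something the response does not carry, the user lands in the default policy group, which is the outcome the last paragraph of the guidelines warns about when the field name is wrong.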
wechat-work-authentication corp-id
Use wechat-work-authentication corp-id to specify the company ID for WeChat Work authentication.
Use undo wechat-work-authentication corp-id to restore the default.
Syntax
wechat-work-authentication corp-id corp-id
undo wechat-work-authentication corp-id
Default
No company ID is specified for WeChat Work authentication.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
corp-id: Specifies the company ID, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Non-default vSystems do not support this command.
A company ID uniquely identifies a company on WeChat Work. The company ID and the secret key are used together to generate important credentials for the SSL VPN gateway to obtain user information from the WeChat Work API server.
To view the company ID on the WeChat Work management platform, go to My Company > Company Information.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the company ID as wxdd725338566d6ffe in SSL VPN context ctx.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] wechat-work-authentication corp-id wxdd725338566d6ffe
Related commands
wechat-work-authentication app-secret
wechat-work-authentication enable
Use wechat-work-authentication enable to enable WeChat Work authentication.
Use undo wechat-work-authentication enable to disable WeChat Work authentication.
Syntax
wechat-work-authentication enable
undo wechat-work-authentication enable
Default
WeChat Work authentication is disabled.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
After WeChat Work authentication is enabled, the device obtains user information of a company from WeChat Work and uses the user information for authentication and authorization. If the authentication and authorization succeed, the users can access the internal resources. This feature is transparent to the users in the company.
Examples
# Enable WeChat Work authentication in SSL VPN context ctx.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] wechat-work-authentication enable
wechat-work-authentication open-platform-url
Use wechat-work-authentication open-platform-url to specify the WeChat open platform URL.
Use undo wechat-work-authentication open-platform-url to restore the default.
Syntax
wechat-work-authentication open-platform-url { pre-defined | user-defined user-defined-url }
undo wechat-work-authentication open-platform-url
Default
No WeChat open platform URL is specified.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
pre-defined: Specifies the predefined WeChat open platform URL, https://open.weixin.qq.com.
user-defined user-defined-url: Specifies the WeChat open platform URL as needed, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Non-default vSystems do not support this command.
Typically, after receiving a response from the internal server, the SSL VPN gateway checks whether the HTTP header contains a Location field. If it does, the SSL VPN gateway rewrites the URL in the Location field and forwards the response to the SSL VPN client, and the client's subsequent requests go to the rewritten URL.
In particular cases, the response from the internal server to the SSL VPN gateway might require the user to send an authentication request to WeChat Work again. In this case, the SSL VPN gateway must not rewrite the WeChat Work server URL in the Location field, so that the client can reach the WeChat Work server to complete authentication and authorization. If the SSL VPN gateway rewrites that URL, the WeChat Work server never receives the client's request and WeChat Work authentication fails.
This command specifies the URL in the Location field that the SSL VPN gateway will not rewrite. For WeChat Work authentication to operate correctly, set it to the WeChat open platform URL.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the predefined URL https://open.weixin.qq.com/ as the WeChat open platform URL in SSL VPN context ctx.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] wechat-work-authentication open-platform-url pre-defined
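The Location handling described in the usage guidelines has two branches: rewrite redirects to internal servers so the client keeps going through the gateway, but pass a redirect to the configured WeChat open platform URL through untouched. The following is an added example for this page, not H3C's code. The gateway address sslvpn.example.com, the /proxy/<encoded-url> form of a rewritten URL and the helper names are assumptions; the open platform value is the page's pre-defined URL. The exception is decided by comparing the full origin (scheme, host and port), because a simple "starts with" test on the configured string would also exempt any longer host name that merely begins with the same labels.

```python
from typing import Dict
from urllib.parse import quote, urlsplit

OPEN_PLATFORM_URL = "https://open.weixin.qq.com"   # the page's pre-defined value
GATEWAY_ORIGIN = "https://sslvpn.example.com"      # assumed SSL VPN gateway address

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _same_origin(url: str, base: str) -> bool:
    """Compare scheme, host and effective port; urlsplit already lowercases
    the scheme and hostname, so case differences do not matter."""
    u, b = urlsplit(url), urlsplit(base)
    if u.scheme != b.scheme:
        return False
    if (u.hostname or "") != (b.hostname or ""):
        return False
    u_port = u.port or _DEFAULT_PORTS.get(u.scheme)
    b_port = b.port or _DEFAULT_PORTS.get(b.scheme)
    return u_port == b_port


def rewrite_location(location: str, open_platform_url: str = OPEN_PLATFORM_URL) -> str:
    """Return the Location value the gateway forwards to the SSL VPN client.

    A redirect to the WeChat open platform is returned unchanged so the
    client can complete authentication there. Any other absolute URL is
    rewritten to a gateway URL (assumed form). A relative target resolves
    against the gateway URL the client already uses, so it needs no change.
    """
    parts = urlsplit(location)
    if not parts.scheme or not parts.netloc:
        return location
    if _same_origin(location, open_platform_url):
        return location
    return f"{GATEWAY_ORIGIN}/proxy/{quote(location, safe='')}"


def rewrite_response_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Apply rewrite_location to the response's Location header, if present;
    other headers are copied through unchanged."""
    out = dict(headers)
    for name in out:
        if name.lower() == "location":
            out[name] = rewrite_location(out[name])
    return out
```

A redirect to https://open.weixin.qq.com/... passes through, including with an explicit :443 or different letter case, while a redirect to an internal server, to a host whose name only starts with open.weixin.qq.com, or to the open platform host over plain http is rewritten.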
wechat-work-authentication timeout
Use wechat-work-authentication timeout to specify the WeChat Work authentication timeout.
Use undo wechat-work-authentication timeout to restore the default.
Syntax
wechat-work-authentication timeout seconds
undo wechat-work-authentication timeout
Default
The WeChat Work authentication timeout is 15 seconds.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
seconds: Specifies the WeChat Work authentication timeout, in the range of 5 to 50 seconds.
Usage guidelines
Non-default vSystems do not support this command.
A WeChat Work authentication attempt fails if the SSL VPN gateway does not receive a response from the WeChat Work API server within the timeout after sending an HTTP request.
If the network delay is large, increase the timeout as a best practice so that slow but successful responses are not treated as timeouts. If the network delay is small, reduce the timeout as a best practice so that failures are detected sooner.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the WeChat Work authentication timeout as 20 seconds in SSL VPN context ctx.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] wechat-work-authentication timeout 20
wechat-work-authentication url
Use wechat-work-authentication url to specify the URL of the WeChat Work API server.
Use undo wechat-work-authentication url to restore the default.
Syntax
wechat-work-authentication url url
undo wechat-work-authentication url
Default
No WeChat Work API server URL is specified.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
url: Specifies the URL of the WeChat Work API server, a case-insensitive string of 1 to 255 characters.
Usage guidelines
Non-default vSystems do not support this command.
To use WeChat Work authentication, you must execute this command to specify the actual URL of the WeChat Work API server. The SSL VPN gateway interacts with the specified WeChat Work API server to obtain user information upon receiving a packet redirected from the WeChat Work server. Then, the SSL VPN gateway uses the obtained information for user authentication and authorization.
The SSL VPN gateway requires domain name resolution to resolve the specified URL into the IP address of the WeChat Work API server. For more information about domain name resolution, see DNS configuration in Layer 3—IP Services Configuration Guide.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the URL of the WeChat Work API server as https://qyapi.weixin.qq.com in SSL VPN context ctx.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] wechat-work-authentication url https://qyapi.weixin.qq.com
wechat-work-authentication userid-field
Use wechat-work-authentication userid-field to specify the user ID field name used by the SSL VPN gateway to access the internal server.
Use undo wechat-work-authentication userid-field to restore the default.
Syntax
wechat-work-authentication userid-field userid-field
undo wechat-work-authentication userid-field
Default
No user ID field name is configured for the SSL VPN gateway to access the internal server.
Views
SSL VPN context view
Predefined user roles
network-admin
context-admin
Parameters
userid-field: Specifies the user ID field name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Non-default vSystems do not support this command.
A user ID (user account) on WeChat Work uniquely identifies a user within a company. The SSL VPN gateway interacts with the WeChat Work API server to obtain user information, which contains the user ID of a user.
The SSL VPN gateway uses the specified user ID field name and the obtained user ID to construct the parameter carried in the access request it sends to an internal server. For example, if you configure the user ID field name as login and the obtained user ID is zhangsan, the SSL VPN gateway constructs the parameter login=zhangsan. On receiving the request from the SSL VPN gateway, the internal server extracts the value of the login field, zhangsan, as the user ID. To make sure the SSL VPN gateway encapsulates the parameter correctly, obtain the user ID field name from the internal server in advance.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the user ID field name as login in SSL VPN context ctx.
<Sysname> system-view
[Sysname] sslvpn context ctx
[Sysname-sslvpn-context-ctx] wechat-work-authentication userid-field login
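The login=zhangsan construction in the usage guidelines is straightforward for a plain user ID; the part worth showing in code is that the value must be percent-encoded when it is appended to the request, so that a user ID containing a reserved character (space, &, =) still arrives at the internal server as a single value. The following is an added example for this page, not H3C's code; the helper names, the internal server URL oa.intranet.example and the sample user IDs are constructed for the illustration.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def build_userid_param(userid_field: str, user_id: str) -> str:
    """Return the field=value parameter the gateway adds to its request.

    urlencode percent-encodes the value, so reserved characters in the user
    ID cannot be read by the server as extra parameters.
    """
    if not user_id:
        raise ValueError("user ID missing from WeChat Work user information")
    return urlencode({userid_field: user_id})


def append_param(url: str, param: str) -> str:
    """Append the parameter to url, preserving any query string it already has."""
    parts = urlsplit(url)
    query = f"{parts.query}&{param}" if parts.query else param
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def server_side_user_id(url: str, userid_field: str) -> Optional[str]:
    """What the internal server extracts: the configured field's value from
    the request's query string, or None if the field is absent."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(userid_field)
    return values[0] if values else None
```

For user ID zhangsan the parameter is exactly login=zhangsan as on the page; for a user ID such as "zhang san&dept=it" the encoded form is login=zhang+san%26dept%3Dit, and the server recovers the original string as the single login value with no dept parameter.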