
Post on 29-Sep-2020


  • Step-by-Step Configuration of H3C SSL VPN

    Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/30

    Step-by-Step Configuration of H3C SSL VPN

    Keywords: SSL, VPN, HTTPS, Web, TCP, IP

    Abstract: This document describes the SSL VPN features, application guide as well as the configuration example.

    Acronyms:

    Acronym   Full spelling
    SSL       Security Socket Layer
    VPN       Virtual Private Network
    HTTPS     Hypertext Transfer Protocol Secure
    TCP       Transfer Control Protocol
    IP        Internet Protocol

    Table of Contents

    Overview
        Features
        Benefits
    Application Guide
        Application Scenarios
        Network Requirements
        Configuration Procedure
            CLI Configuration on SSL VPN
            Configuration on Super Administrator Web Page (Supported by SecBlade SSL VPN Only)
            Configuration on Domain Administrator Web Page
            Configuration on SSL VPN User Web Page
    Configuration Example
        Network Diagram
        SSL VPN CLI Configuration
            SecBlade SSL VPN CLI Configuration
            SecPath SSL VPN CLI Configuration
        SSL VPN Function Configuration
            Logging in to the SSL VPN System
            Configuring Web Services
            Configuring TCP Services
            Configuring IP Services
            Configuring Resources
            Configuring Users
            Logging in as an SSL VPN User
    References

    Overview

    H3C Security Socket Layer (SSL) Virtual Private Network (VPN) system falls into two categories: H3C SecPath SSL VPN and H3C SecBlade SSL VPN. The configuration in this document is applicable to both categories unless otherwise noted.

    Features

    Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols, ensuring confidentiality and reliability. The SSL protocol consists of the handshake protocol, the record protocol, and the alert protocol.

    As VPN is much cheaper and more flexible to use than leased lines, more and more companies are establishing VPNs over public networks such as the Internet, so as to allow employees working at home or traveling on business, employees of branch offices, and partners to access the internal networks.

    SSL VPN is an emerging VPN technology based on Secure HTTP (HTTPS, that is, SSL-supported HTTP). It works between the transport layer and the application layer, and can establish secure connections for communications at the application layer. SSL VPN has been widely used for secure, remote Web-based access.

    SSL VPN is used for granular access control of network resources. It supports three resource access methods: Web access, TCP access, and IP access. Using role-based right management, SSL VPN can restrict user access to resources according to user identity. In addition, it incorporates the user host security checking feature, implementing dynamic user access rights assignment. SSL VPN gateways support Web management. An administrator can configure and manage the SSL VPN system through a Web browser.

    H3C SSL VPN is a secure VPN system based on SSL connections. It allows mobile employees to access corporate networks remotely in an easy and secure way. The H3C SSL VPN devices are a new generation of professional SSL VPN devices for enterprises. They can function as ingress gateways as well as proxy gateways of internal server clusters. The SecPath SSL VPN devices are for small- to medium-sized enterprises, while the SecBlade SSL VPN devices are for medium-sized enterprises.

    Benefits

    Compared with conventional VPN, SSL VPN features high security and more granular control of security. Requiring no user configuration and no client installation, it is simple to deploy and very easy to use.

    Application Guide

    Application Scenarios

    With the popularity of SOHO and mobile offices, the structure of applications is switching from client/server (C/S) to Web-based browser/server (B/S). SSL VPN is used to help employees, customers, and partners to access the intranet and the internal applications remotely in an easy and secure way.

    Network Requirements

    In two-arm mode, the SSL VPN acts as an ingress gateway between the intranet and the Internet, protecting the intranet. Since it is located on the key path for communication between the two, its performance and stability significantly affect data transfer. Figure 1 shows the network diagram for SSL VPN in two-arm mode.

    Figure 1 Network diagram for SSL VPN in two-arm mode

    [Diagram labels: Mobile user, Desktop PC user, Internet, IP network, SSL VPN, LAN, Intranet, Authentication servers, CA server, Log server]

    In one-arm mode, the SSL VPN functions as a proxy gateway to process the packets between the internal server and the external. It is not located on the key path for communication, and thus will not cause any single point of failure. Figure 2 shows the network diagram for SSL VPN in one-arm mode.

    Figure 2 Network diagram for SSL VPN in one-arm mode

    [Diagram labels: Mobile user, Desktop PC user, Internet, IP network, SSL VPN, LAN, Intranet, Authentication servers, CA server, Log server]

    Configuration Procedure

    CLI Configuration on SSL VPN

    Perform the following configuration on the SSL VPN:

    1) Enable the Web server.

    2) Enable the SSL VPN services.

    The Web server and SSL VPN services are enabled by default on the SSL VPN system, so you do not need to perform this configuration manually.

    Configuration on Super Administrator Web Page (Supported by SecBlade SSL VPN Only)

    Super administrator: Managers of the entire system. A super administrator can create domains, initialize the administrator passwords of domains, assign resource groups to domains, and specify whether a domain administrator can create new resources.

    Configuration on Domain Administrator Web Page

    Domain administrator: Managers of SSL VPN domains. A domain administrator can create and delete local users, user groups, resources, resource groups, and security policies for the domain, controlling the access rights of users in the domain.

    Configuration on SSL VPN User Web Page

    SSL VPN user: Users accessing network resources through the SSL VPN system. An SSL VPN user must pass authentication to log into the SSL VPN system. After authentication, an SSL VPN user can access the SSL VPN gateway, and the SSL VPN system will assign the user access rights based on the security status of the user and the user group to which the user belongs.


    The Web page operation steps will be detailed in the configuration example later.

    H3C SecBlade SSL VPN defines three roles: super administrator, domain administrator, and SSL VPN user. Figure 3 depicts the relationships among administrators, users, user groups, resources, and resource groups.

    Figure 3 Details between roles and resources

    The system has a default domain called the root domain. All users in the root domain are super administrators, whose responsibilities include managing devices, creating common domains, creating resources, and assigning resources to common domains. In addition, the super administrators can specify whether a domain administrator can create new resources. (Supported by SecBlade SSL VPN only)

    The domain administrators create and maintain local users, user groups, resources, and resource groups. One resource can be assigned to multiple resource groups and one resource group can contain multiple resources. The same applies to users and user groups. Assigning resource groups to user groups defines which users in the specified groups can visit these resources. Similarly, one resource group can be assigned to multiple user groups and one user group can contain multiple resource groups.


    The root domain and super administrator configuration is only supported on the SecBlade SSL VPN.

    SecPath SSL VPN supports only one domain while SecBlade SSL VPN supports multiple domains. For the maximum number of common domains, refer to the product specifications.

    At present, SecBlade SSL VPN devices have three models, applicable to S7500E/S9500 switches and SR6600 routers. The difference is that the SSL VPN card for S7500E switches uses four GE interfaces to communicate with the S7500E backplane, while that for S9500/SR6600 uses one 10-GE interface to communicate with the S9500/SR6600 backplane. Software functions of the two models have no differences. The following SecBlade SSL VPN related sections all take the SSL VPN card for S7500E as an example.

    Configuration Example

    Network Diagram

    Figure 4 Network diagram for configuring SecBlade SSL VPN in one-arm mode

    Figure 5 Network diagram for configuring SecPath SSL VPN in two-arm mode

    SSL VPN CLI Configuration

    SecBlade SSL VPN CLI Configuration

    Configuration on S7500E

    [S7503E]vlan 100 //*Perform the port configuration according to Figure 4.*//
    [S7503E-vlan100]port GigabitEthernet 3/0/1
    [S7503E-vlan100]port GigabitEthernet 4/0/1
    [S7503E-vlan100]quit
    [S7503E]interface vlan 100
    [S7503E-Vlan-interface100]ip address 172.1.1.3 24
    [S7503E-Vlan-interface100]quit
    [S7503E]vlan 200
    [S7503E-vlan200]port GigabitEthernet 4/0/13
    [S7503E-vlan200]quit
    [S7503E]interface vlan 200
    [S7503E-Vlan-interface200]ip address 172.2.1.1 24
    [S7503E-Vlan-interface200]quit
    [S7503E]ip route-static 10.5.1.0 24 172.1.1.2 //*Configure a static route from the internal network to the virtual network segment, specifying the SSL VPN card as the next hop.*//
    [S7503E]ip route-static 0.0.0.0 0 172.1.1.1 //*Configure a default route to the external network.*//
    [S7503E]ip route-static 192.168.0.0 16 172.2.1.2
    [S7503E]ip route-static 10.0.0.0 8 172.2.1.2
    [S7503E]interface g3/0/1
    [S7503E-GigabitEthernet3/0/1]speed 1000
    [S7503E-GigabitEthernet3/0/1]duplex full //*Configure the interface connected with the back plane to work in forced mode and make sure the interface is up.*//
    [S7503E-GigabitEthernet3/0/1]quit

    Configuration on the SecBlade SSL VPN

    [H3C]interface GigabitEthernet 0/0/0
    [H3C-GigabitEthernet0/0/0]ip address 172.1.1.2 24
    [H3C-GigabitEthernet0/0/0]quit
    [H3C]ip route-static 0.0.0.0 0 172.1.1.3
    [H3C]ntp-service unicast-server 172.1.1.3 //*Specify the NTP server. The SSL VPN card does not support the local clock and the device time defaults to year 2000, so without this configuration, the certificate will expire.*//

    Routing Configuration on the NAT-in Node

    [H3C]ip route-static 10.5.1.0 24 172.2.1.1 //*Configure a route to the virtual network segment.*//
    [H3C]ip route-static 172.1.1.0 24 172.2.1.1

    Service configuration on the SecBlade SSL VPN

    [H3C] svpn service enable //*Enable the SSL VPN services*//
    [H3C] web server enable //*Enable the Web server*//

    The Web server and SSL VPN services are enabled by default on the SSL VPN system, so you do not need to perform this configuration manually.

    The SecBlade SSL VPN is applicable for S7500E/S9500 switches and SR6600 routers, and typically resides on the internal network, thus one-arm mode is adopted.

    If no NAT-IN node is present, you need to perform route configurations on the nodes in the internal network to ensure that there are routes to the virtual network segment (10.5.1.0/24).

    The above configuration of the GE interface of SecBlade SSL VPN for S7500E is also applicable to the 10-GE interface of the SecBlade SSL VPN for S9500/SR6600.
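
    The route selection this configuration relies on, as an added Python example that is not part of the original H3C document: the S7500E carries both 10.0.0.0/8 via 172.2.1.2 and 10.5.1.0/24 via 172.1.1.2, so traffic for the virtual network segment reaches the SSL VPN card only because the /24 is the longer match. The client pool 10.5.1.2 to 10.5.1.100 and all function names are assumptions.

```python
import ipaddress
import re

# Static routes copied from the S7500E configuration on this page.
S7500E_ROUTES = """\
[S7503E]ip route-static 10.5.1.0 24 172.1.1.2
[S7503E]ip route-static 0.0.0.0 0 172.1.1.1
[S7503E]ip route-static 192.168.0.0 16 172.2.1.2
[S7503E]ip route-static 10.0.0.0 8 172.2.1.2
"""

SSL_VPN_CARD = "172.1.1.2"  # GigabitEthernet 0/0/0 of the SecBlade card

# Groups: destination, mask (dotted mask or prefix length), next hop.
_IP = r"\d+(?:\.\d+){3}"
ROUTE_RE = re.compile(
    rf"ip route-static\s+({_IP})\s+({_IP}|\d+)\s+({_IP})"
)


def parse_static_routes(config_text):
    """Return [(network, next_hop)] for every ip route-static line."""
    routes = []
    for line in config_text.splitlines():
        match = ROUTE_RE.search(line)
        if match:
            dest, mask, next_hop = match.groups()
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"), next_hop))
    return routes


def next_hop_for(routes, address):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(address)
    covering = [(net, hop) for net, hop in routes if addr in net]
    if not covering:
        return None
    return max(covering, key=lambda route: route[0].prefixlen)[1]


def misrouted_pool_addresses(routes, start_ip, end_ip, expected_hop):
    """List pool addresses whose traffic would not be sent to expected_hop."""
    start = int(ipaddress.ip_address(start_ip))
    end = int(ipaddress.ip_address(end_ip))
    misrouted = []
    for value in range(start, end + 1):
        address = str(ipaddress.ip_address(value))
        if next_hop_for(routes, address) != expected_hop:
            misrouted.append(address)
    return misrouted


if __name__ == "__main__":
    routes = parse_static_routes(S7500E_ROUTES)
    for sample in ("10.5.1.10", "10.1.2.3", "192.168.96.22", "8.8.8.8"):
        print(sample, "->", next_hop_for(routes, sample))

    # Assumed client pool inside the virtual network segment 10.5.1.0/24.
    pool = ("10.5.1.2", "10.5.1.100")
    print("misrouted:", misrouted_pool_addresses(routes, *pool, SSL_VPN_CARD))

    # Failure mode: without the /24, the 10.0.0.0/8 route swallows the pool
    # and return traffic for VPN clients never reaches the SSL VPN card.
    broken = [r for r in routes if str(r[0]) != "10.5.1.0/24"]
    print("without the /24:", next_hop_for(broken, "10.5.1.10"))
```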

    SecPath SSL VPN CLI Configuration

    Basic Configuration

    [H3C] interface Ethernet0/0
    [H3C-Ethernet0/0] ip address 192.168.96.22 255.255.255.0
    [H3C-Ethernet0/0] quit
    [H3C] interface Ethernet0/1
    [H3C-Ethernet0/1] ip address 155.1.1.1 255.0.0.0
    [H3C-Ethernet0/1] quit
    [H3C] ip route-static 0.0.0.0 0 155.1.1.1 preference 60


    SVPN Configuration

    [H3C] svpn service enable //*Enable the SSL VPN services*//
    [H3C] web server enable //*Enable the Web server*//

    Note that the Web server and SSL VPN services are enabled on the SSL VPN system by default, so you do not need to perform this configuration manually.

    SSL VPN Function Configuration

    Logging in to the SSL VPN System

    Logging in as a super administrator (supported on SecBlade SSL VPN only)

    1) In the address bar, type https://155.1.1.1:444 where 155.1.1.1:444 is the address of the SSL VPN interface that connects to the external network. Press Enter to enter the SSL VPN login page. Note that the security alert dialog box as shown in Figure 6 will appear. In this case, select Yes.

    Figure 6 Security alert

    Use the default super administrator account "administrator" to log in to the SSL VPN system with the local authentication method. Type administrator in the username and password text boxes, select Super administrator from the Identity drop-down list, and click Login, as shown in Figure 7.


    Figure 7 SSL VPN login page

    2) Create domain h3c and initialize the password of the domain administrator.

    Select Domain from the navigation tree to enter the domain policy configuration page. Click Add to enter the page for creating a domain and click Configure to edit the existing domains.

    Figure 8 Create a domain policy

    Creating domain h3c will create a default domain administrator with the account name administrator at the same time. Specify the password for the default domain administrator, 123456 in this example. On the page, you can also configure the timeout time as 30 minutes and the maximum concurrent online users as 100. In the Authorized Resource area, you can assign existing resource groups to the domain and specify to allow domain administrator to add resources.

    3) After completing the configuration, select Domain > Configuration Management to enter the configuration management page. Click Save to save your configuration; otherwise, the configuration will be lost after system reboot.

    Figure 9 Configuration management

    For the same purpose, a domain administrator should go to the configuration management page to save the configuration that has been made.

    Logging in as a domain administrator

    The following describes configurations in a common domain.

    1) Log in to the SecBlade SSL VPN system as a domain administrator.

    Type https://155.1.1.1:444 (the same as that for the super administrator's login page) in the address bar. On the login page, type the username administrator and the password 1234567 configured by the super administrator, select Administrator from the Identity drop-down list, and then click Login to enter the domain h3c of the SSL VPN system using the local authentication method.

    Figure 10 Login page for a domain administrator


    In a domain, users that belong to the administrators group are the administrators of the domain. A domain administrator is also a common user. If you are a domain administrator but log in as a common user, you enter the interface for common users, but the resources that you can access are those specified for the administrators group.

    2) Log in to the SecPath SSL VPN system as a domain administrator.

    Enter https://155.1.1.1/admin in the address bar to enter the login page. Type the default domain administrator username and password, which are both administrator, and click Login.

    Figure 11 Log in as a domain administrator

    Configuring Web Services

    Configuring Web proxy service

    A remote Web server provides services through Web pages. SSL VPN provides secure links between users and the Web servers, and it can block access from unauthorized users.

    Select Resource > Web Site from the navigation tree to enter the Web proxy configuration page. Click Add to enter the page for creating Web proxy server resources.


    Figure 12 Create a Web proxy server resource

    The Website Name can be an IP address or a domain name. When a domain name is configured, configure a DNS server through command lines.

    The Site Matching Pattern supports fuzzy match. Use asterisks (*) for fuzzy match and vertical bars (|) to separate matching conditions. For example, if you want to specify the Web pages of sports.sina.com and news.sina.com, you can type only *.sina.com in the text box.

    After the resource is created successfully, the Web proxy server list as shown below appears.

    Figure 13 Web proxy server list
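
    How a Site Matching Pattern selects hosts, as an added Python example (not H3C code), useful for reviewing a pattern before it is entered. It assumes the semantics described above: an asterisk matches any run of characters, vertical bars separate alternatives, and the whole host name must match. The gateway's actual matcher may differ, and all function names are hypothetical.

```python
import re


def _alternatives(pattern):
    """Split a pattern on vertical bars, dropping empty alternatives."""
    return [alt.strip() for alt in pattern.split("|") if alt.strip()]


def compile_site_pattern(pattern):
    """Translate a Site Matching Pattern into a compiled regular expression."""
    alternatives = _alternatives(pattern)
    if not alternatives:
        raise ValueError("pattern contains no matching condition")
    regexes = []
    for alt in alternatives:
        # Escape the literal text and let each asterisk match any characters.
        regexes.append(".*".join(re.escape(part) for part in alt.split("*")))
    return re.compile("(?:" + "|".join(regexes) + ")", re.IGNORECASE)


def site_matches(pattern, host):
    """True when the whole host name matches one alternative of the pattern."""
    return compile_site_pattern(pattern).fullmatch(host) is not None


def overbroad_alternatives(pattern):
    """Return alternatives that match hosts outside the intended domain.

    Flagged: a bare wildcard, a leading asterisk not followed by a dot
    (*sina.com also matches notsina.com), and a trailing asterisk
    (www.sina.* also matches www.sina.com.example.net).
    """
    flagged = []
    for alt in _alternatives(pattern):
        bare = alt.strip("*.") == ""
        unanchored_prefix = alt.startswith("*") and not alt.startswith("*.")
        open_suffix = alt.endswith("*")
        if bare or unanchored_prefix or open_suffix:
            flagged.append(alt)
    return flagged


if __name__ == "__main__":
    # sports/news.sina.com come from the page; the other hosts are constructed.
    hosts = ["sports.sina.com", "news.sina.com", "sina.com",
             "notsina.com", "sina.com.example.net"]
    for pattern in ("*.sina.com", "*sina.com"):
        matched = [h for h in hosts if site_matches(pattern, h)]
        print(pattern, "->", matched)
    print("review:", overbroad_alternatives("*.sina.com|*sina.com|www.sina.*"))
```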

    Configuring TCP Services

    Configuring remote access service

    Remote access service is a set of services. When the user logs in to the SSL VPN system, the ActiveX SSL VPN client is downloaded and started automatically. SSL VPN uses the SSL encryption technology to encrypt data that was formerly transmitted on the Internet in plain text, ensuring the security of data transmission.

    Select Resource > TCP Application from the navigation tree to enter the remote access service configuration page. Click Add to enter the page for adding a remote access service resource.

    Figure 14 Add a remote access service resource page

    The format of the command line configuration is telnet local host, where local host must be the same as that in the Local Host text box. The local host specifies the local listening port. It can be a local loopback address in the range of 127.0.0.2 to 127.0.0.254 or a character string when the host file is configurable.

    After the remote access service resource is created successfully, the remote access service list page appears.

    Figure 15 Remote access service resource list

    Configuring Windows Desktop Sharing Service

    Select Resource > TCP Application from the navigation tree and then select the Desktop Sharing tab to enter the desktop sharing configuration page. Then click Add to create desktop sharing resources.


    Figure 16 Add a Windows desktop sharing resource

    After the desktop sharing resource is created successfully, the desktop sharing resource list page appears.

    Figure 17 Desktop sharing resource list

    For configuration examples of the TCP applications of Outlook mail service, Notes mail service, and other TCP services, refer to H3C SSL VPN Configuration Examples.

    Configuring IP Services

    SSL VPN supports accessing all applications above the IP layer. After you assign specific resources to a user, the user can simply log into SSL VPN to access the resources, without considering the type and configuration of the application. The ActiveX SSL VPN client program will be automatically downloaded and started up. SSL VPN ensures the client-server communication security.

    Configuring global settings

    Select Resource > IP Network from the navigation tree to enter the global IP network configuration page.

    The global configuration page of the SecBlade SSL VPN is shown below.

    Figure 18 Global configuration

    Table 1 describes the global configuration items.

    Table 1 Global configuration items

    Item                                        Description
    Start IP                                    Required. Specify the start IP address of the network segment that can be assigned to the client’s virtual network card.
    End IP                                      Required. Specify the end IP address of the network segment that can be assigned to the client’s virtual network card.
    Subnet Mask                                 Required. Specify the subnet mask of the virtual network cards’ IP address.
    Gateway IP                                  Required. IP address of the default gateway.
    Heartbeat Interval                          Required. Set the interval for sending heartbeat packets to the gateway. Failing to send a heartbeat packet indicates that the network is disconnected.
    Client Reachable                            Required. Enable/disable the communication between different clients.
    WINS Address                                Optional. Type the WINS server address of the internal server cluster for domain name resolution.
    DNS Address                                 Optional. Type the DNS server address for domain name resolution.
    Access only VPN                             Optional. After enabling the IP network access service, select this check box to allow users to access the VPN only. If the check box is not selected, users are allowed to visit both the Internet and the VPN.
    User Page's Network Segments Display Type   Optional. Display the user network service as description information or an IP address.

    The global configuration page of the SecPath SSL VPN is shown below.

    Figure 19 Global configuration

    Table 2 describes the global configuration items.

    Table 2 Global configuration items

    Item                       Description
    Start IP                   Required. Specify the start IP address of the network segment that can be assigned to the client’s virtual network card.
    End IP                     Required. Specify the end IP address of the network segment that can be assigned to the client’s virtual network card.
    Subnet Mask                Required. Specify the subnet mask of the virtual network cards’ IP address.
    Gateway IP                 Required. IP address of the virtual gateway.
    Internal Interfaces        Required. Specify the interface of the gateway that connects to the internal network. With the internal interface and auto NAT configured, NAT configuration is performed on the internal interface automatically and you do not need to specify the static routes on the other internal network devices to the virtual network segment.
    Heartbeat Interval         Required. Set the interval for sending heartbeat packets to the gateway. Failing to send a heartbeat packet indicates that the network is disconnected.
    Client Reachable           Required. Enable/disable the communication between different clients.
    WINS Server                Optional. Type the WINS server address of the internal server cluster for domain name resolution.
    DNS Server                 Optional. Type the DNS server address for domain name resolution.
    Access VPN Only            Optional. After selecting to enable the IP network access service, select whether to allow the user to access only the VPN. If the check box is not selected, users are allowed to visit both the Internet and the VPN.
    Auto NAT                   Optional. Enable or disable automatic NAT on the internal network interface.
    IP Networks Display Mode   Optional. Display the user network service as description information or an IP address.


    Configuring a host resource

    Select Resource > IP Network from the navigation tree and then select the Host Configuration tab to enter the host configuration page. Click Add and the page as shown in Figure 20 appears. Configure the resource name and then the configuration items in the Accessible Network Service and Shortcut tab pages. Click Apply.

    Figure 20 Configure accessible network service

    Figure 21 Create shortcuts

    Each time you make a configuration in the Editing Area of either tab page, click Add to save it. Shortcuts for ping, FTP, and file sharing operations can be created for IP services.

    Configuring Resources

    Configuring a resource group

    Select Resource > Resource Group to enter the resource group configuration page. Click Add to create a new resource group.

    Type Web as the group name, and add the resource tech to the group. Type tcp as the group name, and add the resources telnet110 and remote_desktop to the group. Type ip as the group name, and add the resource tech_ip to the group.

    Click Apply.

    Figure 22 Create the resource group web


    Figure 23 Create the resource group tcp

    Figure 24 Create the resource group ip

    After the resource groups are created successfully, the following page appears.


    Figure 25 Resource group list

    Configuring Users

    Creating a user

    Select User > Local User to enter the local user configuration page. Create a local user with the account name svpn, specify the password for the user, and assign the user to an existing user group.

    Figure 26 Create a local user


    After the user is created successfully, the user list page appears.

    Figure 27 Local user list

    Creating a user group and assigning resource groups to the user group

    Select User > User Group to enter the user group configuration page. Click Add to create a new user group.

    Type usergroup as the group name. Add the user svpn to the user group. Assign the resource groups web, tcp, and ip to the user group.

    Click Apply.

    Figure 28 Create a user group

    Then the user svpn in the user group usergroup can access the resources in the resource groups web, tcp, and ip.

    Saving configuration file

    As a domain administrator, after completing the configuration of resources, resource groups, users, and user groups, you need to save the configuration. If not, the configuration will be lost after system reboot. To save the configuration, select Domain > Configuration Management, and on the page click Save.

    Figure 29 Save the configuration

    Logging in as an SSL VPN User

    Verification on the Web service configuration

    1) Log in to the SSL VPN system as an SSL VPN user.

    On the login page, type the username svpn and its password (configured by the domain administrator), and click Login to log in to the system as user svpn.

    2) The accessible Web resources for the user svpn are listed on the page.

    Figure 30 Accessible Web resources

    3) Visit the Web proxy service.

    To visit the website tech, click the tech link and the corresponding page appears with the URL being https://155.1.1.1/sslvpn/proxy/1275152384/.

    Verification on the TCP service configuration

    1) The TCP client is enabled automatically after the user svpn logs in to the SSL VPN system. The icon appears in the system tray and you can double-click the icon to open the client.

    Figure 31 TCP access information


    2) Click Information to open the page displaying the port status.

    Figure 32 TCP listing ports

    3) You can click TCP Applications in the navigation tree to view the TCP resources accessible to you.

    Figure 33 TCP resources

    4) Click telnet110 in the TCP application list and you can successfully telnet to a device.

    Figure 34 Telnet a device


    Verification on the IP service configuration

    1) The IP client is enabled automatically after you log in as user svpn to the SSL VPN system. The icon appears in the system tray and you can double-click the icon to open the client and view the IP access information.

    Figure 35 IP access information

    2) You can click IP Networks in the navigation tree to view the resources accessible to you.

    Figure 36 Accessible resources and shortcuts

    3) Click the shortcut ping h3c-security and you can ping the device successfully.


    Figure 37 Ping operation

    4) Click the shortcut ftp h3c-security and you can access the FTP server through FTP successfully.

    Figure 38 Access the FTP server through FTP

    5) Check whether an IP address is obtained for the virtual network card and whether an entry of a route to the destination resource is added to the routing table.

    Figure 39 IP address of the virtual network card


    Figure 40 Route to the destination IP resource

    References

    H3C SecPath SSL VPN Administrator Manual

    H3C SecPath SSL VPN User Manual

    H3C SSL VPN Configuration Examples

    Super Administrator Manual, Administrator Manual, and User Manual in H3C SecBlade SSL VPN Card User Manual

    Copyright © 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

    No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

    The information in this document is subject to change without notice.
