
Step-by-Step Configuration of H3C SSL VPN

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/30


Keywords: SSL, VPN, HTTPS, Web, TCP, IP

Abstract: This document describes the SSL VPN features, provides an application guide, and gives a configuration example.

Acronyms:

SSL: Secure Sockets Layer
VPN: Virtual Private Network
HTTPS: Hypertext Transfer Protocol Secure
TCP: Transmission Control Protocol
IP: Internet Protocol


Table of Contents

Overview
    Features
    Benefits
Application Guide
    Application Scenarios
    Network Requirements
    Configuration Procedure
        CLI Configuration on SSL VPN
        Configuration on Super Administrator Web Page (Supported by SecBlade SSL VPN Only)
        Configuration on Domain Administrator Web Page
        Configuration on SSL VPN User Web Page
Configuration Example
    Network Diagram
    SSL VPN CLI Configuration
        SecBlade SSL VPN CLI Configuration
        SecPath SSL VPN CLI Configuration
    SSL VPN Function Configuration
        Logging in to the SSL VPN System
        Configuring Web Services
        Configuring TCP Services
        Configuring IP Services
        Configuring Resources
        Configuring Users
        Logging in as an SSL VPN User
References


Overview

The H3C Secure Sockets Layer (SSL) Virtual Private Network (VPN) system falls into two categories: H3C SecPath SSL VPN and H3C SecBlade SSL VPN. The configuration in this document applies to both categories unless otherwise noted.

Features

Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols, ensuring confidentiality and reliability. The SSL protocol consists of the handshake protocol, the record protocol, and the alert protocol.

As VPN is much cheaper and more flexible to use than leased lines, more and more companies are establishing VPNs over public networks such as the Internet, so as to allow employees working at home or traveling on business, employees of branch offices, and partners to access the internal networks.

SSL VPN is an emerging VPN technology based on Secure HTTP (HTTPS, that is, SSL-supported HTTP). It works between the transport layer and the application layer, and can establish secure connections for communications at the application layer. SSL VPN has been widely used for secure, remote Web-based access.

SSL VPN is used for granular access control of network resources. It supports three resource access methods: Web access, TCP access, and IP access. Using role-based right management, SSL VPN can restrict user access to resources according to user identity. In addition, it incorporates the user host security checking feature, implementing dynamic user access rights assignment. SSL VPN gateways support Web management. An administrator can configure and manage the SSL VPN system through a Web browser.

H3C SSL VPN is a secure VPN system based on SSL connections. It allows mobile employees to access corporate networks remotely in an easy and secure way. The H3C SSL VPN devices are a new generation of professional SSL VPN devices for enterprises. They can function as ingress gateways as well as proxy gateways of internal server clusters. The SecPath SSL VPN devices are for small- to medium-sized enterprises, while the SecBlade SSL VPN devices are for medium-sized enterprises.

Benefits

Compared with conventional VPNs, SSL VPN provides high security and more granular security control. Requiring no user configuration and no client installation, it is simple to deploy and very easy to use.


Application Guide

Application Scenarios

With the popularity of SOHO and mobile offices, the structure of applications is shifting from client/server (C/S) to Web-based browser/server (B/S). SSL VPN helps employees, customers, and partners access the intranet and internal applications remotely in an easy and secure way.

Network Requirements

In two-arm mode, the SSL VPN acts as an ingress gateway between the intranet and the Internet, protecting the intranet. Because it sits on the critical path for communication between the two, its performance and stability have a large impact on data transfer. Figure 1 shows the network diagram for SSL VPN in two-arm mode.

Figure 1 Network diagram for SSL VPN in two-arm mode (diagram not reproduced; labels shown: Mobile user and Desktop PC user on the Internet, IP network, SSL VPN gateway between the Internet and the LAN, Intranet with Authentication servers, CA server, and Log server)

In one-arm mode, the SSL VPN functions as a proxy gateway that processes the packets between the internal servers and the external network. It is not located on the critical communication path, and thus does not introduce a single point of failure. Figure 2 shows the network diagram for SSL VPN in one-arm mode.


Figure 2 Network diagram for SSL VPN in one-arm mode (diagram not reproduced; labels shown: Mobile user and Desktop PC user on the Internet, IP network, SSL VPN gateway attached to the LAN, Intranet with Authentication servers, CA server, and Log server)

Configuration Procedure

CLI Configuration on SSL VPN

Perform the following configuration on the SSL VPN:

1) Enable the Web server.

2) Enable the SSL VPN services.

By default, the Web server and SSL VPN services are enabled on the SSL VPN system, so you do not need to perform this configuration manually.

Configuration on Super Administrator Web Page (Supported by SecBlade SSL VPN Only)

Super administrator: Managers of the entire system. A super administrator can create domains, initialize the administrator passwords of domains, assign resource groups to domains, and specify whether a domain administrator can create new resources.

Configuration on Domain Administrator Web Page

Domain administrator: Managers of SSL VPN domains. A domain administrator can create and delete local users, user groups, resources, resource groups, and security policies for the domain, controlling the access rights of users in the domain.

Configuration on SSL VPN User Web Page

SSL VPN user: Users accessing network resources through the SSL VPN system. An SSL VPN user must pass authentication to log into the SSL VPN system. After authentication, an SSL VPN user can access the SSL VPN gateway, and the SSL VPN system will assign the user access rights based on the security status of the user and the user group to which the user belongs.


The Web page operation steps will be detailed in the configuration example later.

H3C SecBlade SSL VPN defines three roles: super administrator, domain administrator, and SSL VPN user. Figure 3 depicts the relationships between administrators, users, user groups, resources, and resource groups.

Figure 3 Details between roles and resources

There is a default domain of the system called root domain. All users in the root domain are super administrators, whose responsibilities include managing devices, creating common domains, creating resources, and assigning resources to common domains. In addition, the super administrators can specify whether a domain administrator can create new resources. (Supported by SecBlade SSL VPN only)

The domain administrators create and maintain local users, user groups, resources, and resource groups. One resource can be assigned to multiple resource groups, and one resource group can contain multiple resources; the same applies to users and user groups. Assigning resource groups to user groups defines which resources the users in those groups can visit. Similarly, one resource group can be assigned to multiple user groups, and one user group can contain multiple resource groups.


The root domain and super administrator configuration is only supported on the SecBlade SSL VPN.

SecPath SSL VPN supports only one domain while SecBlade SSL VPN supports multiple domains. For the maximum number of common domains, refer to the product specifications.

At present, SecBlade SSL VPN devices have three models, applicable to S7500E/S9500 switches and SR6600 routers. The difference is that the SSL VPN card for S7500E switches uses four GE interfaces to communicate with the S7500E backplane, while that for S9500/SR6600 uses one 10-GE interface to communicate with the S9500/SR6600 backplane. Software functions of the two models have no differences. The following SecBlade SSL VPN related sections all take the SSL VPN card for S7500E as an example.

Configuration Example

Network Diagram

Figure 4 Network diagram for configuring SecBlade SSL VPN in one-arm mode


Figure 5 Network diagram for configuring SecPath SSL VPN in two-arm mode

SSL VPN CLI Configuration

SecBlade SSL VPN CLI Configuration

Configuration on S7500E

```
[S7503E]vlan 100    //*Perform the port configuration according to Figure 4.*//
[S7503E-vlan100]port GigabitEthernet 3/0/1
[S7503E-vlan100]port GigabitEthernet 4/0/1
[S7503E-vlan100]quit
[S7503E]interface vlan 100
[S7503E-Vlan-interface100]ip address 172.1.1.3 24
[S7503E-Vlan-interface100]quit
[S7503E]vlan 200
[S7503E-vlan200]port GigabitEthernet 4/0/13
[S7503E-vlan200]quit
[S7503E]interface vlan 200
[S7503E-Vlan-interface200]ip address 172.2.1.1 24
[S7503E-Vlan-interface200]quit
[S7503E]ip route-static 10.5.1.0 24 172.1.1.2    //*Configure a static route from the internal network to the virtual network segment, specifying the SSL VPN card as the next hop.*//
[S7503E]ip route-static 0.0.0.0 0 172.1.1.1    //*Configure a default route to the external network.*//
[S7503E]ip route-static 192.168.0.0 16 172.2.1.2
[S7503E]ip route-static 10.0.0.0 8 172.2.1.2
[S7503E]interface GigabitEthernet 3/0/1
[S7503E-GigabitEthernet3/0/1]speed 1000
[S7503E-GigabitEthernet3/0/1]duplex full    //*Configure the interface connected to the backplane to work in forced mode and make sure the interface is up.*//
[S7503E-GigabitEthernet3/0/1]quit
```

Configuration on the SecBlade SSL VPN

```
[H3C]interface GigabitEthernet 0/0/0
[H3C-GigabitEthernet0/0/0]ip address 172.1.1.2 24
[H3C-GigabitEthernet0/0/0]quit
[H3C]ip route-static 0.0.0.0 0 172.1.1.3
[H3C]ntp-service unicast-server 172.1.1.3    //*Specify the NTP server. The SSL VPN card does not support a local clock and the device time defaults to the year 2000, so without this configuration the certificate will expire.*//
```

Routing Configuration on the NAT-in Node

```
[H3C]ip route-static 10.5.1.0 24 172.2.1.1    //*Configure a route to the virtual network segment.*//
[H3C]ip route-static 172.1.1.0 24 172.2.1.1
```

Service configuration on the SecBlade SSL VPN

```
[H3C] svpn service enable    //*Enable the SSL VPN services*//
[H3C] web server enable    //*Enable the Web server*//
```

By default, the Web server and SSL VPN services are enabled on the SSL VPN system, so you do not need to perform this configuration manually.

The SecBlade SSL VPN is applicable for S7500E/S9500 switches and SR6600 routers, and typically resides on the internal network, thus one-arm mode is adopted.

If no NAT-IN node is present, you need to perform route configurations on the nodes in the internal network to ensure that there are routes to the virtual network segment (10.5.1.0/24).

The above configuration of the GE interface of the SecBlade SSL VPN for S7500E also applies to the 10-GE interface of the SecBlade SSL VPN for S9500/SR6600.

SecPath SSL VPN CLI Configuration

Basic Configuration

```
[H3C] interface Ethernet0/0
[H3C-Ethernet0/0] ip address 192.168.96.22 255.255.255.0
[H3C-Ethernet0/0] quit
[H3C] interface Ethernet0/1
[H3C-Ethernet0/1] ip address 155.1.1.1 255.0.0.0
[H3C-Ethernet0/1] quit
[H3C] ip route-static 0.0.0.0 0 155.1.1.1 preference 60
```


SVPN Configuration

```
[H3C] svpn service enable    //*Enable the SSL VPN services*//
[H3C] web server enable    //*Enable the Web server*//
```

Note that the Web server and SSL VPN service are started on the SSL VPN system by default, so you do not need to perform this configuration manually.

SSL VPN Function Configuration

Logging in to the SSL VPN System

Logging in as a super administrator (supported on SecBlade SSL VPN only)

1) In the address bar, type https://155.1.1.1:444 where 155.1.1.1:444 is the address of the SSL VPN interface that connects to the external network. Press Enter to enter the SSL VPN login page. Note that the security alert dialog box as shown in Figure 6 will appear. In this case, select Yes.

Figure 6 Security alert

Use the default super administrator account "administrator" to log in to the SSL VPN system with the local authentication method. Type administrator in the username and password text boxes, select Super administrator from the Identity drop-down list, and click Login, as shown in Figure 7.


Figure 7 SSL VPN login page

2) Create domain h3c and initialize the password of the domain administrator.

Select Domain from the navigation tree to enter the domain policy configuration page. Click Add to enter the page for creating a domain and click Configure to edit the existing domains.

Figure 8 Create a domain policy

Creating domain h3c also creates a default domain administrator with the account name administrator. Specify the password for the default domain administrator, 123456 in this example. On this page, you can also configure the timeout as 30 minutes and the maximum number of concurrent online users as 100. In the Authorized Resource area, you can assign existing resource groups to the domain and specify whether the domain administrator is allowed to add resources.


3) After completing the configuration, select Domain > Configuration Management to enter the configuration management page. Click Save to save your configuration, otherwise, the configuration will be lost after system reboot.

Figure 9 Configuration management

For the same purpose, a domain administrator should go to the configuration management page to save the configuration that has been made.

Logging in as a domain administrator

The following describes configurations in a common domain.

1) Log in to the SecBlade SSL VPN system as a domain administrator.

Type https://155.1.1.1:444 (the same address as the super administrator's login page) in the address bar. On the login page, type the username administrator and the password 1234567 configured by the super administrator, select Administrator from the Identity drop-down list, and then click Login to enter domain h3c of the SSL VPN system using local authentication.

Figure 10 Login page for a domain administrator


In a domain, users that belong to the administrators group are the administrators of the domain. A domain administrator is also a common user. If you are a domain administrator but log in as a common user, you enter the interface for common users, but the resources that you can access are those specified for the administrators group.

2) Log in to the SecPath SSL VPN system as a domain administrator.

Enter https://155.1.1.1/admin in the address bar to enter the login page. Type the default domain administrator username and password, which are both administrator, and click Login.

Figure 11 Log in as a domain administrator

Configuring Web Services

Configuring Web proxy service

A remote Web server provides services through Web pages. SSL VPN provides secure links between users and the Web servers and can block access from unauthorized users.

Select Resource > Web Site from the navigation tree to enter the Web proxy configuration page. Click Add to enter the page for creating Web proxy server resources.


Figure 12 Create a Web proxy server resource

The Website Name can be an IP address or a domain name. When a domain name is configured, configure a DNS server through command lines.

The Site Matching Pattern supports fuzzy matching. Use asterisks (*) for fuzzy matching and vertical bars (|) to separate matching conditions. For example, to cover the Web pages of both sports.sina.com and news.sina.com, you can type just *.sina.com in the text box.
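The following Python matcher is an added example, not code from the H3C document: it shows how a Site Matching Pattern such as *.sina.com decides which host names a Web proxy resource covers, and flags patterns that would cover every site. The exact semantics are assumed (each |-separated condition must match the whole host name, * matches any run of characters, matching is case-insensitive), since the document only describes them informally.

```python
import re


def compile_site_pattern(pattern):
    """Turn a Site Matching Pattern into an anchored, case-insensitive regex.

    Assumed semantics: conditions are separated by '|', '*' matches any run
    of characters, every other character is literal, and the whole host name
    must match at least one condition.
    """
    conditions = [c.strip() for c in pattern.split("|") if c.strip()]
    if not conditions:
        raise ValueError("pattern has no conditions")
    alternatives = []
    for cond in conditions:
        # Escape the literal text so dots stay dots, then expand '*' to '.*'.
        parts = [re.escape(p) for p in cond.split("*")]
        alternatives.append(".*".join(parts))
    # Anchor both ends: an unanchored '.*\.sina\.com' would also accept
    # 'news.sina.com.example.net', i.e. a host outside the intended site.
    return re.compile(r"^(?:" + "|".join(alternatives) + r")$", re.IGNORECASE)


def host_matches(pattern, host):
    """True if the requested host name is covered by the resource's pattern."""
    return compile_site_pattern(pattern).fullmatch(host.strip()) is not None


def pattern_is_overly_broad(pattern):
    """Flag conditions that collapse to 'anything' (for example '*' or '*.*').

    A resource with such a pattern proxies every site the gateway can reach,
    which defeats the granular access control the Web proxy is meant to give.
    """
    for cond in pattern.split("|"):
        if cond.strip().replace("*", "").replace(".", "") == "":
            return True
    return False
```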

After the resource is created successfully, the Web proxy server list as shown below appears.

Figure 13 Web proxy server list

Configuring TCP Services

Configuring remote access service

Remote access service is a set of services. When the user logs in to the SSL VPN system, the ActiveX SSL VPN client is downloaded and started automatically. SSL VPN uses SSL encryption to protect data that would otherwise be transmitted on the Internet in plain text, ensuring the security of data transmission.

Select Resource > TCP Application from the navigation tree to enter the remote access service configuration page. Click Add to enter the page for adding a remote access service resource.

Figure 14 Add a remote access service resource page

The command line format is telnet local host, where local host must be the same as the value in the Local Host text box. The local host specifies the local listening port. It can be a local loopback address in the range 127.0.0.2 to 127.0.0.254, or a character string when the hosts file is configurable.

After the remote access service resource is created successfully, the remote access service list page appears.

Figure 15 Remote access service resource list

Configuring Windows Desktop Sharing Service

Select Resource > TCP Application from the navigation tree and then select the Desktop Sharing tab to enter the desktop sharing configuration page. Then click Add to create desktop sharing resources.


Figure 16 Add a Windows desktop sharing resource

After the desktop sharing resource is created successfully, the desktop sharing resource list page appears.

Figure 17 Desktop sharing resource list

For configuration examples of other TCP applications, such as the Outlook mail service and the Notes mail service, refer to H3C SSL VPN Configuration Examples.

Configuring IP Services

SSL VPN supports accessing all applications above the IP layer. After you assign specific resources to a user, the user can simply log into SSL VPN to access the resources, without considering the type and configuration of the application. The ActiveX SSL VPN client program will be automatically downloaded and started up. SSL VPN ensures the client-server communication security.

Configuring global settings

Select Resource > IP Network from the navigation tree to enter the global IP network configuration page.


The global configuration page of the SecBlade SSL VPN is shown below.

Figure 18 Global configuration

Table 1 describes the global configuration items.

Table 1 Global configuration items (SecBlade SSL VPN)

Start IP (required): Specify the start IP address of the network segment that can be assigned to the client's virtual network card.

End IP (required): Specify the end IP address of the network segment that can be assigned to the client's virtual network card.

Subnet Mask (required): Specify the subnet mask of the virtual network cards' IP addresses.

Gateway IP (required): IP address of the default gateway.

Heartbeat Interval (required): Set the interval for sending heartbeat packets to the gateway. Failing to send a heartbeat packet indicates that the network is disconnected.

Client Reachable (required): Enable or disable communication between different clients.

WINS Address (optional): Type the WINS server address of the internal server cluster for domain name resolution.

DNS Address (optional): Type the DNS server address for domain name resolution.

Access only VPN (optional): After enabling the IP network access service, select this check box to allow users to access the VPN only. If the check box is not selected, users can access both the Internet and the VPN.

User Page's Network Segments Display Type (optional): Display the user network service as description information or as an IP address.

The global configuration page of the SecPath SSL VPN is shown below.

Figure 19 Global configuration


Table 2 describes the global configuration items.

Table 2 Global configuration items (SecPath SSL VPN)

Start IP (required): Specify the start IP address of the network segment that can be assigned to the client's virtual network card.

End IP (required): Specify the end IP address of the network segment that can be assigned to the client's virtual network card.

Subnet Mask (required): Specify the subnet mask of the virtual network cards' IP addresses.

Gateway IP (required): IP address of the virtual gateway.

Internal Interfaces (required): Specify the interface of the gateway that connects to the internal network. With the internal interface and auto NAT configured, NAT is performed on the internal interface automatically, and you do not need to configure static routes to the virtual network segment on the other internal network devices.

Heartbeat Interval (required): Set the interval for sending heartbeat packets to the gateway. Failing to send a heartbeat packet indicates that the network is disconnected.

Client Reachable (required): Enable or disable communication between different clients.

WINS Server (optional): Type the WINS server address of the internal server cluster for domain name resolution.

DNS Server (optional): Type the DNS server address for domain name resolution.

Access VPN Only (optional): After enabling the IP network access service, select whether to allow users to access only the VPN. If the check box is not selected, users can access both the Internet and the VPN.

Auto NAT (optional): Enable or disable automatic NAT on the internal network interface.

IP Networks Display Mode (optional): Display the user network service as description information or as an IP address.


Configuring a host resource

Select Resource > IP Network from the navigation tree and then select the Host Configuration tab to enter the host configuration page. Click Add and the page as shown in Figure 20 appears. Configure the resource name and then the configuration items in the Accessible Network Service and Shortcut tab pages. Click Apply.

Figure 20 Configure accessible network service

Figure 21 Create shortcuts


Each time you finish a configuration in the Editing Area of either tab page, click Add to save it. Shortcuts for ping, FTP, and file sharing operations can be created for IP services.

Configuring Resources

Configuring a resource group

Select Resource > Resource Group to enter the resource group configuration page. Click Add to create a new resource group.

Type Web as the group name, and add the resource tech to the group. Type tcp as the group name, and add the resources telnet110 and remote_desktop to the group. Type ip as the group name, and add the resource tech_ip to the group.

Click Apply.

Figure 22 Create the resource group web


Figure 23 Create the resource group tcp

Figure 24 Create the resource group ip

After the resource groups are created successfully, the following page appears.


Figure 25 Resource group list

Configuring Users

Creating a user

Select User > Local User to enter the local user configuration page. Create a local user with the account name svpn, specify the password for the user, and assign the user to an existing user group.

Figure 26 Create a local user


After the user is created successfully, the user list page appears.

Figure 27 Local user list

Creating a user group and assigning resource groups to the user group

Select User > User Group to enter the user group configuration page. Click Add to create a new user group.

Type usergroup as the group name. Add the user svpn to the user group. Assign the resource groups web, tcp, and ip to the user group.

Click Apply.

Figure 28 Create a user group


The user svpn in the user group usergroup can now access the resources in the resource groups web, tcp, and ip.

Saving configuration file

As a domain administrator, after completing the configuration of resources, resource groups, users, and user groups, you must save the configuration; otherwise it is lost after a system reboot. To save the configuration, select Domain > Configuration Management and click Save on that page.

Figure 29 Save the configuration

Logging in as an SSL VPN User

Verification on the Web service configuration

1) Log in to the SSL VPN system as an SSL VPN user.

On the login page, type the username svpn and its password (configured by the domain administrator), and click Login to log in to the system as user svpn.

2) The accessible Web resources for the user svpn are listed on the page.

Figure 30 Accessible Web resources

3) Visit the Web proxy service.


To visit the website tech, click the tech link. The corresponding page appears with the URL https://155.1.1.1/sslvpn/proxy/1275152384/: the browser talks only to the SSL VPN gateway, which fetches the internal page on the user's behalf and serves it under its own address.

Verification on the TCP service configuration

1) The TCP client starts automatically after the user svpn logs in to the SSL VPN system. Its icon appears in the system tray; double-click the icon to open the client.

Figure 31 TCP access information


2) Click Information to open the page displaying the port status.

Figure 32 TCP listening ports

3) Click TCP Applications in the navigation tree to view the TCP resources accessible to you.

Figure 33 TCP resources

4) Click telnet110 in the TCP application list to telnet to the device. Note that the SSL protection covers only the leg between the client and the SSL VPN gateway; between the gateway and the device the Telnet session travels in cleartext on the internal network.

Figure 34 Telnet a device


Verification on the IP service configuration

1) The IP client starts automatically after you log in to the SSL VPN system as user svpn. Its icon appears in the system tray; double-click the icon to open the client and view the IP access information.

Figure 35 IP access information

2) Click IP Networks in the navigation tree to view the resources accessible to you.

Figure 36 Accessible resources and shortcuts

3) Click the shortcut ping h3c-security and you can ping the device successfully.


Figure 37 Ping operation

4) Click the shortcut ftp h3c-security and you can access the FTP server through FTP successfully.

Figure 38 Access the FTP server through FTP

5) Check that the virtual network card has obtained an IP address and that a route to the destination resource has been added to the routing table.

Figure 39 IP address of the virtual network card


Figure 40 Route to the destination IP resource
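As an added example (not from the H3C manuals and not the client's own check), the following Python script performs step 5 against the routing table rather than by eye, and also makes visible the effect of the "access only the VPN" setting described under the IP network access service: it parses the IPv4 section of Windows route print output, confirms that the virtual adapter's host route exists, checks that the destination resource is routed through that adapter, and reports whether a default route still leaves through the physical adapter (split tunneling). The route table text, the addresses 10.10.10.5, 10.1.1.50 and 192.168.1.10, and the assumption that "VPN only" shows up as a better-metric default route via the virtual adapter are constructed assumptions; the page does not document how the H3C client enforces that setting.

```python
"""Verify an SSL VPN client's routing state after login.

Added example, not H3C code. Parses the IPv4 section of Windows
``route print`` output and answers three questions a practitioner asks after
connecting: is the virtual adapter up, is the resource reached through it,
and is split tunneling in effect?
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str                      # next-hop address, or "On-link"
    interface: ipaddress.IPv4Address  # address of the adapter the route uses
    metric: int


# Constructed sample, not captured from a real client. 10.10.10.5 stands for
# the SSL VPN virtual adapter, 10.1.1.0/24 for the internal network holding
# the destination resource, 192.168.1.10 for the physical LAN adapter.
SPLIT_TUNNEL_TABLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     25
         10.1.1.0    255.255.255.0          On-link      10.10.10.5     26
       10.10.10.5  255.255.255.255          On-link      10.10.10.5    281
        127.0.0.0        255.0.0.0          On-link       127.0.0.1    331
      192.168.1.0    255.255.255.0          On-link    192.168.1.10    281
===========================================================================
"""

# Same host after a login where the client forces all traffic into the tunnel.
# Assumption: this appears as a better-metric default route via the virtual adapter.
FULL_TUNNEL_TABLE = SPLIT_TUNNEL_TABLE.replace(
    "Active Routes:\n",
    "Active Routes:\n"
    "          0.0.0.0          0.0.0.0          On-link      10.10.10.5      1\n",
)

_ROUTE_LINE = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$"
)


def parse_route_print(text: str) -> List[Route]:
    """Return the IPv4 routes in ``route print`` output; headers and separators are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = _ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append(Route(
            ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            gateway,
            ipaddress.IPv4Address(iface),
            int(metric),
        ))
    return routes


def best_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def tunnel_status(routes: List[Route], vnic_ip: str, resource_ip: str) -> Dict[str, bool]:
    """Report whether the tunnel is up, carries the resource, and leaves Internet traffic outside it."""
    vnic = ipaddress.IPv4Address(vnic_ip)
    vnic_up = any(r.network == ipaddress.IPv4Network(f"{vnic}/32") for r in routes)
    resource = best_route(routes, resource_ip)
    # Where a public address would be sent shows whether Internet traffic bypasses the VPN.
    # 203.0.113.10 is a documentation (TEST-NET-3) address used only as a probe.
    default = best_route(routes, "203.0.113.10")
    return {
        "vnic_up": vnic_up,
        "resource_via_tunnel": resource is not None and resource.interface == vnic,
        "split_tunnel": default is not None and default.interface != vnic,
    }


if __name__ == "__main__":
    for name, table in (("split tunnel", SPLIT_TUNNEL_TABLE), ("full tunnel", FULL_TUNNEL_TABLE)):
        status = tunnel_status(parse_route_print(table), "10.10.10.5", "10.1.1.50")
        print(f"{name}: {status}")
```

On a real client, feed the script the text of `route print -4` and pass the address shown in Figure 39 as the virtual adapter; a result of `resource_via_tunnel: False` means the route of step 5 was not installed, and `split_tunnel: True` means the "access only the VPN" check box was left clear for this user.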

References

H3C SecPath SSL VPN Administrator Manual

H3C SecPath SSL VPN User Manual

H3C SSL VPN Configuration Examples

Super Administrator Manual, Administrator Manual, and User Manual in H3C SecBlade SSL VPN Card User Manual

Copyright © 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.