Configuring a SCVPN

This section describes how to configure a SCVPN server.

Creating a SCVPN Instance

To create a SCVPN instance, take the following steps:

  1. On the Navigation pane, click Configure > Network > SSL VPN to visit the SSL VPN page.
  2. Click New or click Create a SSL VPN on the Task tab in the right auxiliary pane.
  3. In the Welcome page of the SSL VPN Configuration dialog, type the name of the SSL VPN instance into the SSL VPN name box.
  4. Click Next. In the User page, specify the AAA server that is used for user authentication.
    1. Select an AAA server from the AAA server drop-down list.
    2. Type the domain name into the Domain box. The domain name is used to distinguish the AAA server.
    3. Click Add.
    4. Repeat the above steps to add more AAA servers. To delete an AAA server, select the AAA server you want to delete from the list, and click Delete.
  5. Click Next. In the Interface page, configure the SCVPN server interface, tunnel interface, and address pool.
    Option Description
    Access interface

    Specifies the SCVPN server interface. This interface is used to listen to the request from SCVPN client. The options are:

    • Interface 1: Select the interface from the drop-down list.
    • Interface 2: Select the interface from the drop-down list. This interface is needed when the optimal path detection function is enabled.
    • Service port: Specifies the SCVPN service port number.
    Tunnel interface and address pool

    Tunnel interface

    Specifies the tunnel interface used to bind to the SCVPN tunnel. Tunnel interface transmits traffic to/from SCVPN tunnel. The options are:

    • Tunnel interface: Use one of the following ways to specify the tunnel interface:
      • Select the configured tunnel interface from the drop-down list.
      • Click New from the drop-down list, and in the Interface Configuration dialog, configure a new tunnel interface.
      • Select a configured tunnel interface from the drop-down list, and then click Modify to edit the selected tunnel interface in the Interface Configuration dialog.
      For more information about creating/editing tunnel interfaces, see Configuring an Interface.
    • Zone: Shows the zone of the selected tunnel interface.
    • IP address: Shows the IP address of the selected tunnel interface.
    • Netmask: Shows the netmask of the selected tunnel interface.
    Address pool

    Specifies the SCVPN address pool. The options are:

    • Address pool: Use one of the following ways to specify the address pool:
      • Select a configured address pool from the drop-down list.
      • Select New from the drop-down list, and in the Address Pool Configuration dialog, create a new address pool.
      • Select a configured address pool from the drop-down list, and then click Modify to edit the selected address pool in the Address Pool Configuration dialog.

      For more information about creating/editing address pools, see Configuring a SCVPN Address Pool.

    • Start IP: Shows the start IP of the selected address pool.
    • End IP: Shows the end IP of the selected address pool.
    • Netmask: Shows the netmask of the selected address pool.
  6. Click Next. In the Policy/Route page, configure the policy rules and tunnel routes.
    Option Description
    Policy: Select the policy rules to be created. The policy rules in the list are created by the system automatically. You can also create or edit the policy rules in the Policy page (Configure > Security > Policy). For more information about policy rules, see Configuring a Policy Rule.
    Tunnel route

    Specifies the routes from SCVPN tunnel to the specific network segments. SCVPN clients access the specified network segments through the routes assigned by SCVPN server. Take the following steps:

    1. Type the destination IP address, the netmask of the destination IP address, and the metric value into the IP, Netmask, and Metric boxes respectively.
    2. Click Add.
    3. Repeat the above steps to add more routes. To delete a tunnel route, select the route you want to delete from the list, and then click Delete.
  7. If necessary, click Advanced to configure the advanced functions, including parameters, client/USB key, host security, SMS authentication, and optimal path. For the detailed information, see Steps 8 to 12.
  8. Click Parameters, and in the Parameters page, configure the parameters of security kit, client connection, and the advanced options.
    Option Description
    Security kit

    SSL version: Specifies the SSL version. The system supports SSLv3 and TLSv1. Any indicates both of the versions.
    Trust domain: Specifies the trust domain.
    Encryption: Specifies the encryption algorithm of the SCVPN tunnel. The default value is 3DES. NULL indicates no encryption.
    Hash: Specifies the hash algorithm of the SCVPN tunnel. The default value is SHA-1. NULL indicates no hash.
    Compression: Specifies the compression algorithm of the SCVPN tunnel. By default, no compression.
    Client connection

    Idle time: Time that a client keeps online without any traffic with the server. After waiting for the idle time, the server will disconnect the connection with the client. The value range is 15 to 120 minutes. The default value is 30.
    Multiple login: This function permits one client to sign in at more than one place simultaneously. Select the Enable check box to enable the function. Type the login time into the Login times box. The value range is 0 to 99999999. The value of 0 indicates no login time limitation.
    Advanced

    Anti-Replay: The anti-replay function is used to prevent replay attacks. The default value is 32.

    DF bit: Specifies whether to permit packet fragmentation on the device forwarding the packets. The actions include:

    • Set - Permits packet fragmentation.
    • Copy - Copies the DF value from the destination of the packet. It is the default value.
    • Clear - Forbids packet fragmentation.
    Port (UDP): Specifies the UDP port number for the SCVPN connection.
  9. Click Client, and in the Client page, configure the options of client authentication.
    Option Description
    Client configuration

    Redirect URL: This function redirects the client to the specified redirected URL after successful authentication. Type the redirected URL into the box. The value range is 1 to 255 characters. HTTP (http://) and HTTPS (https://) URLs are supported. Based on the type of the URL, the corresponding fixed format of URL is required. Take the HTTP type as the example:

    • For the UTF-8 encoding page - The format is URL+username=$USER&password=$PWD, e.g., http://www.abc.com/oa/login.do?username=$USER&password=$PWD
    • For the GB2312 page - The format is URL+username=$GBUSER&password=$PWD, e.g., http://www.abc.com/oa/login.do?username=$GBUSER&password=$PWD
    • Other pages - Type the URL directly, e.g., http://www.abc.com
    English title: Specifies the English description for the redirect URL. The value range is 1 to 31 bytes. This title will appear as a client menu item for the English operating system PC.
    Chinese title: Specifies the Chinese description for the redirect URL. The value range is 1 to 63 bytes. This title will appear as a client menu item for the Chinese operating system PC.
    Digital Certificate authentication

    Authentication: Select the Enable check box to enable the Digital Certificate authentication function. There are two options available: Username/Password + Digital Certificate and Digital Certificate only.

    • Username/Password + Digital Certificate - To pass the authentication, you need to have the correct file certificate, or the USB Key that stores the correct digital certificate, and also type the correct username and password. USB Key certificate users also need to type the USB Key password.
    • Digital Certificate only - To pass the authentication, you need to have the correct file certificate, or the USB Key that stores the correct digital certificate. USB Key certificate users also need to type the USB Key password. No username or user password is required.

    Note: When Digital Certificate only is selected:

    • The system can map corresponding roles for the authenticated users based on the CN or OU field of the USB Key certificate. For more information about the role mapping based on CN or OU, see Configuring a Role Mapping Rule.
    • The system does not allow the local user to change the password.
    • The system does not support SMS authentication.
    • The client will not re-connect automatically if the USB Key is removed.
    Download URL: When USB Key authentication is enabled, you can download the UKey driver from this URL.

    To configure the trust domain and the subject & username checking function, take the following steps:

    1. From the Trust domain drop-down list, select the PKI trust domain that contains the CA (Certification Authority) certificate. The authentication succeeds only if the certificate submitted by the client matches a CA certificate of the trust domain.
    2. If necessary, select the Subject & username checking check box to enable the subject & username check function. After enabling it, when the user is authenticated by the USB Key certificate, the system will check whether the subject CommonName in the CA certificate of the PKI trust domain is the same as the name of the login user.
    3. Click Add. The configured trust domain and Subject & username checking status will be displayed in the list below.
    4. Repeat the above steps to add more trust domains. To delete a trust domain, select the trust domain you want to delete from the list, and click Delete.
  10. Click Host Security, and in the Host security check page, configure the host check and host binding functions.
    Option Description
    Host Check

    Creates a host check rule (binding host check profile to the host check rule) to perform the host check function. Take the following steps:

    1. Specify the role to which the host check rule will be applied. Select the role from the Role drop-down list. Default indicates the rule will take effect to all the roles.
    2. Specify the guest role. Select the role from the Guest role drop-down list. The user will get the access permission of the guest role when the host check fails. If Null is selected, the system will disconnect the connection when the host check fails.
    3. Specify the host check profile. Select the profile from the Host checking name drop-down list.
    4. Specify the check period. The system will check the status of the host automatically according to the host check profile in each period. Type the period value into the Periodic checking box. The value range is 5 to 1440 minutes. The default value is 30.
    5. Click Add.
    6. Repeat the above steps to create more rules. To delete a rule, select the rule you want to delete from the list and click Delete.

    Note: You must create the host check profile first before creating the host check rule here. For more information about host check profile, see Introduction to Host Check.

    Host binding

    Select the Enable host binding check box to enable the function. By default, one user can only log in on one host. You can change the login status by configuring the following options.

    • Allow one user to login through multiple hosts.
    • Allow multiple users to login on one host.
    • Automatically add the user-host ID entry into the binding list at the first login.

    Note: To use the host binding function, you still have to configure it in the host binding configuration page. For more information about host binding, see Introduction to Host Binding.

  11. Click SMS Authentication, and in the SMS authentication page, configure the SMS authentication function.
    1. Select the Enable SMS authentication check box to enable the function.
    2. Specify the lifetime of the SMS authentication code. Type the lifetime value into the Lifetime of SMS auth code box. The SCVPN connection will be disconnected under the following two situations: no SMS authentication code is provided before the lifetime ends; no new request code is submitted before the lifetime ends.
    3. If necessary, under SMS test, specify a mobile phone number in the box, and then click Send to check whether the device works normally.
  12. Click Optimal Path, and in the optimal path page, configure the optimal path detection function.
    Function Description
    Optimal Path Detection

    Optimal path detection can automatically detect which ISP service is better, giving remote users a better user experience. To configure the function, take the following steps:

    1. Specify the detecting method by the Tunnel detection mode option. The options are:
      • No detection - Do not detect.
      • Client - The client selects the optimal path automatically by sending UDP probe packets.
      • The device - When the client connects to the server directly without any NAT device, the detection process is: the server recognizes the ISP type of the client according to the client's source address --> the server sends all the sorted IP addresses of the egress interfaces to the client --> the client selects the optimal path. When the client connects to the server through a NAT device, the detection process is: the server recognizes the ISP type of the client according to the client's source address --> the server sends all the sorted NAT IP addresses of the external interfaces to the client --> the client selects the optimal path.
    2. If necessary, in the NAT mapping address and port section, specify the mapped public IPs and ports of the server referenced in the DNAT rules of the DNAT device. When the client connects to the server through the DNAT device, the NAT device translates the destination address of the client's packets to the server's egress interface address. Type the IP address of the NAT device's external interface and the HTTPS port number (it is not recommended to use 443 as the HTTPS port, because 443 is the default HTTPS port of WebUI management). You can configure up to 4 IPs.
  13. Click OK to save the settings.
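The Anti-Replay setting in Step 8 (Parameters) is easier to reason about with the mechanism in front of you. The following is an added example, not the device's own code: it implements the classic sliding-window anti-replay check, assuming the configured value (default 32) is the window size and that tunnel packets carry an unsigned sequence number that starts at 1 and increases with every packet the peer sends. The constructed sample sequence exercises in-order delivery, a replayed packet, a jump past the window, a late-but-fresh packet, and a packet too old to be checked.

```python
"""Sliding-window anti-replay check for tunnel packets.

Added example, not the device's own code. Assumptions: the Anti-Replay value
(default 32) is the window size, sequence numbers are unsigned integers that
start at 1 and increase with every packet the peer sends.
"""


class AntiReplayWindow:
    """Remembers the highest sequence number accepted and a bitmap of which
    of the `size` most recent sequence numbers below it were already seen."""

    def __init__(self, size: int = 32):
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set  =>  sequence (highest - i) seen
        self.replayed = 0       # counters a detection engineer would alert on
        self.too_old = 0

    def check(self, seq: int) -> bool:
        """Accept and record seq if it is fresh; reject replays and packets
        that fell behind the window (those cannot be checked, so they are
        dropped rather than trusted)."""
        if seq <= 0:
            return False
        mask = (1 << self.size) - 1
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                      # whole window is new
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            self.too_old += 1
            return False
        if self.bitmap & (1 << offset):
            self.replayed += 1
            return False
        self.bitmap |= 1 << offset                   # late but fresh
        return True


def replay_check_demo(size: int = 32):
    """Run a constructed sequence through a window and return the verdicts
    together with the window, so its counters can be inspected."""
    window = AntiReplayWindow(size)
    # Constructed sample: in-order packets, one replay, a jump past the
    # window, a late packet, a packet older than the window, another replay.
    sample = [1, 2, 3, 2, 40, 39, 40, 8, 9, 100, 69, 68]
    return [window.check(s) for s in sample], window


if __name__ == "__main__":
    verdicts, w = replay_check_demo()
    print(verdicts, "replayed:", w.replayed, "too old:", w.too_old)
```

A larger window tolerates more reordering on lossy links but keeps more state per tunnel; packets that arrive behind the window are dropped because there is no record to prove they are not replays, which is why a rising too_old counter on an otherwise healthy link is worth correlating with path changes.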
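The Redirect URL formats in Step 9 (Client) substitute the login name and password into a query string, and the $USER versus $GBUSER distinction is about which character set the target page decodes the username in. The following is an added example, not the device's own code: it builds a redirect URL from such a template, percent-encoding $USER as UTF-8, $GBUSER as GB2312 and $PWD as UTF-8 (all three are assumptions), applies the page's stated limits (http:// or https://, 1 to 255 characters), decodes the username back as the portal would, and masks the password before the URL is written to a log, since this format places the plaintext password in the query string.

```python
"""Build and inspect SCVPN redirect URLs of the form documented in the
Client page. Added example, not the device's own code. Assumptions: $USER is
percent-encoded as UTF-8, $GBUSER as GB2312, $PWD as UTF-8; the template
limits are those stated on the page (1 to 255 characters, http or https).
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

USER_PLACEHOLDERS = {"$USER": "utf-8", "$GBUSER": "gb2312"}


def is_supported_template(template: str) -> bool:
    """Page rules: http:// or https:// only, 1 to 255 characters."""
    scheme = urlsplit(template).scheme.lower()
    return scheme in ("http", "https") and 1 <= len(template) <= 255


def build_redirect_url(template: str, username: str, password: str) -> str:
    """Substitute the placeholders, encoding each value in the character set
    its placeholder implies so that '&', '=' or spaces cannot alter the query."""
    if not is_supported_template(template):
        raise ValueError("redirect URL must be http(s) and 1 to 255 characters")
    url = template
    for placeholder, charset in USER_PLACEHOLDERS.items():
        url = url.replace(placeholder, quote(username, safe="", encoding=charset))
    return url.replace("$PWD", quote(password, safe=""))


def recover_username(url: str, charset: str) -> str:
    """Decode the username parameter back, as the target page would."""
    query = urlsplit(url).query
    return parse_qs(query, encoding=charset)["username"][0]


def redact_credentials(url: str) -> str:
    """Mask the password value before a redirect URL is written to a log:
    the documented format carries the password in the query string."""
    return re.sub(r"(?i)(password=)[^&#]*", r"\1***", url)


if __name__ == "__main__":
    # Constructed sample: the GB2312 template from the page with a Chinese
    # login name and a password containing characters that are special in URLs.
    t = "http://www.abc.com/oa/login.do?username=$GBUSER&password=$PWD"
    u = build_redirect_url(t, "张三", "p&w d")
    print(u)
    print(redact_credentials(u))
```

Encoding the values rather than splicing them in raw is what keeps a username such as alice&password=x from rewriting the query; the redaction helper is the piece to reuse wherever these URLs pass through proxies, web-server access logs or SIEM pipelines.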
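Step 9 (Client) also describes two checks made on the certificate subject in certificate-only mode: the Subject & username check (subject CommonName equals the login name) and role mapping on the CN or OU field. The following is an added example, not the device's own code, of how those name checks behave once the certificate has already been validated against the trust domain's CA. It assumes the subject is available as an RFC 4514 string (commas inside a value are backslash-escaped), that role-mapping rules are (attribute, value, role) triples evaluated in order with a default role when none match, and that the CN comparison is exact. The sample subject and rules are constructed.

```python
"""Subject-name checks for certificate-only SCVPN logins. Added example, not
the device's own code. Assumptions: the certificate subject is available as an
RFC 4514 string (e.g. "CN=alice,OU=Finance,O=Example\\, Inc.,C=CN"), the
chain check against the trust domain's CA has already passed, and role-mapping
rules are (attribute, value, role) triples evaluated in order.
"""


def parse_dn(dn: str) -> list:
    """Split a string DN into (ATTR, value) pairs. A backslash escapes the next
    character, so a comma inside a value (e.g. an O= with ", Inc.") does not
    start a new RDN. Multi-valued RDNs joined with '+' are not handled."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
        elif c == ",":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def subject_matches_user(subject_dn: str, username: str) -> bool:
    """The subject & username check: exactly one CN, equal to the login name.
    Two CNs or a missing CN fail closed rather than picking one."""
    cns = [v for a, v in parse_dn(subject_dn) if a == "CN"]
    return len(cns) == 1 and cns[0] == username


def map_role(subject_dn: str, rules: list, default_role: str = "default") -> str:
    """First rule whose attribute (CN or OU) and value match wins."""
    pairs = parse_dn(subject_dn)
    for attr, value, role in rules:
        if (attr.upper(), value) in pairs:
            return role
    return default_role


# Constructed sample data for a stand-alone run.
SAMPLE_SUBJECT = "CN=alice,OU=Finance,O=Example\\, Inc.,C=CN"
SAMPLE_RULES = [("CN", "vpnadmin", "admin"), ("OU", "Finance", "finance")]

if __name__ == "__main__":
    print(parse_dn(SAMPLE_SUBJECT))
    print(subject_matches_user(SAMPLE_SUBJECT, "alice"),
          map_role(SAMPLE_SUBJECT, SAMPLE_RULES))
```

The escape handling is the part worth keeping: a naive split on commas would turn the O= value above into two RDNs, and a subject with two CN values would otherwise let the check pass on whichever one happened to be compared. Rule order matters too, since the first matching rule decides the role; put the most specific CN rules before broad OU rules.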

Editing a SCVPN Instance

To edit a SCVPN instance, take the following steps:

  1. On the Navigation pane, click Configure > Network > SSL VPN to visit the SSL VPN page.
  2. Select the SCVPN instance you want to edit from the list and click Edit.
  3. In the SSL VPN Configuration dialog, modify according to your need.

Deleting a SCVPN Instance

To delete a SCVPN instance, take the following steps:

  1. On the Navigation pane, click Configure > Network > SSL VPN to visit the SSL VPN page.
  2. Select the SCVPN instance you want to delete from the list and click Delete.

Viewing Online Users

To view the SCVPN online users, take the following steps:

  1. On the Navigation pane, click Configure > Network > SSL VPN to visit the SSL VPN page.
  2. The online user list shows the following information about each online user:
    • Name: Shows the name of the online user.
    • Type: Shows the type of the online user.
    • Login time: Shows the time when the user logs in.
    • Public IP: Shows the public IP of the online user.
    • Private IP: Shows the IP allocated by the SCVPN server.
    • Client version: Shows the client version of the online user.
    • Action: Click Kick off to disconnect the SCVPN connection.
  3. To search for a specific user, type the user name into the Online user box, and then click Search.