Configuring SCVPN
This section describes how to configure a SCVPN server.
Creating a SCVPN Instance
To create a SCVPN instance, take the following steps:
- On the Navigation pane, click Configure > Network > SSL VPN to visit the SSL VPN page.
- Click New or click Create a SSL VPN on the Task tab in the right auxiliary pane.
- In the Welcome page of the SSL VPN Configuration dialog, type the name of the SSL VPN instance into the SSL VPN name box.
- Click Next. In the User page, specify the AAA servers that authenticate the SCVPN users.
- Select the AAA server name from the AAA server drop-down list.
- Type the domain name into the Domain box. The domain name is used to distinguish between the configured AAA servers.
- Click Add.
- Repeat the above steps to add more AAA servers. To delete an AAA server, select the AAA server you want to delete from the list, and click Delete.
- Click Next. In the Interface page, configure the SCVPN server interface, tunnel interface, and address pool.
Option |
Description |
Access interface |
Specifies the SCVPN server interface, on which the server listens for connection requests from SCVPN clients. The options are:
- Interface 1: Select the interface from the drop-down list.
- Interface 2: Select the interface from the drop-down list. A second interface is only needed when the optimal path detection function is enabled.
- Service port: Specifies the SCVPN service port number.
|
Tunnel interface and address pool |
Tunnel interface
|
Specifies the tunnel interface that is bound to the SCVPN tunnel. Traffic to and from SCVPN clients enters and leaves the device through this interface. The options are:
- Tunnel interface: Use one of the following ways to specify the tunnel interface:
- Select the configured tunnel interface from the drop-down list.
- Click New from the drop-down list, and in the Interface Configuration dialog, configure a new tunnel interface.
- Select a configured tunnel interface from the drop-down list, and then click Modify to edit the selected tunnel interface in the Interface Configuration dialog.
For more information about creating/editing tunnel interfaces, see Configuring an Interface.
- Zone: Shows the zone of the selected tunnel interface.
- IP address: Shows the IP address of the selected tunnel interface.
- Netmask: Shows the netmask of the selected tunnel interface.
|
Address pool |
Specifies the SCVPN address pool. The options are:
|
- Click Next. In the Policy/Route page, configure the policy rules and tunnel routes.
Option |
Description |
Policy |
Select the check box The following policy rules are created by system automatically, and the policy rules shown in the list are created for you when the instance is saved. You can also create or edit policy rules on the Policy page (Configure > Security > Policy). For more information about policy rules, see Configuring a Policy Rule. |
Tunnel route |
Specifies the network segments that are reachable through the SCVPN tunnel. The server assigns these routes to each client at login, and clients reach the specified segments through them; destinations not covered by a tunnel route are not sent through the tunnel. Take the following steps:
- Type the destination IP address, the netmask of the destination IP address, and the metric value into the IP, Netmask, and Metric boxes respectively.
- Click Add.
- Repeat the above steps to add more routes. To delete a tunnel route, select the route you want to delete from the list, and then click Delete.
|
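The following script is added here as an illustration and is not part of the device software. It takes the (IP, Netmask, Metric) rows of the Tunnel route table, reports the entries that would be rejected or silently changed (non-contiguous netmask, host bits set, duplicate entry, default route), and predicts which destinations a client will send through the tunnel. The sample rows are constructed, and the longest-prefix, lowest-metric selection rule is an assumption about how the client's routing table resolves the pushed routes.

```python
"""Check an SCVPN Tunnel route table and predict which destinations a
client sends through the tunnel.

Added example, not device code. Rows are the (IP, Netmask, Metric) values
typed into the Tunnel route table. Longest-prefix match with lowest metric
as tie-breaker is assumed to be the client's route selection rule.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, int]  # (destination network, metric)


def parse_routes(rows: Iterable[Tuple[str, str, int]]) -> Tuple[List[Route], List[str]]:
    """Normalise the rows; return (routes that would be installed, findings)."""
    routes: List[Route] = []
    findings: List[str] = []
    for ip, netmask, metric in rows:
        try:
            net = ipaddress.IPv4Network((ip, netmask), strict=False)
        except ValueError as exc:  # bad address or non-contiguous netmask
            findings.append(f"{ip}/{netmask}: rejected ({exc})")
            continue
        if ipaddress.IPv4Address(ip) != net.network_address:
            findings.append(f"{ip}/{netmask}: host bits set, installed as {net}")
        if net.prefixlen == 0:
            findings.append(f"{net}: default route, every client packet is tunnelled")
        if any(net == existing for existing, _ in routes):
            findings.append(f"{net}: duplicate entry")
        routes.append((net, metric))
    return routes, findings


def route_for(dest: str, routes: List[Route]) -> Optional[Route]:
    """Longest prefix wins; lowest metric breaks ties. None = not tunnelled."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[1]))


def describe(dest: str, routes: List[Route]) -> str:
    """Human-readable form of route_for(), e.g. '10.10.5.0/24 metric 5'."""
    chosen = route_for(dest, routes)
    if chosen is None:
        return "local (not through the tunnel)"
    return f"{chosen[0]} metric {chosen[1]}"


# Constructed sample table, including the mistakes the checks are meant to catch.
SAMPLE_ROWS = [
    ("10.10.0.0", "255.255.0.0", 10),     # data-centre range
    ("10.10.5.7", "255.255.255.0", 5),    # host bits set: installs 10.10.5.0/24
    ("172.16.0.0", "255.255.0.255", 10),  # non-contiguous mask: rejected
    ("10.10.0.0", "255.255.0.0", 20),     # duplicate of the first row
]

if __name__ == "__main__":
    routes, findings = parse_routes(SAMPLE_ROWS)
    for finding in findings:
        print("finding:", finding)
    for dest in ("10.10.5.200", "10.10.9.1", "192.168.1.1"):
        print(dest, "->", describe(dest, routes))
```

Run the script against your own rows before clicking Add: an entry with host bits set is installed as the containing network, which is usually wider than intended, and a rejected netmask means the row will not be saved at all.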
- If necessary, click Advanced to configure the advanced functions: Parameters, Client/USB KEY, Host Security, SMS Authentication, and Optimal Path. For details, see Steps 11 to 15.
- Click Parameters, and in the Parameters page, configure the security kit, client connection, and advanced options.
Option |
Description |
Security kit |
SSL version: Specifies the SSL/TLS version the server accepts. The system supports SSLv3 and TLSv1; Any accepts both. SSLv3 is deprecated (RFC 7568) and should only be accepted if legacy clients require it. |
Trust domain: Specifies the PKI trust domain whose certificate the server presents to clients. |
Encryption: Specifies the encryption algorithm of the SCVPN tunnel. The default value is 3DES. NULL disables encryption, so the tunnel carries client traffic in cleartext; do not use it in production. |
Hash: Specifies the hash algorithm of the SCVPN tunnel. The default value is SHA-1. NULL disables the integrity check on tunnel packets. |
Compression: Specifies the compression algorithm of the SCVPN tunnel. By default, no compression is applied. |
Client connection |
Idle time: The time a client may stay online without exchanging any traffic with the server. When the idle time elapses, the server disconnects the client. The value range is 15 to 120 minutes. The default value is 30. |
Multiple login: Allows one user account to be logged in from more than one place at the same time. Select the Enable check box to enable the function, then type the maximum number of simultaneous logins into the Login times box. The value range is 0 to 99999999; 0 means no limit. |
Advanced |
Anti-Replay: Enables the anti-replay window, which discards replayed tunnel packets. The value is the size of the anti-replay window; the default value is 32. |
DF bit: Specifies how the DF (Don't Fragment) bit of the outgoing tunnel packet is set, which controls whether devices forwarding the packet may fragment it. The actions include:
- Set - Sets the DF bit; forwarding devices must not fragment the packet.
- Copy - Copies the DF bit from the original (inner) packet. It is the default value.
- Clear - Clears the DF bit; forwarding devices may fragment the packet.
|
Port (UDP): Specifies the UDP port number for the SCVPN connection. |
- Click Client/USB KEY, and in the Client/USB KEY page, configure the options of client authentication.
Option |
Description |
Client configuration |
Redirect URL: After successful authentication the client is redirected to the URL specified here. Type the URL into the box. The value range is 1 to 255 characters. HTTP (http://) and HTTPS (https://) URLs are supported, and the URL must follow the fixed format for its page type. Taking HTTP as the example:
- For a UTF-8 encoded page - The format is URL+username=$USER&password=$PWD, e.g., http://www.abc.com/oa/login.do?username=$USER&password=$PWD
- For a GB2312 encoded page - The format is URL+username=$GBUSER&password=$PWD, e.g., http://www.abc.com/oa/login.do?username=$GBUSER&password=$PWD
- Other pages - Type the URL directly, e.g., http://www.abc.com
Note: With the $USER/$GBUSER and $PWD formats the user's credentials are placed in the URL query string. Over http:// they travel in cleartext and can be recorded in browser history and in proxy and web server logs; use an https:// URL for these formats.
|
English title: Specifies the English description for the redirect URL. The value range is 1 to 31 bytes. This title will appear as a client menu item for the English operating system PC. |
Chinese title: Specifies the Chinese description for the redirect URL. The value range is 1 to 63 bytes. This title will appear as a client menu item for the Chinese operating system PC. |
USB KEY authentication |
Authentication: Select the Enable check box to enable USB KEY authentication. Clients are then authenticated with a USB key: a key supported by the standard Windows SDK and holding a valid UKey certificate is required for authentication to succeed. |
Download URL: The URL where the clients can download the UKey driver. |
To configure the client trust domain and the subject & username checking function, take the following steps:
- From the Trust domain drop-down list, select the PKI trust domain that contains the CA (Certification Authority) certificate.
- If necessary, select the Subject & username checking check box. When enabled, the system checks that the CommonName in the subject of the client's certificate (the certificate issued by the CA of this trust domain) is the same as the login user name; a user whose certificate CommonName differs from the user name fails authentication.
- Click Add.
- Repeat the above steps to add more trust domains. To delete a trust domain, select the trust domain you want to delete from the list, and click Delete. If more than one trust domain is added, the user is authenticated as soon as one trust domain matches.
|
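To make the three redirect URL formats above concrete, here is an added Python example (not part of the device or client software) that validates a redirect URL template, substitutes the $USER/$GBUSER/$PWD placeholders the way the formats imply, and decodes the result as the target login page would. It assumes the placeholders are replaced with percent-encoded values, UTF-8 for $USER and GB2312 for $GBUSER; www.abc.com is the page's own example host and the user names and passwords are constructed.

```python
"""Redirect URL placeholder handling for the SCVPN Client/USB KEY page.

Added example, not device or client code. Assumes the server substitutes
$USER / $GBUSER / $PWD with percent-encoded values (UTF-8 for $USER,
GB2312 for $GBUSER) before redirecting the client.
"""
from typing import List
from urllib.parse import parse_qs, quote, urlsplit


def validate_template(template: str) -> List[str]:
    """Return the problems to fix before saving the Redirect URL."""
    issues: List[str] = []
    if not 1 <= len(template) <= 255:
        issues.append("length must be 1 to 255 characters")
    scheme = urlsplit(template).scheme
    if scheme not in ("http", "https"):
        issues.append("only http:// and https:// URLs are supported")
    if "$USER" in template and "$GBUSER" in template:
        issues.append("use $USER (UTF-8 page) or $GBUSER (GB2312 page), not both")
    if "$PWD" in template and scheme == "http":
        issues.append("password travels in a cleartext GET query string; use https://")
    return issues


def render_redirect_url(template: str, username: str, password: str) -> str:
    """Fill in the placeholders; $GBUSER selects the GB2312 encoding of the name."""
    encoding = "gb2312" if "$GBUSER" in template else "utf-8"
    # safe="" also escapes '/', '&' and '=', so a name or password cannot
    # break out of its query parameter.
    user = quote(username.encode(encoding), safe="")
    pwd = quote(password.encode("utf-8"), safe="")
    return (template.replace("$GBUSER", user)
                    .replace("$USER", user)
                    .replace("$PWD", pwd))


def decode_username(url: str, page_encoding: str) -> str:
    """What the login page sees once it decodes the query in its own charset."""
    query = urlsplit(url).query
    return parse_qs(query, encoding=page_encoding, errors="strict")["username"][0]


if __name__ == "__main__":
    utf8_tmpl = "https://www.abc.com/oa/login.do?username=$USER&password=$PWD"
    gb_tmpl = "https://www.abc.com/oa/login.do?username=$GBUSER&password=$PWD"
    print(validate_template(utf8_tmpl.replace("https", "http", 1)))
    print(render_redirect_url(utf8_tmpl, "张三", "p@ss word"))
    print(render_redirect_url(gb_tmpl, "张三", "p@ss word"))
```

A Chinese user name produces different bytes under the two formats, which is why the format must match the charset of the target page: decoding the $GBUSER form as UTF-8 fails or yields garbage, and the login is refused.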
- Click Host Security, and in the Host security check page, configure the host check and host binding functions.
Option |
Description |
Host Check |
Creates a host check rule, which binds a host check profile to a role so that the host check is performed for that role's users. Take the following steps:
- Specify the role to which the host check rule will be applied. Select the role from the Role drop-down list. Default indicates the rule will take effect to all the roles.
- Specify the guest role. Select the role from the Guest role drop-down list. The user will get the access permission of the guest role when the host check fails. If Null is selected, the system will disconnect the connection when the host check fails.
- Specify the host check profile. Select the profile from the Host checking name drop-down list.
- Specify the check period. The system will check the status of the host automatically according to the host check profile in each period. Type the period value into the Periodic checking box. The value range is 5 to 1440 minutes. The default value is 30.
- Click Add.
- Repeat the above steps to create more rules. To delete a rule, select the rule you want to delete from the list and click Delete.
Note: You must create the host check profile first before creating the host check rule here. For more information about host check profile, see Introduction to Host Check.
|
Host binding |
Select the Enable host binding check box to enable the function. By default, a user can log in from only one host, and a host can be used by only one user. Relax this by selecting the following options as needed:
- Allow one user to log in from multiple hosts.
- Allow multiple users to log in on one host.
- Automatically add the user-host ID entry to the binding list at the user's first login.
Note: To use the host binding function, you still have to configure it in the host binding configuration page. For more information about host binding, see Introduction to Host Binding.
|
- Click SMS Authentication, and in the SMS authentication page, configure the SMS authentication function.
- Select the Enable SMS authentication check box to enable the function.
- Specify the lifetime of the SMS authentication code. Type the lifetime value into the Lifetime of SMS auth code box. The SCVPN connection is disconnected if the user does not enter the SMS authentication code before the lifetime ends, or does not request a new code before the lifetime ends.
- If necessary, under SMS test, type a mobile phone number into the box and click Send to confirm that the device can deliver SMS messages.
- Click Optimal Path, and in the optimal path page, configure the optimal path detection function.
Function |
Description |
Optimal Path Detection |
Optimal path detection automatically determines which ISP link gives the remote user the better path, improving the user experience. To configure the function, take the following steps:
- Specify the detecting method with the Tunnel detection mode option. The options are:
- No detection - Do not detect.
- Client - The client selects the optimal path automatically by sending UDP probe packets.
- The device - The server supplies the candidate paths and the client picks the best one. When the client connects to the server directly, without a NAT device in between: the server identifies the client's ISP from the client's source address, sends the client the sorted IP addresses of its egress interfaces, and the client selects the optimal path. When the client connects to the server through a NAT device: the server identifies the client's ISP from the client's source address, sends the client the sorted NAT-mapped IP addresses of the external interfaces, and the client selects the optimal path.
- If necessary, in the NAT mapping address and port section, specify the public IP addresses and ports that the DNAT device maps to the server, as referenced in that device's DNAT rules. When the client connects to the server through the DNAT device, the NAT device translates the destination address of the client's packets to the server's egress interface address. Type the IP address of the NAT device's external interface and the HTTPS port number. Do not use port 443 here, because 443 is the default HTTPS port of WebUI management. You can configure up to 4 IP addresses.
|
- Click OK to save the settings.
Editing a SCVPN Instance
To edit a SCVPN instance, take the following steps:
- On the Navigation pane, click Configure > Network > SSL VPN to visit the SSL VPN page.
- Select the SCVPN instance you want to edit from the list and click Edit.
- In the SSL VPN Configuration dialog, modify according to your need.
Deleting a SCVPN Instance
To delete a SCVPN instance, take the following steps:
- On the Navigation pane, click Configure > Network > SSL VPN to visit the SSL VPN page.
- Select the SCVPN instance you want to delete from the list and click Delete.
Viewing Online Users
To view the SCVPN online users, take the following steps:
- On the Navigation pane, click Configure > Network > SSL VPN to visit the SSL VPN page.
- The online user list shows the following information for each online user:
- Name: Shows the name of the online user.
- Type: Shows the type of the online user.
- Login time: Shows the time when the user logs in.
- Public IP: Shows the public IP of the online user.
- Private IP: Shows the IP allocated by the SCVPN server.
- Client version: Shows the client version of the online user.
- Action: Click Kick off to disconnect the user's SCVPN connection.
- To search a specific user, type the user name into the Online user box, and then click Search.