Remote users can access the intranet resources safely through VPN.
Option |
Description |
Name/Access User |
SSL VPN Name |
Specifies the name of the SSL VPN.
|
AAA server/Domain/Verify User Domain Name |
Specifies the AAA server(s) used for user authentication. Take the following steps:
- Select an AAA server from the AAA server drop-down list.
- Type the domain name into the Domain box. The domain name distinguishes this AAA server from the others when a user logs in.
- Verify User Domain Name: Select the Enable check box to have the domain name carried in the login username checked against the domain configured here when the user is authenticated.
- Click Add.
- Repeat the above steps to add more AAA servers. To delete an AAA server, select it in the list and click Delete.
|
Interface |
Access interface |
Specifies the SCVPN server interface, which listens for connection requests from SCVPN clients. The options are:
- Interface 1: Select the interface from the drop-down list.
- Interface 2: Select the interface from the drop-down list. This second interface is needed only when the optimal path detection function is enabled.
- Service port: Specifies the port number the SCVPN service listens on (the HTTPS port that clients connect to).
|
Tunnel interface |
Specifies the tunnel interface bound to the SCVPN tunnel; it carries the traffic entering and leaving the tunnel. The options are:
- Tunnel interface: Use one of the following ways to specify the tunnel interface:
  - Select a configured tunnel interface from the drop-down list.
  - Click New in the drop-down list, and configure a new tunnel interface in the Interface Configuration dialog.
  - Select a configured tunnel interface from the drop-down list, and then click Modify to edit it in the Interface Configuration dialog.
  For more information about creating/editing tunnel interfaces, see Configuring an Interface.
- Zone: Shows the zone of the selected tunnel interface.
- IP address: Shows the IP address of the selected tunnel interface.
- Netmask: Shows the netmask of the selected tunnel interface.
|
Address pool |
Specifies the SCVPN address pool from which clients are assigned their tunnel addresses. The options are:
- Address pool: Use one of the following ways to specify the address pool:
  - Select a configured address pool from the drop-down list.
  - Select New in the drop-down list, and create a new address pool in the Address Pool Configuration dialog.
  - Select a configured address pool from the drop-down list, and then click Modify to edit it in the Address Pool Configuration dialog.
  For more information about creating/editing address pools, see Configuring a SCVPN Address Pool.
- Start IP: Shows the start IP of the selected address pool.
- End IP: Shows the end IP of the selected address pool.
- Netmask: Shows the netmask of the selected address pool.
|
Tunnel Route |
Tunnel route |
Specifies the routes from the SCVPN tunnel to specific network segments. The SCVPN server pushes these routes to the clients, which then reach the specified segments through the tunnel. Take the following steps:
- Type the destination network address, its netmask, and the metric into the IP, Netmask, and Metric boxes respectively.
- Click Add.
- Repeat the above steps to add more routes. To delete a tunnel route, select it in the list and click Delete.
|
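The tunnel interface, address pool and tunnel route settings above only work together if they agree with each other. The following is an added example (not StoneOS code, and not something the documentation prescribes) that checks a proposed combination of those three settings before it is typed into the WebUI. The rules it applies are assumptions: the pool must lie inside the tunnel interface's subnet and must not contain the interface address, the pool and interface netmasks should match, a route destination with host bits set is a typo, and a route that covers the client pool itself is probably unintended. It uses only the Python standard library.

```python
import ipaddress


def check_scvpn_addressing(tunnel_if_ip, tunnel_if_mask,
                           pool_start, pool_end, pool_mask, routes):
    """Return a list of findings for one SCVPN addressing setup.

    An empty list means nothing looked wrong.  `routes` is an iterable of
    (ip, netmask, metric) tuples, the three values the Tunnel Route table
    asks for.  The checks are the author's assumptions, not rules the
    StoneOS documentation states.
    """
    findings = []
    tif = ipaddress.ip_interface(f"{tunnel_if_ip}/{tunnel_if_mask}")
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    pool_net = ipaddress.ip_network(f"{pool_start}/{pool_mask}", strict=False)

    if start > end:
        findings.append("pool: start IP is greater than end IP")
    # Assumption: pool addresses must sit in the tunnel interface's subnet,
    # otherwise the interface cannot route the clients' return traffic.
    if start not in tif.network or end not in tif.network:
        findings.append(f"pool {start}-{end} is outside tunnel interface "
                        f"subnet {tif.network}")
    if start <= tif.ip <= end:
        findings.append(f"pool overlaps the tunnel interface address {tif.ip}")
    if pool_net.netmask != tif.network.netmask:
        findings.append(f"pool netmask {pool_net.netmask} differs from tunnel "
                        f"interface netmask {tif.network.netmask}")

    seen = set()
    for ip, mask, metric in routes:
        try:
            # strict=True rejects a destination with host bits set, e.g. a
            # host address typed where the network address was meant.
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=True)
        except ValueError as exc:
            findings.append(f"route {ip}/{mask}: {exc}")
            continue
        if (net, int(metric)) in seen:
            findings.append(f"route {net} metric {metric} is listed twice")
        seen.add((net, int(metric)))
        if net.prefixlen == 0:
            findings.append("route 0.0.0.0/0: full tunnel, all client "
                            "traffic enters the tunnel")
        elif net.overlaps(pool_net):
            # Assumption: a route covering the client pool pulls
            # client-to-client traffic into the tunnel; rarely intended.
            findings.append(f"route {net} overlaps the client address "
                            f"pool {pool_net}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for finding in check_scvpn_addressing(
            "10.8.0.1", "255.255.255.0", "10.8.0.1", "10.9.0.5", "255.255.0.0",
            [("192.168.1.5", "255.255.255.0", 1),
             ("10.8.0.0", "255.255.255.0", 1),
             ("0.0.0.0", "0.0.0.0", 10)]):
        print(finding)
```

The full-tunnel finding is informational: a 0.0.0.0/0 tunnel route is a legitimate choice, but it changes what the client can reach and what the server must forward, so it deserves a second look rather than silent acceptance.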
Advanced |
Parameters |
Security kit |
SSL version: Specifies the SSL/TLS version. The system supports SSLv3 and TLSv1; Any accepts both. Note that SSLv3 (deprecated by RFC 7568) and TLS 1.0 (deprecated by RFC 8996) are both obsolete, so select TLSv1, the newer of the two, and avoid Any unless SSLv3-only clients must still be supported.
|
Trust domain:Specifies the trust domain.
|
Encryption: Specifies the encryption algorithm of the SCVPN tunnel. The default value is 3DES. NULL means the tunnel carries plaintext and must not be used on untrusted networks. 3DES uses a 64-bit block and is disallowed for new encryption by NIST SP 800-131A Rev. 2, so prefer a stronger algorithm from the list if the clients support one.
|
Hash: Specifies the hash (integrity) algorithm of the SCVPN tunnel. The default value is SHA-1. NULL means no integrity protection: tunnel packets can be modified in transit without detection.
|
Compression: Specifies the compression algorithm of the SCVPN tunnel. By default, no compression is used.
|
Client connection |
Idle time: The time a client may stay connected without exchanging any traffic with the server. When the idle time expires, the server disconnects the client. The value range is 15 to 120 minutes. The default value is 30.
|
Multiple login: Permits one user account to be logged in from more than one place at the same time. Select the Enable check box to enable the function, then type the maximum number of concurrent logins allowed per user into the Login times box. The value range is 0 to 99999999; 0 means no limit on the number of concurrent logins.
|
Advanced |
Anti-Replay: The anti-replay function detects and drops replayed tunnel packets. The value is the size of the anti-replay window in packets. The default value is 32.
|
DF bit: Specifies how the DF (Don't Fragment) bit is set on the outer packet, i.e. whether devices forwarding the packet may fragment it. The actions include:
- Set - Sets the DF bit, so forwarding devices may not fragment the packet.
- Copy - Copies the DF bit from the original packet. This is the default value.
- Clear - Clears the DF bit, so forwarding devices may fragment the packet.
|
Port (UDP): Specifies the UDP port number used for the SCVPN connection.
|
Client |
Client configuration |
Redirect URL: Redirects the client to the specified URL after successful authentication. Type the URL into the box. The value range is 1 to 255 characters. HTTP (http://) and HTTPS (https://) URLs are supported. The URL must follow the fixed format that matches the encoding of the target page. Taking HTTP as the example:
- For a UTF-8 encoded page - The format is URL+username=$USER&password=$PWD, e.g., http://www.abc.com/oa/login.do?username=$USER&password=$PWD
- For a GB2312 encoded page - The format is URL+username=$GBUSER&password=$PWD, e.g., http://www.abc.com/oa/login.do?username=$GBUSER&password=$PWD
- Other pages - Type the URL directly, e.g., http://www.abc.com
Note: $PWD places the user's password in the query string, where it is exposed to browser history, proxy and web-server access logs, and Referer headers of the target page. Use an https:// URL for such redirects, and prefer a format without $PWD where the target application allows it.
|
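The placeholder substitution described above is easy to get wrong for non-ASCII usernames, because the two placeholders differ only in which charset the username bytes are taken from before they go into the URL. The following is an added example (not StoneOS code; how the firewall itself escapes the substituted values is not stated on the page, so percent-encoding of the raw bytes is an assumption) that builds the redirect URL for both page encodings, shows the receiving application's view of it, and lints a template for the pitfalls the note above mentions.

```python
from urllib.parse import parse_qs, quote, urlsplit

MAX_URL_LEN = 255  # limit stated for the Redirect URL box


def build_redirect_url(template, username, password):
    """Fill $USER / $GBUSER / $PWD as the Redirect URL format describes.

    $USER   -> username as UTF-8 bytes, percent-encoded
    $GBUSER -> username as GB2312 bytes, percent-encoded (GB2312 pages)
    $PWD    -> password as UTF-8 bytes, percent-encoded
    Percent-encoding is the author's assumption; the page only names the
    placeholders.
    """
    return (template
            .replace("$GBUSER", quote(username.encode("gb2312"), safe=""))
            .replace("$USER", quote(username.encode("utf-8"), safe=""))
            .replace("$PWD", quote(password.encode("utf-8"), safe="")))


def decode_username(url, page_encoding):
    """The target application's view: recover the username from the query
    string, decoding the percent-encoded bytes with the page's charset."""
    query = parse_qs(urlsplit(url).query, encoding=page_encoding)
    return query["username"][0]


def check_redirect_template(template):
    """Return findings about a Redirect URL template (empty list = fine)."""
    findings = []
    if not 1 <= len(template) <= MAX_URL_LEN:
        findings.append(f"length must be 1-{MAX_URL_LEN} characters")
    scheme = urlsplit(template).scheme
    if scheme not in ("http", "https"):
        findings.append("only http:// and https:// URLs are supported")
    if "$PWD" in template:
        # The password travels in the query string: browser history,
        # proxy/web-server logs and Referer headers will all see it.
        if scheme == "http":
            findings.append("$PWD over plain http: password visible on the "
                            "wire and in logs")
        else:
            findings.append("$PWD in query string: password ends up in "
                            "browser history and server logs")
    if "$USER" in template and "$GBUSER" in template:
        findings.append("template mixes $USER and $GBUSER; pick the "
                        "encoding of the target page")
    return findings


if __name__ == "__main__":
    # Constructed sample values; www.abc.com is the placeholder host the
    # documentation itself uses.
    tmpl = "https://www.abc.com/oa/login.do?username=$GBUSER&password=$PWD"
    url = build_redirect_url(tmpl, "张三", "p@ss w0rd")
    print(url)
    print(decode_username(url, "gb2312"))
    print(check_redirect_template(tmpl))
```

The round trip through `decode_username` is the check worth running before choosing between $USER and $GBUSER: if the target page decodes the query with the other charset, the login silently fails for every user whose name contains non-ASCII characters.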
English title:Specifies the English description for the redirect URL. The value range is 1 to 31 bytes. This title will appear as a client menu item for the English operating system PC.
|
Chinese title:Specifies the Chinese description for the redirect URL. The value range is 1 to 63 bytes. This title will appear as a client menu item for the Chinese operating system PC.
|
Digital Certificate authentication |
Authentication: Select the Enable check box to enable digital certificate authentication. Two modes are available: Username/Password + Digital Certificate and Digital Certificate only.
- Username/Password + Digital Certificate - To pass authentication, the user needs the correct file certificate, or a USB Key that stores the correct digital certificate, and must also type the correct username and password. USB Key certificate users must also type the USB Key password.
- Digital Certificate only - To pass authentication, the user needs the correct file certificate, or a USB Key that stores the correct digital certificate. USB Key certificate users must also type the USB Key password. No username or password is required.
Note:
When Digital Certificate only is selected:
- The system does not allow the local user to change the password.
- The system does not support SMS authentication.
- The client will not re-connect automatically if the USB Key is removed.
|
Download URL: When USB Key authentication is enabled, users can download the UKey driver from this URL.
|
To configure the trust domain and the subject & username checking function, take the following steps:
- From the Trust domain drop-down list, select the PKI trust domain that contains the CA (Certification Authority) certificate. Authentication succeeds as long as the certificate submitted by the client validates against one of the CA certificates in the trust domain, so every certificate issued by those CAs is accepted unless the next option is enabled.
- If necessary, select the Subject & username checking check box to enable the subject & username check function. When it is enabled and a user authenticates with a USB Key certificate, the system checks that the subject CommonName of the certificate presented by the client (issued under the selected PKI trust domain) matches the login username; this ties a given certificate to a given account rather than to any account.
- Click Add. The configured trust domain and its Subject & username checking status are displayed in the list below.
- Repeat the above steps to add more trust domains. To delete a trust domain, select it in the list and click Delete.
|
SMS Authentication |
SMS Authentication |
To configure the SMS authentication function, take the following steps:
- Select the Enable SMS authentication check box to enable the function.
- Specify the lifetime of the SMS authentication code by typing a value into the Lifetime of SMS auth code box. The SCVPN connection is disconnected in either of two situations: no SMS authentication code is submitted before the lifetime ends, or no new code is requested before the lifetime ends.
- If necessary, under SMS test, type a mobile phone number into the box and click Send to check that SMS delivery works.
|
Host Checking/Binding |
Host Check |
Creates a host check rule by binding a host check profile to it, so that the host check function is applied to connecting clients. Take the following steps:
- Specify the host check profile by selecting it from the Host checking name drop-down list.
- Specify the check period. The system re-checks the status of the host against the host check profile once per period. Type the period into the Periodic checking box. The value range is 5 to 1440 minutes. The default value is 30.
Note: The host check profile must exist before the host check rule can be created here. For more information about host check profiles, see Introduction to Host Check/Binding.
|
Host binding |
Select the Enable host binding check box to enable the function. By default, one user can log in from only one host and one host can carry only one user. You can relax this by configuring the following options:
- Allow one user to log in from multiple hosts.
- Allow multiple users to log in from one host.
- Automatically add the user-host ID entry to the binding list at the user's first login.
Note: To use the host binding function, you must also configure it on the host binding configuration page. For more information about host binding, see Introduction to Host Check/Binding.
|
Optimal Path |
Optimal Path Detection |
Optimal path detection automatically detects which ISP link offers the better path to the server, giving remote users a better experience. To configure the function, take the following steps:
- Specify the detection method with the Tunnel detection mode option. The options are:
  - No detection - Do not detect.
  - Client - The client selects the optimal path itself by sending UDP probe packets to the candidate server addresses.
  - The device - When the client connects to the server directly, without any NAT device in between, the process is: the server recognizes the client's ISP from the client's source address --> the server sends the client the list of egress interface IP addresses, sorted by ISP --> the client selects the optimal path. When the client connects to the server through a NAT device, the process is: the server recognizes the client's ISP from the client's source address --> the server sends the client the sorted list of the NAT-mapped IP addresses of the external interfaces --> the client selects the optimal path.
- If necessary, in the NAT mapping address and port section, specify the mapped public IPs and ports of the server as referenced in the DNAT rules of the NAT device. When the client connects to the server through the DNAT device, that device translates the destination address of the client's packets to the server's egress interface address. Type the IP address of the NAT device's external interface and the HTTPS port number. Do not use port 443 for the HTTPS port here, because 443 is the default HTTPS port of WebUI management. You can configure up to 4 IPs.
|
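The two detection modes above share one mechanism: the server classifies the client by source address and hands it an ordered candidate list, and the client then probes each candidate over UDP and keeps the one that answers fastest, discarding candidates that never answer. The following is an added, simplified model of that exchange (not Hillstone's client or its probe protocol, whose packet format the page does not give). It assumes the candidate answers with a UDP echo, uses loopback echo listeners as constructed stand-ins for the server's egress addresses, and uses constructed ISP prefixes; the one candidate with no listener shows how an unreachable path is excluded rather than chosen.

```python
import ipaddress
import socket
import threading
import time


def order_candidates(client_ip, isp_prefixes, egress):
    """Server side of "The device" mode: classify the client by its source
    address and list the egress addresses of the client's own ISP first.
    isp_prefixes: {isp_name: [cidr, ...]}; egress: [(isp_name, (ip, port))].
    """
    src = ipaddress.ip_address(client_ip)
    client_isp = next((name for name, nets in isp_prefixes.items()
                       if any(src in ipaddress.ip_network(n) for n in nets)),
                      None)
    # Stable sort: matching ISP first, original order otherwise.
    return [addr for isp, addr in sorted(egress, key=lambda e: e[0] != client_isp)]


def probe(candidate, probes=3, timeout=0.5):
    """Client side: send `probes` UDP datagrams to one candidate and return
    the median round-trip time in seconds, or None if nothing came back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    rtts = []
    try:
        for seq in range(probes):
            token = f"probe {seq} {time.monotonic_ns()}".encode()
            t0 = time.perf_counter()
            try:
                sock.sendto(token, candidate)
                data, _ = sock.recvfrom(128)
            except OSError:            # timeout, or an ICMP unreachable
                continue
            if data == token:          # ignore stray or late datagrams
                rtts.append(time.perf_counter() - t0)
    finally:
        sock.close()
    if not rtts:
        return None
    rtts.sort()
    return rtts[len(rtts) // 2]


def select_optimal_path(candidates, **probe_kw):
    """Probe every candidate; return (best, results). best is None when no
    candidate answered, so the caller can fall back instead of guessing."""
    results = {c: probe(c, **probe_kw) for c in candidates}
    live = {c: r for c, r in results.items() if r is not None}
    best = min(live, key=live.get) if live else None
    return best, results


def start_udp_echo(host="127.0.0.1"):
    """Constructed stand-in for a reachable egress address: a UDP echo
    listener on a free loopback port. Returns ((host, port), stop_event)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    sock.settimeout(0.1)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(128)
            except socket.timeout:
                continue
            sock.sendto(data, peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname(), stop


def unreachable_candidate(host="127.0.0.1"):
    """Constructed dead candidate: a loopback port that nothing listens on."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    addr = sock.getsockname()
    sock.close()
    return addr


if __name__ == "__main__":
    # Constructed ISP prefixes (documentation ranges) and egress addresses.
    print(order_candidates("203.0.113.7",
                           {"ISP-A": ["203.0.113.0/24"], "ISP-B": ["198.51.100.0/24"]},
                           [("ISP-B", ("198.51.100.10", 4433)),
                            ("ISP-A", ("203.0.113.10", 4433))]))
    a, stop_a = start_udp_echo()
    b, stop_b = start_udp_echo()
    best, results = select_optimal_path([a, unreachable_candidate(), b], timeout=0.3)
    stop_a.set(); stop_b.set()
    print(best, results)
```

The probe matches replies to the exact token it sent, so a late reply from an earlier probe cannot be credited to a later one, and a candidate behind a NAT mapping that does not forward the probe port simply times out and drops out of the selection. The timeout is what bounds the worst case: with three probes and a half-second timeout, one dead candidate costs the client 1.5 seconds before it is excluded.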