
Creating a Virtual Gateway

Preparations

Before using the SSL VPN service, you must create a virtual gateway.

  • Preparations for Configuring an SSL VPN Virtual Gateway

    When a remote user accesses the virtual gateway remotely, the client automatically selects the corresponding CA certificate to verify whether the certificate (local certificate) of the virtual gateway is valid. If the CA certificate matching the local certificate of the FW is not installed on the client, a security alert is displayed on the client. You can view and install the CA certificate online to prevent the security alert from being displayed during the next login.

    To clear the security warning displayed during SSL VPN login, you can perform the following operations before configuring the virtual gateway:

    1. Apply for a CA certificate and a matching local certificate from the CA, download and install them on the FW, and configure certificate authentication on the FW. The value of the CN field in the certificate to be applied for must be the same as the gateway address or domain name.
    2. Import and install the CA certificate on each client.
  • Preparations for Configuring User Authentication

    SSL VPN user authentication is mandatory. The following authentication modes are supported: Local authentication, server authentication (RADIUS, HWTACACS, AD, and LDAP), certificate-anonymous authentication, and certificate-challenge authentication.

    The preparations and subsequent configurations vary according to the user authentication mode. Therefore, you need to select an authentication mode before configuring SSL VPN. Then, read and complete related preparations based on the selected authentication mode.

    Only browsers with an Internet Explorer kernel support certificate authentication, and the certificates must be valid in this case.

    • Local Authentication

      On the FW, configure users and user groups based on the enterprise organization structure. You can manually create users or user groups or import them in batches.

    • Server Authentication

      On the FW, configure users and user groups based on the enterprise organization structure. You can manually create users or user groups or import them in batches. Note: The method for importing users/user groups to the FW varies according to server type. For details about RADIUS and HWTACACS authentication, see Manually Creating a User/User Group or Manually Importing Users/User Groups in Batches. For details about AD and LDAP authentication, see Importing Users/User Groups/Security Groups from a Server. Then configure an authentication domain and specify an authentication server (including the server type and IP address) on the FW.

    • Certificate Authentication (Certificate-Anonymous Authentication and Certificate-Challenge Authentication)
      1. Configure users and user groups on the FW based on the enterprise organization structure. Note: If you select the certificate challenge authentication mode, which involves server authentication, you need to configure users and user groups on the server based on the enterprise organization structure, and then manually create users and user groups on the FW based on the user structure on the server, or import or synchronize users and user groups from the server to the FW, and configure an authentication domain and specify an authentication server (including the server type and IP address) on the FW.
      2. Apply for client certificates from the CA. The value of the user filtering field of a client certificate must be the user name.

        For example, if the user filtering field is CN and the user user0001 is configured on the FW, the common name (CN) in that user's client certificate must be user0001.

      3. Import the CA certificate to the FW.
      4. Import and install the client certificate on each client.
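The two certificate rules in these preparations (the local certificate's CN must equal the gateway address or domain name, and a client certificate's filtering field must equal a configured user name, without the quotation mark or question mark characters the Procedure warns about) can be checked before any certificate is installed. The following is an added example, not Huawei code and not an FW API: certificates are modelled as subject DN strings plus an optional SAN list (constructed sample data, not parsed from PEM), and it also accepts a SAN name as the gateway identity, which goes beyond the page's CN-only rule. Function names, the sample users and the 203.0.113.10 / vpn.example.com values are assumptions.

```python
"""Pre-deployment checks for SSL VPN gateway and client certificates.

Added example; not Huawei code. Certificates are represented by their subject
DN string and SAN list (constructed sample data, not parsed from PEM files).
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# The page states the administrator cannot log off users whose certificate
# user name contains these characters.
FORBIDDEN_USER_CHARS = '"?'


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=user0001,O=sales,C=CN' into {'CN': ..., 'O': ..., 'C': ...}.

    Backslash-escaped commas inside a value are honoured; if an attribute
    repeats, the first value wins (a constructed simplification).
    """
    attrs: Dict[str, str] = {}
    for part in re.split(r'(?<!\\),', dn):
        key, _, value = part.strip().partition('=')
        attrs.setdefault(key.strip().upper(), value.replace('\\,', ',').strip())
    return attrs


def cert_matches_gateway(subject_dn: str, sans: Iterable[str],
                         gateway_addresses: List[str],
                         domain_name: Optional[str]) -> Optional[str]:
    """Return the gateway identity (domain name or IP address) the local
    certificate is valid for, or None when it matches neither.

    The page requires the CN to equal the gateway address or domain name;
    SAN entries are accepted too as an assumed generalization.
    """
    names = {parse_dn(subject_dn).get('CN', '').lower()}
    names.update(s.lower() for s in sans)
    if domain_name and domain_name.lower() in names:
        return domain_name
    for addr in gateway_addresses:            # assumed to be literal IP addresses
        ip = ipaddress.ip_address(addr)
        for name in names:
            try:
                if ipaddress.ip_address(name) == ip:   # normalises e.g. IPv6 spelling
                    return addr
            except ValueError:
                continue                      # a DNS name, not an IP literal
    return None


def client_identity(subject_dn: str, user_field: str = 'Subject-CN',
                    group_field: str = 'Subject-O') -> Tuple[Optional[str], Optional[str]]:
    """Map the FW's User/Group Filtering Field settings (e.g. 'Subject-CN',
    'Subject-O') to the (user name, user group) a client certificate yields."""
    attrs = parse_dn(subject_dn)

    def pick(field: str) -> Optional[str]:
        return attrs.get(field.split('-', 1)[1].upper())

    return pick(user_field), pick(group_field)


def check_client_cert(subject_dn: str, configured_users: Iterable[str],
                      user_field: str = 'Subject-CN',
                      group_field: str = 'Subject-O') -> List[str]:
    """Return the problems found (an empty list means the certificate maps
    cleanly onto a user configured on the FW)."""
    user, _group = client_identity(subject_dn, user_field, group_field)
    problems: List[str] = []
    if not user:
        problems.append(f'{user_field} absent from certificate subject')
        return problems
    if user not in set(configured_users):
        problems.append(f'user name {user!r} is not configured on the FW')
    if any(c in user for c in FORBIDDEN_USER_CHARS):
        problems.append('user name contains " or ?; the administrator cannot log off this user')
    return problems


if __name__ == '__main__':
    # Constructed sample data.
    gateway = {'addresses': ['203.0.113.10'], 'domain': 'vpn.example.com'}
    print(cert_matches_gateway('CN=vpn.example.com,O=Example', [],
                               gateway['addresses'], gateway['domain']))
    print(cert_matches_gateway('CN=fw01,O=Example', [],
                               gateway['addresses'], gateway['domain']))
    users = {'user0001', 'user0002'}
    for dn in ('CN=user0001,O=sales', 'CN=user00001,O=sales', 'CN=user"0002,O=sales'):
        print(dn, '->', check_client_cert(dn, users) or 'ok')
```

Run it once with the real gateway address, domain name and the user names exported from the FW before submitting the certificate requests to the CA; the second client DN shows the user0001/user00001 mismatch from the example above being caught.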

Procedure

  1. Choose Network > SSL VPN > SSL VPN.
  2. Click Add under SSL VPN List.
  3. Configure a virtual gateway.

    1. Set basic parameters for the shared virtual gateway.

      Parameter

      Description

      Gateway Name

      Specifies the virtual gateway name.

      Type

      Shared

      • Specifies a shared virtual gateway in the system.

        The IP address and domain name are shared in the system. Users can access the SSL VPN login page by using the combination of IP address and port number, or the combination of child domain name and port number.

      • Shared virtual gateways in different virtual systems sharing a public IP address

        Before creating a virtual gateway in a virtual system, select and click the name of a virtual system in the Virtual System drop-down list.

        The public IP address, domain name, certificate, SSL version, and cipher suite are shared among different virtual systems. For details about how to set common parameters, see Configuring Public Parameters of Multiple Virtual Gateways.

        The public domain name/child domain name combination is used to access the virtual gateway service and virtual gateways are distinguished by child domain name. SSL connections are set up using the certificate, SSL version, and cipher suite in the common configuration.

      Gateway IP Address

      Specifies the virtual gateway IP address. Users use this IP address to access the virtual gateway.

      You can configure the IP address in either of the following ways:

      • In the drop-down list, select Manually set the IP address and enter an IP address in the text box as the IP address of the virtual gateway.
      • In the drop-down list, select Public IP. The system will use the Public IP configured in Public Configuration as the IP address of the virtual gateway.

      If the gateway address is not a common public IP address, click to add a virtual gateway address. A virtual gateway supports a maximum of three addresses.

      NOTE:

      In addition, the web page provides the [Add Security Policy] link. You can click this link to access the Add Security Policy configuration page and quickly create a security policy for the data flow to be encrypted to permit the encrypted traffic. In addition, the Add Security Policy configuration page also provides the Switch Source and Destination and OK and Copy functions, which are used to quickly configure security policies for the forward and reverse traffic.

      Port

      Specifies the port used by the virtual gateway. Users use this port to log in to the virtual gateway.

      The default port is 443.

      Domain Name

      Specifies the domain name of the virtual gateway. If the mapping between a domain name and a Gateway IP Address exists on the DNS server on the public network, users can use this domain name to access the virtual gateway.

      When the virtual gateway is a shared virtual gateway that shares the public IP address, the domain name is in the format of parent domain name/child domain name. By default, the public domain name in Public Configuration is used as the parent domain name. You need to manually configure the child domain name.

    2. Set basic parameters for an exclusive virtual gateway.

      Parameter

      Description

      Gateway Name

      Specifies the virtual gateway name.

      Type

      Exclusive

      • Specifies an exclusive virtual gateway in the system.

        The IP address and domain name are exclusive in the system. Users can access the SSL VPN login page by using the combination of IP address and port number, or the combination of domain name and port number.

      • Exclusive virtual gateways in different virtual systems sharing a public IP address

        Each virtual system has an exclusive domain name. If an exclusive virtual gateway has its own domain name, you can use the domain name to access the SSL VPN login page. If an exclusive virtual gateway does not have its own domain name, you can use the IP address and port number to access the SSL VPN login page. In this case, the port number is exclusively used by the virtual gateway.

      Gateway IP Address

      Specifies the virtual gateway IP address. Users use this IP address to access the virtual gateway.

      You can configure the IP address in one of the following ways:

      • In the drop-down list, select Manually set the IP address and enter an IP address in the text box as the IP address of the virtual gateway.
      • In the drop-down list, select Public IP. The system will use the Public IP configured in Public Configuration as the IP address of the virtual gateway.
      • After you select an interface name from the drop-down list, the system uses the IP address of the interface as the IP address of the virtual gateway.

      If the gateway address is not a public IP address, click to add a virtual gateway address. A virtual gateway supports a maximum of three addresses. When configuring multiple IP addresses for a virtual gateway, use the same configuration method for all IP addresses. For example, you can use the Manually set the IP address option or use the interface IP address method to assign all the IP addresses. If you use different methods, the system automatically changes the interface IP address method to the manual mode.

      Port

      Specifies the port number of the virtual gateway. Users use this port to access the virtual gateway.

      The default port is 443.

      Domain Name

      Optional

      Specifies the domain name of the virtual gateway. If the mapping between a domain name and a Gateway IP Address exists on the DNS server on the public network, users can use this domain name to access the virtual gateway.

      Allow the use of the SSL cipher suite and certificate in global configuration for negotiation, encryption, and decryption

      Select this option in the following scenarios:

      A user uses a domain name to access an exclusive virtual gateway. If the user uses the Internet Explorer of the Windows Server 2003 operating system to access the SSL VPN gateway, the Client Hello packet does not carry the Server Name Indication (SNI) when the SSL connection is established. As a result, the virtual gateway cannot be identified by domain name. In this case, the public certificate, SSL version, and cipher suite are used to establish an SSL connection, and the domain name carried in the HTTP packet is used to identify the virtual gateway.

      This function is also recommended when the device certificate of the exclusive virtual gateway is the same as the public certificate.

    3. Use one of the following ways to authenticate users.
      • Local authentication and server authentication (RADIUS, HWTACACS, AD, and LDAP)

        Parameter

        Description

        Client CA Certificate

        Use the default setting for local authentication and server authentication.

        Certificate Authentication

        Select NONE because certificate authentication is not required.

        Authentication Domain

        Bind the virtual gateway to an authentication domain. By default, a virtual gateway is not bound to any authentication domain.

        • If the virtual gateway is bound to an authentication domain, the FW authenticates users based on the authentication mode and user organizational structure of the bound authentication domain.
        • If the virtual gateway is not bound to any authentication domain, the FW determines the authentication domain of a user from the string following the at sign (@) in the user name and then authenticates the user based on the authentication mode and user organizational structure of that authentication domain. For example, user1@bj belongs to the authentication domain bj. If that authentication domain (bj in this example) does not exist, the user cannot log in. If the user name does not carry an at sign (@), the virtual gateway authenticates the user in the default authentication domain.
        NOTE:

        If the virtual gateway is bound to an authentication domain, the user name entered for login must not carry the authentication domain information. If the user name carries an authentication domain name, the gateway considers the at sign (@) and the string following it as a part of the user name, not an authentication domain name. For example, if the virtual gateway has been bound to the authentication domain bj, you must enter user1, not user1@bj, as the user name.

      • Certificate authentication
        • Certificate-anonymous authentication

          Parameter

          Description

          Client CA Certificate

          Select an imported client CA certificate. To implement certificate-anonymous authentication, the imported client CA certificate and the client certificate must be issued by the same CA.

          Certificate Authentication

          Select Anonymous Certificate.

          User Filtering Field

          Specifies the certificate field that is used as the user name. For example, if this parameter is set to Subject-CN, the Subject-CN field in the certificate is used as the user name.

          The user name information is used during role-based authorization. For example, if you want to assign the web proxy resource access permission to a user of a role, you need to specify the user name. This is specified by the user filtering field.

          NOTE:
          • If the user name field in the certificate contains a quotation mark (") or question mark (?), the administrator cannot log off these users. To facilitate user management, do not include such special characters in the user name when applying for a certificate.
          • If Subject-CN is selected, the complete email address in the certificate is used as the user name, which contains the @ symbol.

          Group Filtering Field

          Specifies the certificate field that is used as the user group. For example, if this parameter is set to Subject-O, the Subject-O field in the certificate is used as the user group.

          The user group information is used during role-based authorization. For example, if you want to assign the web proxy resource access permission to a user group of a role, you need to specify the user group. This is specified by the group filtering field.

          Authentication Domain

          A specific authentication domain needs to be specified to authorize users if certificate-anonymous authentication is used.

        • Certificate-challenge authentication

          Parameter

          Description

          Client CA Certificate

          Select an imported client CA certificate. To implement certificate-challenge authentication, the imported client CA certificate and the client certificate must be issued by the same CA.

          Certificate Authentication

          Select Certificate Challenge.

          User Filtering Field

          Specifies the certificate field that is used as the user name. For example, if this parameter is set to Subject-CN, the Subject-CN field in the certificate is used as the user name.

          The user name information is used during role-based authorization. For example, if you want to assign the web proxy resource access permission to a user of a role, you need to specify the user name. This is specified by the user filtering field.

          NOTE:
          • If the user name field in the certificate contains a quotation mark (") or question mark (?), the administrator cannot log off these users. To facilitate user management, do not include such special characters in the user name when applying for a certificate.
          • If Subject-CN is selected, the complete email address in the certificate is used as the user name, which contains the @ symbol.

          Group Filtering Field

          Specifies the certificate field that is used as the user group. For example, if this parameter is set to Subject-O, the Subject-O field in the certificate is used as the user group.

          The user group information is used during role-based authorization. For example, if you want to assign the web proxy resource access permission to a user group of a role, you need to specify the user group. This is specified by the group filtering field.

          Authentication Domain

          Bind the virtual gateway to an authentication domain. By default, a virtual gateway is not bound to any authentication domain.

          • If the virtual gateway is bound to an authentication domain, the FW authenticates users based on the authentication mode and user organizational structure of the bound authentication domain.
          • If the virtual gateway is not bound to any authentication domain, the FW determines the authentication domain of a user from the string following the at sign (@) in the user name and then authenticates the user based on the authentication mode and user organizational structure of that authentication domain. For example, user1@bj belongs to the authentication domain bj. If that authentication domain (bj in this example) does not exist, the user cannot log in. If the user name does not carry an at sign (@), the virtual gateway authenticates the user in the default authentication domain.
          NOTE:

          If the virtual gateway is bound to an authentication domain, the user name entered for login must not carry the authentication domain information. If the user name carries an authentication domain name, the gateway considers the at sign (@) and the string following it as a part of the user name, not an authentication domain name. For example, if the virtual gateway has been bound to the authentication domain bj, you must enter user1, not user1@bj, as the user name.

    4. Configure the DNS server.

      Parameter

      Description

      Primary DNS Server

      Specifies the IP address of the preferred DNS server on the intranet. If you have configured the mapping between the IP address and the domain name on the DNS server, users can use the domain name to access intranet resources.

      Secondary DNS Server1/Secondary DNS Server2

      Specifies the IP address of the alternate DNS server. If the preferred DNS server fails, the alternate DNS server takes over. To ensure the reliability of the DNS service, configure both Primary DNS Server and Secondary DNS Server.

    5. Configure other parameters.

      Parameter

      Description

      Rapid Channel Port

      By default, clients send service packets to UDP port 443 on virtual gateways when the network extension tunnel mode of the clients is set to quick transmission mode.

      Maximum Total Users

      Specifies the maximum number of users that can be authorized on the virtual gateway when authorization is configured by role or by user. When the number of such users exceeds this threshold, the FW reports an error.

      Maximum Concurrent Users

      Specifies the maximum number of concurrent users that the virtual gateway allows. By default, the maximum number of concurrent users is not configured on virtual gateways. Virtual gateways work in preemption mode for available resources. This number is controlled by license.

      If the virtual system feature is enabled, before configuring the maximum number of concurrent users, ensure that the virtual system that the virtual gateway belongs to is bound to a resource class and that a quota of concurrent SSL VPN users has been allocated to that resource class.

      Maximum Resources

      Specifies the total number of web proxy, file sharing, and port forwarding resources.

      Allow Users at Different Locations to Log in to the Virtual Gateway Using the Same Account

      This option is available only when you modify the virtual gateway configuration.

      One account can be used at different places at the same time to log in to the same virtual gateway only after this option is selected.

      If this option is selected, SSL VPN users cannot change the passwords. Only the network administrator can change the passwords. The mandatory password change function upon the first login does not apply. If this option is not selected, SSL VPN users can change the passwords after logging in to the virtual gateways.

    6. Click Next.
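The Authentication Domain rules in step 3 (bound gateway: the whole login name is the user name, even if it contains @; unbound gateway: the text after @ names the domain, which must exist, and a name without @ goes to the default domain) are easy to get wrong when writing login instructions for users. The following added example, not Huawei code, models exactly those rules so the outcome of a given login name can be checked in advance. The function names, the use of the last @ as the separator, and the domain name 'default' for the default authentication domain are assumptions.

```python
"""Model of how the FW picks an authentication domain for an SSL VPN login.

Added example; not Huawei code. Follows the Authentication Domain rules given
in the virtual gateway procedure (constructed sample logins below).
"""
from typing import Iterable, Optional, Tuple

DEFAULT_DOMAIN = 'default'   # assumed name for the default authentication domain


def resolve_auth_domain(login_name: str, bound_domain: Optional[str],
                        known_domains: Iterable[str]) -> Tuple[str, str]:
    """Return (user name, authentication domain) for a login attempt.

    Raises ValueError when the FW would refuse the login because the named
    authentication domain does not exist.
    """
    if bound_domain is not None:
        # Bound gateway: '@' and everything after it are part of the user name.
        return login_name, bound_domain
    # Unbound gateway: the string after the at sign names the domain.
    # Splitting on the last '@' is an assumption of this example.
    user, sep, domain = login_name.rpartition('@')
    if not sep:
        return login_name, DEFAULT_DOMAIN
    if domain not in set(known_domains):
        raise ValueError(f'authentication domain {domain!r} does not exist; login refused')
    return user, domain


def login_outcome(login_name: str, bound_domain: Optional[str],
                  known_domains: Iterable[str]) -> str:
    """Human-readable summary used when writing login instructions for users."""
    try:
        user, domain = resolve_auth_domain(login_name, bound_domain, known_domains)
    except ValueError as exc:
        return f'{login_name}: refused ({exc})'
    return f'{login_name}: authenticated as {user!r} in domain {domain!r}'


if __name__ == '__main__':
    domains = {'bj', 'sh'}                          # constructed sample domains
    for bound in (None, 'bj'):
        print(f'-- gateway bound to: {bound}')
        for name in ('user1', 'user1@bj', 'user1@gz'):
            print(login_outcome(name, bound, domains))
```

The bound case is the one that surprises users: on a gateway bound to bj, user1@bj is looked up as a user literally named "user1@bj", which will not exist unless it was created that way.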

Copyright © Huawei Technologies Co., Ltd.