
Configuring Role Authorization/Users

Context

Add SSL VPN users to the virtual gateway and configure roles that authorize the resources these users may access, so that access control is enforced per role rather than per user.

Procedure

  1. Configure role authorization.

    The default role of a virtual gateway can be edited but not deleted. By default, users associated with the default role cannot access any resource.

    The users and user groups associated with the default role cannot be edited directly: a user or group that is not added to any user-defined role is automatically associated with the default role, and a user or group that is added to a user-defined role no longer belongs to the default role. For USG6510E/6510E-POE/6530E, the network extension function is enabled for the default role and cannot be disabled.

    A user's permissions are the union of the permissions of the user's own role and of its parent group's role. As soon as the user or its user group belongs to a user-defined role, the user's permissions are no longer controlled by the default role.

    1. In List of Authorized Roles, click Add and set role parameters.

      Role Name: Role name. The value cannot be "default".

      Associated User (Groups): User or group associated with the role. You can select a single user or group from the drop-down list, or click Multiple to select several users or groups from the user organizational structure.

      Enabled Service: Service that users of the role can access. All models except USG6510E/6510E-POE/6530E support this parameter.
        NOTE: For USG6510E/6510E-POE/6530E, the network extension function is enabled for a new role by default and cannot be disabled.

      Resource Authorization List: Click Select to select service resources. Users of the role can access only the authorized resources.

      Policy Check / Host Check Policy Pass Condition:
        • Meet all following policies: Users of the role can access the virtual gateway only after passing all associated host check policies.
        • Meet one of the following policies: Users of the role can access the virtual gateway as long as they pass one associated host check policy.

      Host Check Policy Association: Host check policy or policies associated with the role.

    2. Click OK.
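    The rules above (default role versus user-defined roles, union of user and parent-group permissions, and the two host check pass conditions) combine in ways that are easy to get wrong when reviewing an authorization design. The following is an added example that models those rules in Python; it is not Huawei's implementation, and the role names, users, groups, resources and host check policy names are constructed for illustration. It assumes the host check condition is evaluated per role, so a resource is reachable only through a role whose condition the client satisfies.

```python
"""Model of the SSL VPN role-authorization rules described above.

Added example, not Huawei's implementation. Role names, users, groups,
resources and host check policy names are constructed for illustration.
Assumption: host check conditions are evaluated per role, so a resource is
reachable only through a role whose condition the client satisfies.
"""
from dataclasses import dataclass


@dataclass
class Role:
    name: str
    members: frozenset                      # users and groups associated with the role
    resources: frozenset = frozenset()      # Resource Authorization List
    host_checks: tuple = ()                 # Host Check Policy Association
    pass_condition: str = "all"             # "all" = meet all policies, "any" = meet one


# The default role cannot be deleted and authorizes no resources by default.
DEFAULT_ROLE = Role("default", members=frozenset())

# Constructed role table: the finance group gets ERP and the file share only on
# a fully checked host; alice additionally has an ops role with a looser condition.
ROLES = [
    Role("finance", frozenset({"grp-finance"}), frozenset({"erp", "fileshare"}),
         host_checks=("av-running", "os-patched"), pass_condition="all"),
    Role("ops", frozenset({"alice"}), frozenset({"jump-host"}),
         host_checks=("av-running", "disk-encrypted"), pass_condition="any"),
]


def roles_of(principal, roles):
    """User-defined roles that directly list this user or group as a member."""
    return [r for r in roles if r.name != "default" and principal in r.members]


def effective_roles(user, parent_group, roles):
    """Union of the user's own roles and its parent group's roles.

    Only when neither the user nor its group is in any user-defined role does
    the default role apply."""
    found = roles_of(user, roles) + roles_of(parent_group, roles)
    return found or [DEFAULT_ROLE]


def authorized_resources(user, parent_group, roles=ROLES):
    """Every resource the user may reach, before host checks are considered."""
    out = set()
    for role in effective_roles(user, parent_group, roles):
        out |= role.resources
    return out


def host_check_passed(role, passed_policies):
    """Apply the role's Host Check Policy Pass Condition to the client's results."""
    if not role.host_checks:
        return True
    results = [p in passed_policies for p in role.host_checks]
    return all(results) if role.pass_condition == "all" else any(results)


def can_access(user, parent_group, resource, passed_policies, roles=ROLES):
    """True if some effective role both authorizes the resource and has its
    host check condition satisfied by the client."""
    return any(resource in role.resources and host_check_passed(role, passed_policies)
               for role in effective_roles(user, parent_group, roles))


if __name__ == "__main__":
    print(sorted(authorized_resources("alice", "grp-finance")))   # alice: ops role + finance via group
    print(can_access("bob", "grp-finance", "erp", {"av-running"}))  # finance requires all checks
```

    Note the two cases worth checking in a real deployment: a user with no role of its own still inherits its parent group's role (bob), and a user whose group has no role either falls back to the default role and gets nothing (carol); the Meet all / Meet one condition is what decides whether a partially compliant host still reaches a resource.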

  2. Add an SSL VPN user to the virtual gateway.

    If an SSL VPN user needs to be bound to the virtual IP address of network extension or a role, add the SSL VPN user to the virtual gateway.

    1. In User/User Group List, click Add and set user parameters.

      Name: Select an existing user or user group, or create a user.

      SSL Virtual IP Address: Virtual IP address assigned to the user when the network extension function is used. The address must fall within the Available IP Address Range configured for network extension.

      Maximum Online Users: Maximum number of terminals from which this user can be logged in to the virtual gateway at the same time. The default value and the upper limit are both the maximum number of concurrent online users configured for the virtual gateway; if that limit was not specified when the virtual gateway was created, this parameter cannot be set.

    2. Select the routing mode of a user group.

      This step is required only when Name is set to a user group.

      If both the virtual gateway and user group routing modes are configured, the routing mode configured for the user group takes precedence.

      Virtual gateway routing mode: The user group uses the routing mode configured on the virtual gateway.

      Split routing mode: Data that the client sends to the intranet is matched against the system routing table and passed to the virtual network adapter, so its source address is the virtual IP address. Data sent to the client's local LAN is forwarded by the actual network adapter, with the real IP address as source. Any other data that is not destined for the local LAN is also forwarded by the virtual network adapter, so in this mode only local LAN traffic bypasses the network extension tunnel.

      Full routing mode: Data sent to any destination is delivered to the virtual network adapter and forwarded to the virtual gateway for processing.

      Manual routing mode: The FW administrator manually configures the intranet network segments (static routes) that the client can reach. Only data sent to these segments is identified on the client and passed to the virtual network adapter; other traffic is unaffected.

    3. Under Accessible Private Network Segment List, click Add.

      This step is required only when the manual routing mode is selected.

    4. Configure an accessible intranet subnet.

      This step is required only when the manual routing mode is selected.

      In this mode, users can remotely access the resources on specific intranet segments. The access to the Internet and LAN is not affected. The remote intranet is preferentially accessed when a network segment conflict occurs.

      IP Network Segment: IP address or subnet that users can reach through the network extension service.

      Subnet Mask: Determines the size of the accessible subnet. A shorter (smaller) mask covers a larger subnet: 255.255.0.0 covers 65,536 addresses, whereas 255.255.255.0 covers 256.

      • If the intranet server IP address and the virtual IP address are on different subnets, configure a route to the virtual IP address on the intranet server.
      • Adding, modifying, or deleting an accessible private network segment may log online users out.
    5. Click OK.
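    The three routing modes and the two checks that a user binding needs (virtual IP inside the network extension range, and which traffic the client sends through the tunnel) are the parts of this procedure a reviewer usually wants to verify rather than read. The block below is an added example in Python that models the client-side adapter selection as described above; it is not Huawei's client or gateway code, and the addresses and segment lists are constructed. It assumes the client's local LAN is its own directly connected subnet, and represents the precedence rule on a segment conflict by matching the accessible segments before the local LAN in manual routing mode.

```python
"""Model of the client-side route selection for the three network extension
routing modes above, plus the two checks a user binding needs.

Added example, not Huawei's client or gateway code. Addresses and segment
lists are constructed. Assumptions: the client's local LAN is its own directly
connected subnet, and in manual routing mode the accessible segments are
matched before the local LAN, which is how the page's precedence rule on a
segment conflict is represented here.
"""
import ipaddress

VIRTUAL = "virtual adapter"    # through the tunnel, source = virtual IP address
PHYSICAL = "actual adapter"    # off the tunnel, source = real IP address


def in_available_range(virtual_ip, available_range):
    """The SSL Virtual IP Address must lie in the network extension pool,
    given either as 'first-last' or as CIDR."""
    ip = ipaddress.ip_address(virtual_ip)
    if "-" in available_range:
        first, last = (ipaddress.ip_address(x.strip()) for x in available_range.split("-"))
        return first <= ip <= last
    return ip in ipaddress.ip_network(available_range, strict=False)


def segment(ip, mask):
    """An Accessible Private Network Segment entry (IP Network Segment + Subnet Mask).
    A shorter mask such as 255.255.0.0 yields a larger segment than 255.255.255.0."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def select_adapter(mode, dst, local_lan, segments=()):
    """Return which adapter the client uses for traffic to dst under a routing mode."""
    dst = ipaddress.ip_address(dst)
    lan = ipaddress.ip_network(local_lan, strict=False)
    if mode == "full":
        # Everything, Internet included, goes to the virtual gateway.
        return VIRTUAL
    if mode == "split":
        # Only the local LAN stays off the tunnel; intranet and Internet traffic go through it.
        return PHYSICAL if dst in lan else VIRTUAL
    if mode == "manual":
        # Only the configured intranet segments go through the tunnel. They are
        # checked first, so on an overlap with the local LAN the remote intranet wins.
        if any(dst in seg for seg in segments):
            return VIRTUAL
        return PHYSICAL
    raise ValueError(f"unknown routing mode: {mode}")


if __name__ == "__main__":
    intranet = [segment("10.1.0.0", "255.255.0.0")]
    for target in ("10.1.2.3", "192.168.1.10", "8.8.8.8"):
        print(target, select_adapter("manual", target, "192.168.1.0/24", intranet))
```

    The difference that matters for policy is visible in the split and manual cases: split routing still sends Internet-bound traffic through the gateway (so it is subject to the gateway's policy), while manual routing leaves it on the client's own uplink, and a segment that overlaps the client's LAN is reached through the tunnel, not locally.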

  3. Click Finish.
Copyright © Huawei Technologies Co., Ltd.