
Web: Example for Enabling Remote Users to Access Enterprise File Server Through File Sharing

Networking Requirements

As shown in Figure 1, local authentication is used on the FW to authenticate remote users. The authentication domain is default. Authenticated users can access the enterprise intranet.

The enterprise needs to open a secure file sharing path using SSL VPN so that remote users can view and download internal documents.

Figure 1 Networking diagram of file sharing

Procedure

  1. Configure interfaces.
    1. Choose Network > Interface.
    2. Click the edit icon of GigabitEthernet 0/0/1 and set parameters as follows.

      Zone: untrust
      IPv4 address: 1.1.1.1/24

    3. Click OK.
    4. Repeat the preceding steps to set the parameters for GigabitEthernet 0/0/2.

      Zone: trust
      IPv4 address: 10.2.0.1/24

  2. Configure user objects and authentication.
    1. Choose Object > User > default and set parameters as follows:

      First create user group /default/group1, so that there is a group to reference when the user is created. Then create user user0001 in group /default/group1 with Authentication Type local authentication and Password Password@123. Password@123 is only the example value used on this page; on a real deployment set a strong, unique password, because this account grants remote access to the intranet file server.

    2. Click Apply.
  3. Configure the SSL VPN gateway.
    1. Choose Network > SSL VPN > SSL VPN.
    2. Click Add and set parameters as follows: name the virtual gateway gateway and bind it to authentication domain default, so that logins are checked against the local users created in step 2 (the configuration script at the end of this page shows the result as v-gateway gateway authentication-domain default). Remote users reach the gateway at https://1.1.1.1:443, the untrust interface address, as used in Verifying the Configuration.
    3. Click Next.
  4. Configure the SSL version, cipher suite, session timeout duration, and session lifecycle. The default values work for this example and produce the ssl version tlsv11 tlsv12 and ssl ciphersuit custom aes256-sha aes128-sha lines in the configuration script. TLS 1.1 is deprecated (RFC 8996) and the listed suites use RSA key exchange with CBC/HMAC-SHA1, so on a production gateway keep only TLS 1.2 or later and select ECDHE suites if the device offers them. Click Next.
  5. Select File Sharing and click Next.
  6. Configure file sharing.
    1. In File Sharing Resource List, click Add and configure the file sharing resource: an SMB share at //10.2.0.2/study on the intranet file server (files-share resource smb file-system //10.2.0.2/study in the configuration script).
    2. Click OK.
    3. Click Next.
  7. Configure SSL VPN role authorization/users.
    1. Click Add in List of Authorized Roles and set the role authorization parameters: create a role (named role in the configuration script), add user group /default/group1 to it, and enable File Sharing for the role so that users in the group see the resource after login. After the configuration is completed, click OK.
    2. Return to the Role Authorization/User configuration page, and click Finish.
  8. Configure security policies so that employees on the move can reach the file server at the Headquarters.
    1. Configure an untrust-to-local security policy that lets employees on the move reach the SSL VPN gateway on the FW.
      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add to configure security policy policy01 and set parameters as follows:

        Name: policy01
        Source Zone: untrust
        Destination Zone: local
        Destination Address/Region: 1.1.1.1/24
        Service: https
        Action: Permit

        NOTE:

        If the HTTPS port number of the SSL VPN gateway is changed, use the new port number as the service when creating the security policy.

        Only the gateway address 1.1.1.1 needs to be reachable from the Internet. Specifying 1.1.1.1/32 instead of the whole /24 as the destination is tighter and is sufficient for the login page and the file sharing session.

      3. Click OK.
    2. Configure a local-to-trust security policy that lets the FW reach intranet resources on behalf of employees on the move. With file sharing, the remote browser only speaks HTTPS to the virtual gateway; the FW itself (zone local) opens the SMB connection to the file server, and this policy is what permits that connection.
      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add and configure security policy policy02 as follows.

        Name: policy02
        Source Zone: local
        Destination Zone: trust
        Destination Address/Region: 10.2.0.0/24
        Action: Permit

        NOTE:

        As configured, policy02 permits every service from the FW to the entire 10.2.0.0/24 subnet. If //10.2.0.2/study is the only shared resource, restricting the destination to 10.2.0.2 and the service to SMB (TCP 445) keeps the rule to what the file sharing feature actually needs.

      3. Click OK.

Verifying the Configuration

  1. Enter https://1.1.1.1:443 in the address bar of Internet Explorer to access the SSL VPN login page.

    Install the control as prompted upon the first login.

  2. In the login window, enter the user name and password, and then click Login.

    After the login succeeds, the file sharing resource links are displayed on the virtual gateway page. You can click a link to access the resource.

Configuration Script

#
aaa
 authentication-scheme default
 authorization-scheme default
 domain default
  service-type ssl-vpn
  internet-access mode password
  reference user current-domain
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 10.2.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
v-gateway gateway authentication-domain default
#****BEGIN***gateway**1****#
v-gateway gateway
 basic
  ssl version tlsv11 tlsv12
  ssl timeout 5
  ssl lifecycle 1440
  ssl ciphersuit custom aes256-sha aes128-sha
 service
  files-share enable
  files-share resource smb file-system //10.2.0.2/study
 security
  policy-default-action permit vt-src-ip
  certification cert-anonymous cert-field user-filter subject cn group-filter subject cn
  certification cert-anonymous filter-policy permit-all
  certification cert-challenge cert-field user-filter subject cn
  certification user-cert-filter key-usage any
  undo public-user enable
 hostchecker
 cachecleaner
 vpndb
  group /default
  group /default/group1
 role
 role default
  role default condition all
 role role
  role role condition all
  role role files-share enable
#****END****#
#
security-policy
 rule name policy01
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  service https
  action permit
 rule name policy02
  source-zone local
  destination-zone trust
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
#
# The following configurations are saved in the database and are not displayed in the configuration file.
user-manage user user0001 domain default
 password %$%$j@p.U.0bwNQv9nE#tf]G-+"v%$%$
 parent-group /default/group1
v-gateway gateway
 role
  role role group /default/group1
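The following Python script is an added example, not part of this page or of Huawei's tooling. It reads the configuration script above (trimmed to the v-gateway and security-policy blocks) and reports the settings that the security-policy step and the SSL settings step leave wider than file sharing needs: TLS 1.1 still enabled, cipher suites without forward secrecy or with HMAC-SHA1, policy02 without a service restriction, and destination networks covering far more than the gateway address and the file server. It assumes the gateway address 1.1.1.1 from Verifying the Configuration; the hardened variant it builds for comparison uses ECDHE cipher-suite keywords and an smb service name that are assumptions, not values from this page, and must be matched to the device's own keyword list before use.

```python
"""Lint an exported SSL VPN configuration for TLS versions, cipher suites and
security-policy rules wider than the file sharing path needs.  Added example."""
import ipaddress
import re

# The configuration script from this page, trimmed to the blocks the checks read.
WEAK = """\
v-gateway gateway
 basic
  ssl version tlsv11 tlsv12
  ssl ciphersuit custom aes256-sha aes128-sha
 service
  files-share resource smb file-system //10.2.0.2/study
security-policy
 rule name policy01
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  service https
  action permit
 rule name policy02
  source-zone local
  destination-zone trust
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
"""

# Constructed tightened variant.  ECDHE suite keywords and the 'smb' service
# name are assumptions; /32 destinations and tlsv12-only are the point.
HARDENED = (WEAK
    .replace("ssl version tlsv11 tlsv12", "ssl version tlsv12")
    .replace("aes256-sha aes128-sha",
             "ecdhe-rsa-aes256-gcm-sha384 ecdhe-rsa-aes128-gcm-sha256")
    .replace("1.1.1.0 mask 255.255.255.0", "1.1.1.1 mask 255.255.255.255")
    .replace("10.2.0.0 mask 255.255.255.0\n  action permit",
             "10.2.0.2 mask 255.255.255.255\n  service smb\n  action permit"))

def parse_rules(text):
    """{rule_name: {keyword: [values]}} per 'rule name' block.  The FW prints the
    header indented one space and the body two; a shallower line ends the rule."""
    rules, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^\s*rule name (\S+)", line)
        if header:
            current = rules.setdefault(header.group(1), {})
            continue
        if current is None or len(line) - len(line.lstrip()) < 2:
            current = None
            continue
        key, _, value = line.strip().partition(" ")
        current.setdefault(key, []).append(value)
    return rules

def rule_networks(rule):
    """Destination networks from 'destination-address A mask M' lines."""
    nets = []
    for spec in rule.get("destination-address", []):
        addr, _, mask = spec.partition(" mask ")
        if mask:
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def ssl_settings(text):
    """(versions, cipher suites) from the v-gateway 'basic' block."""
    ver = re.search(r"^\s*ssl version (.+)$", text, re.M)
    cs = re.search(r"^\s*ssl ciphersuit custom (.+)$", text, re.M)
    return (ver.group(1).split() if ver else [], cs.group(1).split() if cs else [])

def share_hosts(text):
    """File servers named by files-share resources: //10.2.0.2/study -> 10.2.0.2."""
    return sorted(set(re.findall(r"files-share resource \S+ file-system //([^/\s]+)", text)))

def lint(text, gateway_ip):
    """Return findings (empty list = passed).  gateway_ip is the address remote
    users connect to (1.1.1.1 here); the config file does not carry it in v-gateway."""
    findings = []
    versions, suites = ssl_settings(text)
    for v in versions:
        if v not in ("tlsv12", "tlsv13"):
            findings.append(f"ssl version {v}: deprecated (RFC 8996), keep tlsv12 or newer")
    for s in suites:
        if not s.startswith("ecdhe"):
            findings.append(f"cipher suite {s}: RSA key exchange, no forward secrecy")
        if s.endswith("-sha"):
            findings.append(f"cipher suite {s}: CBC with HMAC-SHA1, prefer an AEAD (GCM) suite")
    # Hosts each zone pair needs: the gateway for the Internet-facing rule, the
    # file server(s) for the rule the FW uses to open SMB on the users' behalf.
    needed_by_zones = {("untrust", "local"): [gateway_ip], ("local", "trust"): share_hosts(text)}
    for name, rule in parse_rules(text).items():
        zones = (rule.get("source-zone", [""])[0], rule.get("destination-zone", [""])[0])
        needed = needed_by_zones.get(zones)
        if not needed:
            continue
        if "service" not in rule:
            findings.append(f"{name}: no service restriction from {zones[0]} to {zones[1]}")
        for net in rule_networks(rule):
            extra = net.num_addresses - sum(ipaddress.ip_address(h) in net for h in needed)
            if extra:
                findings.append(f"{name}: destination {net} reaches {extra} address(es) "
                                f"beyond the required host(s) {', '.join(needed)}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, *lint(cfg, "1.1.1.1"), sep="\n  ")
```

Run against the page's script, lint reports eight findings (TLS 1.1, two remarks per cipher suite, the /24 destinations of both rules and the missing service on policy02); the tightened variant reports none. The parser only understands the indentation layout the firewall prints in its configuration file, so feed it the exported script, not GUI text.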
Copyright © Huawei Technologies Co., Ltd.