
Web: Example for Enabling Remote Users to Use Internet Explorer to Access Enterprise Intranet Through Network Extension (User Name + Password Authentication)

Networking Requirements

As shown in Figure 1, local authentication of the FW is used to authenticate employees in each department. Authenticated users can access the enterprise intranet.

The enterprise has the following requirement: Remote users in a group (group1) can obtain an intranet IP address when they are on the move and can access resources in the enterprise as if they were on a LAN. To enhance security, local authentication through user name and password is required.

Figure 1 Networking diagram of network extension

Procedure

  1. Configure interfaces.
    1. Choose Network > Interface.
    2. Click the edit icon of GigabitEthernet 0/0/1 and set the parameters as follows.

      Zone

      untrust

      IPv4

      IP address

      1.1.1.1/24

    3. Click OK.
    4. Repeat the preceding steps to set the parameters for GigabitEthernet 0/0/2.

      Zone

      trust

      IPv4

      IP address

      10.2.0.1/24

  2. Configure user objects and authentication.
    1. Choose Object > User > default and set parameters as follows:

      Create group /default/group1 first, so that it exists to be referenced when the user is created. Then create user user0001 in group /default/group1 with Authentication Type set to local authentication and Password set to Password@123 (an example value; use a strong password in production).

    2. Click Apply.
  3. Configure the SSL VPN gateway.
    1. Choose Network > SSL VPN > SSL VPN.
    2. Click Add and set parameters as follows.

    3. Click Next.
  4. Configure the SSL version, cipher suite, session timeout duration, and session lifecycle. You can use the default values and click Next. Note that the resulting script enables TLS 1.1 as well as TLS 1.2; TLS 1.1 is deprecated (RFC 8996), so disable it unless legacy clients require it.
  5. Select Network Extension and click Next.
  6. Configure the network extension function.
    1. Set the parameters as follows.

    2. Click Next.
  7. Configure SSL VPN role authorization/users.
    1. Click Add in List of Authorized Roles and set the role authorization parameters as follows. After the configuration is completed, click OK.

    2. Return to the Role Authorization/User configuration page, and click Finish.
  8. Configure security policies.
    1. Configure an Internet-to-FW security policy to allow employees on the move to access the SSL VPN gateway.
      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add to configure security policy policy01 and set parameters as follows:

        Name

        policy01

        Source Zone

        untrust

        Destination Zone

        local

        Destination Address/Region

        1.1.1.1/24

        Service

        https

        NOTE:

        If the HTTPS port number is changed, use the new port number when creating the security policy.

        Action

        Permit

      3. Click OK.
    2. Configure a FW-to-intranet security policy to allow employees on the move to access resources at the Headquarters.
      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add to configure security policy policy02 and set parameters as follows:

        Name

        policy02

        Source Zone

        untrust

        Destination Zone

        trust

        Source Address/Region

        172.16.1.0/24

        Destination Address/Region

        10.2.0.0/24

        Action

        Permit

      3. Click OK.

Verifying the Configuration

  1. Enter https://1.1.1.1:443 in the address bar of Internet Explorer to access the SSL VPN login page.

    Install the control as prompted upon the first login.

  2. In the login window, enter the user name and password, and then click Login.

    After the login is successful, click Start under Network Extension. Then you can access the corresponding servers on the enterprise intranet.

Configuration Script

# 
aaa 
 authentication-scheme default      
 authorization-scheme default 
 domain default  
  service-type ssl-vpn        
  internet-access mode password     
  reference user current-domain     
# 
interface GigabitEthernet 0/0/1 
 ip address 1.1.1.1 255.255.255.0 
# 
interface GigabitEthernet 0/0/2 
 ip address 10.2.0.1 255.255.255.0  
# 
firewall zone trust           
 set priority 85 
 add interface GigabitEthernet 0/0/2 
# 
firewall zone untrust         
 set priority 5  
 add interface GigabitEthernet 0/0/1
# 
v-gateway gateway interface GigabitEthernet 0/0/1 private
v-gateway gateway authentication-domain default 
# 
#****BEGIN***gateway**1****#  
v-gateway gateway 
 basic 
  ssl version tlsv11 tlsv12 
  ssl timeout 5 
  ssl lifecycle 1440 
  ssl ciphersuit custom aes256-sha aes128-sha 
 service 
  network-extension enable 
  network-extension keep-alive enable 
  network-extension keep-alive interval 120 
  network-extension netpool 172.16.1.1 172.16.1.100 255.255.255.0 
  netpool 172.16.1.1 default 
  network-extension mode manual 
  network-extension manual-route 10.2.0.0 255.255.255.0 
 security 
  policy-default-action permit vt-src-ip 
  certification cert-anonymous cert-field user-filter subject cn group-filter subject cn 
  certification cert-anonymous filter-policy permit-all 
  certification cert-challenge cert-field user-filter subject cn 
  certification user-cert-filter key-usage any 
  public-user enable 
  public-user default-login-number 500  
 hostchecker 
 cachecleaner 
 vpndb 
  group /default 
  group /default/group1 
 role 
 role default 
  role default condition all 
 role role 
  role role condition all 
  role role network-extension enable 
#****END****# 
# 
security-policy 
 rule name policy01 
  source-zone untrust 
  destination-zone local 
  destination-address 1.1.1.0 mask 255.255.255.0 
  service https 
  action permit 
 rule name policy02 
  source-zone untrust 
  destination-zone trust 
  source-address 172.16.1.0 mask 255.255.255.0 
  destination-address 10.2.0.0 mask 255.255.255.0 
  action permit 
# 
# The following configurations are saved in the database and are not displayed in the configuration file.
user-manage user user0001 domain default
 password %$%$j@p.U.0bwNQv9nE#tf]G-+"v%$%$
 parent-group /default/group1
v-gateway gateway
 role
  role role group /default/group1
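The security-policy step above states the two conditions the script must satisfy: policy01 must admit HTTPS from the Internet to the gateway address, and policy02 must admit the whole netpool into the routed intranet prefix. The following checker is an added example written for this page, not Huawei tooling; it parses only the command forms shown in the script above (interface ip address, v-gateway interface binding, ssl version, network-extension netpool and manual-route, security-policy rules), embeds a constructed copy of those fragments as sample input, and reports when the policies, netpool and route disagree or a deprecated TLS version is enabled. The rule-matching semantics (an unset field matches anything; a rule with a service restriction does not cover "all services") are the checker's own assumptions.

```python
"""Offline consistency checker for the SSL VPN network-extension script.

Added example, not Huawei tooling. Parses the command forms used in the
page's script and checks that the security policies match the netpool,
the manual route and the gateway address, and flags deprecated TLS.
"""
import ipaddress
import re

# SSLv3 / TLS 1.0 / TLS 1.1 are deprecated (RFC 7568, RFC 8996).
DEPRECATED_TLS = {"sslv3", "tlsv10", "tlsv11"}

# Constructed sample: the relevant fragments of the page's configuration script.
SAMPLE_CONFIG = """\
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
v-gateway gateway interface GigabitEthernet 0/0/1 private
v-gateway gateway
 basic
  ssl version tlsv11 tlsv12
 service
  network-extension netpool 172.16.1.1 172.16.1.100 255.255.255.0
  network-extension manual-route 10.2.0.0 255.255.255.0
security-policy
 rule name policy01
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  service https
  action permit
 rule name policy02
  source-zone untrust
  destination-zone trust
  source-address 172.16.1.0 mask 255.255.255.0
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
"""
# Same script with the netpool moved to a range that policy02 does not cover.
MISMATCHED_CONFIG = SAMPLE_CONFIG.replace("172.16.1.1 172.16.1.100", "172.16.2.1 172.16.2.100")


def parse_config(text):
    """Extract interface IPs, gateway binding, TLS versions, netpool, routes and rules."""
    cfg = {"iface_ip": {}, "gateway_iface": None, "ssl_versions": [],
           "netpool": None, "routes": [], "rules": {}}
    cur_iface = cur_rule = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+ \S+)", line):
            cur_iface = m[1]
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and cur_iface:
            cfg["iface_ip"][cur_iface] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r"v-gateway \S+ interface (\S+ \S+) \S+", line):
            cfg["gateway_iface"] = m[1]
        elif m := re.fullmatch(r"ssl version (.+)", line):
            cfg["ssl_versions"] = m[1].split()
        elif m := re.fullmatch(r"network-extension netpool (\S+) (\S+) \S+", line):
            cfg["netpool"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.fullmatch(r"network-extension manual-route (\S+) (\S+)", line):
            cfg["routes"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.fullmatch(r"rule name (\S+)", line):
            cur_rule = cfg["rules"][m[1]] = {}
        elif cur_rule is not None:  # lines inside a security-policy rule
            if m := re.fullmatch(r"(source|destination)-zone (\S+)", line):
                cur_rule[m[1] + "_zone"] = m[2]
            elif m := re.fullmatch(r"(source|destination)-address (\S+) mask (\S+)", line):
                cur_rule[m[1] + "_addr"] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            elif m := re.fullmatch(r"(service|action) (\S+)", line):
                cur_rule[m[1]] = m[2]
    return cfg


def permits(rule, src_zone, dst_zone, src_ip=None, dst_ip=None, service=None):
    """Assumed semantics: a field the rule leaves unset matches anything;
    service=None means the flow needs all services, so a service-restricted rule fails."""
    if rule.get("action") != "permit":
        return False
    if rule.get("source_zone", src_zone) != src_zone or rule.get("destination_zone", dst_zone) != dst_zone:
        return False
    if service is None:
        if "service" in rule:
            return False
    elif rule.get("service", service) != service:
        return False
    if src_ip is not None and "source_addr" in rule and src_ip not in rule["source_addr"]:
        return False
    if dst_ip is not None and "destination_addr" in rule and dst_ip not in rule["destination_addr"]:
        return False
    return True


def audit(text):
    """Return a list of findings; an empty list means the script is consistent."""
    cfg = parse_config(text)
    findings = [f"tls: deprecated version enabled: {v}" for v in cfg["ssl_versions"] if v in DEPRECATED_TLS]
    rules = list(cfg["rules"].values())
    # 1. Remote clients must reach the gateway itself: untrust -> local, https, gateway address.
    gw = cfg["iface_ip"].get(cfg["gateway_iface"])
    if gw is None or not any(permits(r, "untrust", "local", dst_ip=gw.ip, service="https") for r in rules):
        findings.append("policy: no untrust->local https permit for the SSL VPN gateway address")
    # 2. One rule must admit the whole netpool into each pushed route (address objects are
    #    contiguous, so checking both ends of pool and prefix is sufficient).
    if cfg["netpool"]:
        start, end = cfg["netpool"]
        for route in cfg["routes"]:
            edges = (route.network_address, route.broadcast_address)
            if not any(all(permits(r, "untrust", "trust", src_ip=s, dst_ip=d) for s in (start, end) for d in edges)
                       for r in rules):
                findings.append(f"policy: netpool {start}-{end} has no permit into {route}")
            # 3. A pool inside a pushed route would conflict with the client's own address.
            if start in route or end in route:
                findings.append(f"netpool: {start}-{end} overlaps manual-route {route}")
    return findings


if __name__ == "__main__":
    for name, text in (("page script", SAMPLE_CONFIG), ("mismatched netpool", MISMATCHED_CONFIG)):
        print(name, "->", audit(text) or "OK")
```

Run against the page's own script it reports only the TLS 1.1 finding; with the netpool moved to 172.16.2.0/24 it additionally reports that policy02 no longer covers the pool, which is exactly the failure a practitioner sees as "login works but intranet hosts are unreachable". Extend the regexes if your script uses address objects or named service sets instead of the literal forms shown on this page.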
Copyright © Huawei Technologies Co., Ltd.