
Web: Example for Enabling Remote Users to Access the Intranet Through the SSL VPN Tunnel (Certificate-Challenge Authentication)

Networking Requirements

Figure 1 shows the network topology. The headquarters of an enterprise has multiple departments including the research department. Local authentication of the FW is used to authenticate employees in each department.

Authenticated users can access the enterprise intranet.

The enterprise has the following requirement: Mobile office users in the research department can obtain an intranet IP address when they are on the move and can access various resources in the enterprise as if they were on a LAN. In addition, to enhance security, certificate and local authentication (certificate-challenge authentication) needs to be used together to authenticate mobile office users. In this case, users need to install client certificates and enter passwords.

Figure 1 Networking diagram of network extension

Configuration Roadmap

To allow mobile office users to access intranet resources in certificate-challenge authentication mode, the administrator must provide each user with a client certificate as well as a user name and password. When a mobile office user connects to the virtual gateway, the FW verifies the user's client certificate against the imported certificate of the CA that issued it, and the user must also enter the password.

  1. Apply for a CA certificate and client certificate from the CA, and import the CA certificate to the FW for authenticating mobile office users.

  2. On the FW, configure users and add a research user group, and set user passwords. The configured data is used for identity authentication and authorization of users in the user group, ensuring that mobile office users can use the SSL VPN service.
  3. Create an SSL VPN gateway and enable the network extension function so that mobile office users can access intranet resources.
  4. Configure security policies to allow mobile office users to access intranet resources.
  5. On the intranet server, create a route to the virtual IP address pool of the mobile office users and issue the client certificate to the mobile office users. Mobile office users install this client certificate in the browser. The certificate is used for the FW to authenticate users when they access the SSL VPN virtual gateway.

Procedure

  1. Apply for the CA certificate and client certificate. In this example, the CA certificate obtained is jsciq.crt. In the client certificate, the value of the Subject-CN (Common name) field is user0001, which is the user name, and the value of the Subject-OU (Organizational unit) field is research, which is the group name.
  2. Configure interfaces.
    1. Choose Network > Interface.
    2. Click the edit icon corresponding to GE0/0/1 and set the parameters as follows:

      Zone

      untrust

      IPv4

      IP Address

      1.1.1.1/24

    3. Click OK.
    4. Repeat the preceding steps to set the parameters for GE0/0/2.

      Zone

      trust

      IPv4

      IP Address

      10.2.0.1/24

  3. Configure users.
    1. Choose Object > User > default, and set the parameters as follows:

      Configure a user and a user group based on the values of User Filtering Field and Group Filtering Field planned for the virtual gateway. For example, if the virtual gateway uses Subject-CN as User Filtering Field and Subject-OU as Group Filtering Field, the user name must be the same as the value of Subject-CN in the client certificate, and the user group name must be the same as the value of Subject-OU in the client certificate. For details about how to obtain the values of the Subject-CN and Subject-OU fields in the client certificate, see step 11. In addition, the user and user group created here are used for identity authentication and subsequent role authorization.

    2. Click Apply.
  4. Configure the SSL VPN gateway.
    1. Choose Network > SSL VPN > SSL VPN.
    2. Click Add and set the parameters as follows:

      User Filtering Field indicates the field of the client certificate that is used as the user name. Group Filtering Field indicates the field of the client certificate that is used as the user group name. The two parameters are used for identity authentication and subsequent role authorization.

    3. Click Next.
  5. Configure the SSL version, cipher suite, session timeout, and session lifecycle. You can use the default values and click Next. In this example the defaults allow TLS 1.1 and TLS 1.2 with the aes256-sha and aes128-sha cipher suites (see Configuration Scripts). TLS 1.1 is deprecated (RFC 8996); if all client browsers support TLS 1.2, select TLS 1.2 only.
  6. Select Network Extension and click Next.
  7. Configure the network extension function.
    1. Set the parameters as follows.

    2. Click Next.
  8. Configure SSL VPN role authorization/users.
    1. Click Add in List of Authorized Roles and set the role authorization parameters as follows. After the configuration is complete, click OK.

      If you do not configure role authorization for users in certificate-challenge authentication mode, the users use the authorization of the default role after logging in to the virtual gateway. Generally, to precisely control users' resource access permission, you are advised to configure independent role authorization for users.

    2. Return to the Role Authorization/User configuration page, and click OK.
  9. Configure security policies.
    1. Configure an Internet-to-FW security policy to allow employees on the move to access the SSL VPN gateway.

      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add Security Policy and configure the security policy policy01 as follows:

        Name

        policy01

        Source Zone

        untrust

        Destination Zone

        local

        Destination Address/Region

        1.1.1.1/24

        Service

        https

        NOTE:

        If the HTTPS port number of the virtual gateway is changed, update the security policy to match the new port; the predefined https service matches the default port only. Because the destination zone is local, this rule only matches traffic addressed to the FW itself; the gateway interface address 1.1.1.1/32 is the tightest destination setting.

        Action

        Permit

      3. Click OK.

    2. Configure a FW-to-intranet security policy to allow employees on the move to access resources in the headquarters.

      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add Security Policy and configure the security policy policy02 as follows. Click OK.

        Name

        policy02

        Source Zone

        untrust

        Destination Zone

        trust

        Source Address/Region

        172.16.1.0/24

        Destination Address/Region

        10.2.0.0/24

        Action

        Permit

  10. On the intranet server, configure a route to the network segment 172.16.1.0/24 (the virtual IP address pool 172.16.1.1 to 172.16.1.100 is allocated from it) with the FW's trust interface address 10.2.0.1 as the next hop, so that return traffic to mobile office users reaches the FW.
  11. Install the client certificate required for certificate-challenge authentication in the browsers of mobile office users.

    The prerequisite is that you have obtained the client certificate required for certificate-challenge authentication.

    1. Open Internet Explorer and choose Tools > Internet Options.
    2. Click the Content tab and click Certificates.

    3. Click Import.

    4. Install the certificate following the wizard. Click Next. Click Browse and choose the certificate required for authentication. Click Next.

      Click Next. If the certificate file is password-protected (for example, a PKCS#12 file that also contains the private key), enter the password. If it is not, click Next without entering anything.

      After the certificate is imported, click View to view the Subject-CN and Subject-OU fields of the certificate. The values of the two fields must be the user name (user0001) and user group (research) configured on the FW and selected as the filtering fields of the virtual gateway.
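Steps 1 and 11 depend on the client certificate carrying the right Subject-CN and Subject-OU, because the virtual gateway uses those fields as the user name and group name. The following added example (not code from the Huawei page) issues a test CA and a client certificate with CN=user0001 and OU=research using the openssl command line, bundles them as a password-protected PKCS#12 file for the browser import, and then reads the subject back the way the gateway's User/Group Filtering Fields do. The CA name, file names, directories and the password are assumptions; the CA stands in for jsciq.crt.

```python
"""Added example (not from the Huawei page): issue a test CA and a client
certificate whose Subject-CN / Subject-OU match the SSL VPN user and group,
then read those fields back as the gateway's filtering fields would.
Uses the openssl command line; all names, paths and passwords are assumptions."""
import re
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_client_cert(user, group, workdir, p12_password="changeit"):
    """Create ca.crt (stand-in for jsciq.crt), a client certificate with
    CN=user and OU=group signed by that CA, and a PKCS#12 bundle for the
    browser import. Returns the paths of ca.crt, client.crt and client.p12."""
    d = Path(workdir)
    ca_key, ca_crt = d / "ca.key", d / "ca.crt"
    key, csr, crt, p12 = d / "client.key", d / "client.csr", d / "client.crt", d / "client.p12"
    # Self-signed CA certificate (assumed name)
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365", "-sha256",
             "-subj", "/C=CN/O=Example/CN=Example Test CA",
             "-keyout", str(ca_key), "-out", str(ca_crt))
    # Client key and CSR: OU becomes the group name, CN the user name
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-subj", f"/C=CN/O=Example/OU={group}/CN={user}",
             "-keyout", str(key), "-out", str(csr))
    # Sign with a clientAuth EKU so a key-usage filter stricter than "any" still accepts it
    ext = d / "client.ext"
    ext.write_text("keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n")
    _openssl("x509", "-req", "-in", str(csr), "-CA", str(ca_crt), "-CAkey", str(ca_key),
             "-CAcreateserial", "-days", "365", "-sha256", "-extfile", str(ext), "-out", str(crt))
    # Password-protected PKCS#12 for the browser import (the password step 11 asks for)
    _openssl("pkcs12", "-export", "-inkey", str(key), "-in", str(crt), "-certfile", str(ca_crt),
             "-passout", f"pass:{p12_password}", "-out", str(p12))
    return ca_crt, crt, p12


def subject_fields(cert_path):
    """Subject of a PEM certificate as {attribute: value}, e.g. {'CN': 'user0001', 'OU': 'research'}."""
    out = subprocess.run(["openssl", "x509", "-in", str(cert_path), "-noout", "-subject",
                          "-nameopt", "RFC2253"], check=True, capture_output=True, text=True).stdout
    rdns = re.sub(r"^subject=\s*", "", out.strip())
    fields = {}
    for rdn in rdns.split(","):
        k, _, v = rdn.partition("=")
        fields.setdefault(k, v)          # first occurrence wins, as for a single-valued filter
    return fields


def chains_to_ca(ca_path, cert_path):
    """True if the client certificate verifies against the CA certificate the FW imports."""
    r = subprocess.run(["openssl", "verify", "-CAfile", str(ca_path), str(cert_path)],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def gateway_identity(cert_path, user_filter="CN", group_filter="OU"):
    """Mimic the virtual gateway: derive (user name, group name) from the subject."""
    f = subject_fields(cert_path)
    return f.get(user_filter), f.get(group_filter)


def run_demo(user="user0001", group="research"):
    """Issue the certificates in a temp directory; return (identity, chains, p12 written)."""
    with tempfile.TemporaryDirectory() as tmp:
        ca, crt, p12 = make_client_cert(user, group, tmp)
        return gateway_identity(crt), chains_to_ca(ca, crt), p12.stat().st_size > 0


if __name__ == "__main__":
    print(run_demo())
```

The user and group names the FW will see are exactly the CN and OU values returned by gateway_identity; if they differ from the user user0001 and group /default/research configured in step 3, the login fails even though the certificate itself is valid. chains_to_ca is the same check the FW performs with the imported CA certificate, so run it before handing the PKCS#12 file to a user.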

Verifying the Configuration

  1. Enter https://1.1.1.1:443 in the address box of Internet Explorer to access the SSL VPN login page.

    Install the control as prompted upon the first login.

  2. On the login page, enter the login password, select the imported certificate, and click Login.

  3. After the login is successful, click Start under Network Extension. Then you can access the corresponding network extension resources.

When you log in to the virtual gateway in certificate-challenge mode, the following situations may occur due to different browser versions and browser settings. If any of the following situations occurs, select the corresponding solution.

  • The imported client certificate cannot be found in the certificate drop-down list.

    Possible causes:

    • An incorrect tab is selected during the client certificate import. The correct tab is Personal.
    • The login page is not refreshed after the client certificate is imported.
  • The certificate is correct, but the system displays a message indicating that certificate verification fails and a valid certificate is required.

    On the toolbar of Internet Explorer, choose Tools > Internet Options. Click the Advanced tab and deselect Use SSL 2.0. SSL 2.0 is obsolete, and the gateway in this example only negotiates TLS 1.1 and TLS 1.2, so leaving it disabled costs nothing.

Configuration Scripts

#
aaa
 authentication-scheme default     
 authorization-scheme default
 domain default 
  service-type ssl-vpn       
  internet-access mode password    
  reference user current-domain    
#  
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0  
#  
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0 
#  
firewall zone trust          
 set priority 85
 add interface GigabitEthernet0/0/2
#  
firewall zone untrust        
 set priority 5 
 add interface GigabitEthernet0/0/1
#
 v-gateway public ssl version tlsv11 tlsv12
 v-gateway public ssl ciphersuit custom aes256-sha aes128-sha
 v-gateway gateway interface GigabitEthernet0/0/1 private
 v-gateway gateway alias gateway
#
#****BEGIN***gateway**1****# 
v-gateway gateway
 basic
  ssl version tlsv11 tlsv12
  ssl timeout 5
  ssl lifecycle 1440
  ssl ciphersuit custom aes256-sha aes128-sha
 service
  network-extension enable
  network-extension keep-alive enable
  network-extension keep-alive interval 120
  network-extension netpool 172.16.1.1 172.16.1.100 255.255.255.0
  netpool 172.16.1.1 default
  network-extension mode manual
  network-extension manual-route 10.2.0.0 255.255.255.0
 security
  authentication-mode cert-challenge
  policy-default-action permit vt-src-ip
  certification cert-anonymous cert-field user-filter subject cn group-filter subject ou 
  client-cert-require enable
  certification user-cert-filter key-usage any
  undo public-user enable hostchecker
 cachecleaner
 vpndb
  group /default
  group /default/research
 role
 role default
  role default condition all
 role role
  role role condition all
  role role network-extension enable
#****END****#   
#
security-policy
 rule name policy01
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  service https
  action permit
 rule name policy02
  source-zone untrust
  destination-zone trust
  source-address 172.16.1.0 mask 255.255.255.0
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
#
 ip route-static 172.16.1.0 255.255.255.0 GigabitEthernet0/0/1 1.1.1.2
#
# The following configurations are saved in the database and are not displayed in the configuration file.
 user-manage user user0001 domain default
 password %$%$j@p.U.0bwNQv9nE#tf]G-+"v%$%$
  parent-group /default/research
 v-gateway gateway
  role
   role role group /default/research
#
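The two security policies from step 9 are only correct if policy01 reaches the gateway interface address and policy02 covers the whole virtual IP address pool assigned by network-extension netpool. The following added example (not code from the Huawei page or the device) parses the interface, v-gateway and security-policy lines of a configuration script in the format shown above and checks those relationships with the standard-library ipaddress module. SAMPLE_CONFIG is constructed from this page's values; the rule and line patterns are limited to the fields this example uses.

```python
"""Added example, not part of the Huawei page: parse the security-policy,
interface and network-extension lines of a USG-style configuration script and
check that the rules from step 9 match the gateway address and the virtual
IP address pool. SAMPLE_CONFIG is constructed from the page's own values."""
import ipaddress
import re

SAMPLE_CONFIG = """\
#
 v-gateway gateway interface GigabitEthernet0/0/1 private
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
v-gateway gateway
 service
  network-extension enable
  network-extension netpool 172.16.1.1 172.16.1.100 255.255.255.0
  network-extension manual-route 10.2.0.0 255.255.255.0
#
security-policy
 rule name policy01
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  service https
  action permit
 rule name policy02
  source-zone untrust
  destination-zone trust
  source-address 172.16.1.0 mask 255.255.255.0
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
"""

ANY = ipaddress.ip_network("0.0.0.0/0")            # an address field that is absent matches everything
RULE_RE = re.compile(r"^ rule name (\S+)\n((?:  \S.*\n)*)", re.M)   # one-space-per-level indentation
IFACE_RE = re.compile(r"^interface (\S+)\n ip address (\S+) (\S+)", re.M)
GATEWAY_IF_RE = re.compile(r"v-gateway \S+ interface (\S+)")
NETPOOL_RE = re.compile(r"network-extension netpool (\S+) (\S+) (\S+)")
ROUTE_RE = re.compile(r"network-extension manual-route (\S+) (\S+)")


def _net(addr, mask):
    # Huawei writes "address mask"; ipaddress accepts "address/dotted-mask".
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_rules(config):
    """{rule name: {field: value}}; *-address fields become ip_network objects."""
    rules = {}
    for name, body in RULE_RE.findall(config):
        fields = {}
        for line in body.splitlines():
            key, _, rest = line.strip().partition(" ")
            if key.endswith("-address"):
                addr, _, mask = rest.partition(" mask ")
                fields[key] = _net(addr, mask)
            else:
                fields[key] = rest
        rules[name] = fields
    return rules


def check_policies(config):
    """Return {'errors': [...], 'warnings': [...]} for the SSL VPN rules."""
    rules = parse_rules(config)
    ifaces = {n: ipaddress.ip_interface(f"{a}/{m}") for n, a, m in IFACE_RE.findall(config)}
    gw_ip = ifaces[GATEWAY_IF_RE.search(config).group(1)].ip
    start, end, _mask = NETPOOL_RE.search(config).groups()
    pool_start, pool_end = ipaddress.ip_address(start), ipaddress.ip_address(end)
    routes = [_net(a, m) for a, m in ROUTE_RE.findall(config)]
    errors, warnings = [], []

    # Internet-to-FW: a permit rule must let untrust reach the gateway address over https.
    inbound = [n for n, r in rules.items()
               if r.get("action") == "permit" and r.get("destination-zone") == "local"
               and r.get("service") == "https" and gw_ip in r.get("destination-address", ANY)]
    if not inbound:
        errors.append(f"no permit rule lets untrust reach {gw_ip} over https")
    for n in inbound:
        dst = rules[n].get("destination-address", ANY)
        if dst.prefixlen < 32:      # least privilege: the gateway address alone is enough
            warnings.append(f"{n}: destination {dst} is wider than the gateway address {gw_ip}/32")

    # FW-to-intranet: the whole netpool must be permitted to the routed intranet segments.
    for n, r in rules.items():
        if r.get("action") != "permit" or r.get("destination-zone") != "trust":
            continue
        src = r.get("source-address", ANY)
        if pool_start not in src or pool_end not in src:
            errors.append(f"{n}: source {src} does not cover netpool {pool_start}-{pool_end}")
        dst = r.get("destination-address", ANY)
        for route in routes:
            if not route.subnet_of(dst):
                warnings.append(f"{n}: manual-route {route} is not fully inside destination {dst}")
        if "service" not in r:
            warnings.append(f"{n}: no service restriction; every protocol is permitted from the netpool")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for level, msgs in check_policies(SAMPLE_CONFIG).items():
        for m in msgs:
            print(level, m)
```

Run against this page's script the check reports no errors but two warnings: policy01 permits HTTPS to all of 1.1.1.0/24 where 1.1.1.1/32 would do, and policy02 has no service restriction, so every protocol is allowed from the netpool into 10.2.0.0/24. Both are acceptable for a lab; in production, narrow them to the gateway address and to the services the research department actually needs.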
Copyright © Huawei Technologies Co., Ltd.