Web: Example for Enabling Remote Users to Access the Headquarters through SSL VPN (AD Authentication + Local Authorization)
Networking Requirements
Figure 1 shows the network topology. Mobile users can access resources at the headquarters using SSL VPNs. An AD server is used to authenticate access users.
Requirements are as follows:
- Top executives on the move or working at home can obtain IP addresses and access the intranet smoothly and securely. They can also access the Webmail and ERP systems using a browser.
- Employees on the move or working at home can access the Webmail and ERP systems using a browser.
Data Planning
Item |
Data |
|---|---|
Interface |
Interface ID: GigabitEthernet 0/0/1 IP address: 1.1.1.1/24 Security zone: Untrust |
Interface ID: GigabitEthernet 0/0/2 IP address: 10.2.0.1/16 Security zone: Trust |
|
Teleworker account |
Top executive User name: user_0001 Group: /cce.com/director |
Common employee User name: user_0002 Group: /cce.com/employee |
|
Virtual gateway |
Name: example Interface: GigabitEthernet 0/0/1 Domain name: example.huawei.com Maximum number of users: 150 Maximum number of online users: 100 |
AD server |
Primary server IP address: 10.2.0.155 Secondary server IP address: 10.2.0.156 |
Web proxy resource |
Name: Webmail; link: http://10.2.0.10 Name: ERP; link: http://10.2.0.11 |
Network extension |
Network extension address pool: 172.16.1.1-172.16.1.100 Routing mode: Manual Intranet subnet accessible to network extension users: 10.2.0.0/16 |
Procedure
- Configure interfaces.
- Click
of GE0/0/1 and set the following parameters:Zone
untrust
IPv4
IP Address
1.1.1.1/24
Default Gateway
1.1.1.2
- Click
- Configure security policies.
- Choose and set parameters for interconnection between the FW and AD server.
For the V600R007C20 version, whether to enable SSL for AD authentication cannot be configured on the web UI. When you configure the AD server on the web UI, SSL (ldap-over-ssl) is enabled by default. In this mode, LDAP over SSL must also be enabled on the AD server. For details, see the operating system guide of the AD server. To disable SSL (no-ssl), click CLI Console in the lower right corner of the web page. On the CLI configuration page that is displayed, run the ad-server authentication 10.2.0.155 88 no-ssl command in the corresponding AD server template view. From V600R007C20SPC100, you can configure whether to enable SSL for AD authentication on the Web UI. The following uses no-ssl as an example.
If you are unfamiliar with the AD server and cannot provide the server name, Base DN, or filter field values, you can use the AD Explorer or AD Browser software to connect to the AD server to query the attribute values. The AD Explorer is used as an example. The AD server attributes and mappings between the server attributes and parameters on the FW are as follows.
Click Test. In the dialog box that is displayed, click OK and enter the user name and password. Click Start to check the connectivity to the AD server.
The user name and password used for the test must be the same as those on the AD server.
- Choose , configure an authentication domain.
When the FW uses AD or LDAP authentication, the authentication domain name configured on the FW must be the same as that configured on the authentication server. In this example, the domain name on the AD server is cce.com. Therefore, the authentication domain name must be set to cce.com on the FW.
- Choose , click Add and configure a policy to import user information from the AD server to the FW.
After the policy is created, click
to import the users and organizational structures from the authentication server to the FW.
After the import succeeds, choose to view the user and organizational structure information.
- Choose and select cce.com.
- Set to and and set the following parameters.
- Set new user options for the authentication domain.
- Set to and and set the following parameters.
- Configure an SSL VPN gateway, including the gateway address, user authentication, and maximum number of concurrent users.
- Click the Add, configure an SSL VPN gateway and set the parameters as follows.
If the virtual gateway is bound to an authentication domain, the user name entered for a login should not carry the authentication domain information. If the user name carries an authentication domain name, the gateway considers the string following the at sign (@) as a part of the user name, not an authentication domain name. For example, if the virtual gateway has been bound to the authentication domain cce.com, you should enter user_0001, not user_0001@cce.com, as the user name.
- Click the Add, configure an SSL VPN gateway and set the parameters as follows.
- Configure the SSL parameter.
- Configure the SSL parameter as follows. In the example, use the default algorithms.
- Click Next.
- Select the services to be enabled.
- Select Web Proxy and Network Extension.
- Select Web Proxy and Network Extension.
- Configure the network extension function.
- Set the Available IP Address Range and Accessible Private Network Segment List to the network extension function as follows:
- Set the Available IP Address Range and Accessible Private Network Segment List to the network extension function as follows:
- Configure the web proxy function and add resources Webmail and ERP.
- In Web Proxy Resource List, click Add.
- Add web proxy resource Webmail as follows:
- Repeat the preceding steps to add web proxy resource ERP as follows:
- In Web Proxy Resource List, click Add.
- Configure SSL VPN role authorization/users.
- Under List of Authorized Roles, click Add.
- Add director user group to a role and associate corresponding permissions.
- Add employee user group to a role and associate corresponding permissions.
- Under List of Authorized Roles, click Add.
Verifying the Configuration
- Enter example.huawei.com or https://1.1.1.1 in the address box of the browser to access the SSL VPN login page using the teleworker account. Upon initial login, install the controls as instructed by the browser.
Virtual gateways of different versions require Active controls of different versions to be installed on the client. When a client is used to access virtual gateways of different versions. Delete the old Active control and install a new one for accessing a new virtual gateway. Otherwise, the browser will be stuck at the control loading page.
If the client is on a PC, run the following command to delete a control:
PC> regsvr32 SVNIEAgt.ocx -u -s PC> del %systemroot%\SVNIEAgt.ocx /q PC> del %systemroot%\"Downloaded Program Files"\SVNIEAgt.inf /q PC> cd %appdata% PC> rmdir svnclient /q /s
- Enter the user name and password on the login page to log in to the SSL VPN gateway.
- After logging in to the SSL VPN gateway using the top executive account user_0001, you can use the web proxy and network extension service. You can click Webmail and ERP to use corresponding services. Click Start to automatically install the virtual network adapter to obtain a virtual IP address. After that, you can use various services just as you are on a LAN.
- Use common employee account user_0002 to log in to the SSL VPN gateway. You can use only the web proxy service. You can click Webmail and ERP to use corresponding services.
Configuration Scripts
# ad-server template ad_server ad-server authentication 10.2.0.155 88 no-ssl ad-server authentication 10.2.0.156 88 secondary no-ssl ad-server authentication base-dn dc=cce,dc=com ad-server authentication manager cn=administrator,cn=users %$%$M#._~J4QrR[kJu7PUMtHUqh_%$%$ ad-server authentication host-name info-server2.cce.com secondary ad-server authentication host-name info-server.cce.com ad-server authentication ldap-port 389 ad-server user-filter sAMAccountName ad-server group-filter ou # interface GigabitEthernet0/0/1 ip address 1.1.1.1 255.255.255.0 # interface GigabitEthernet0/0/2 ip address 10.2.0.1 255.255.0.0 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/2 # firewall zone untrust set priority 5 add interface GigabitEthernet0/0/1 # user-manage import-policy ad_server from ad server template ad_server server basedn dc=cce,dc=com server searchdn ou=director,dc=cce,dc=com server searchdn ou=employee,dc=cce,dc=com destination-group /cce.com user-attribute sAMAccountName user-filter (&(|(objectclass=person)(objectclass=organizationalPerson))(cn=*)(!(objectclass=computer))) group-filter (|(objectclass=organizationalUnit)(ou=*)) import-type all import-override enable sync-mode incremental schedule interval 120 sync-mode full schedule daily 01:00 # aaa authentication-scheme ad authentication-mode ad # domain cce.com authentication-scheme ad ad-server ad_server service-type internetaccess ssl-vpn reference user current-domain new-user add-temporary group /cce.com auto-import ad_server # v-gateway example interface GigabitEthernet0/0/1 private example.huawei.com v-gateway example authentication-domain cce.com v-gateway example max-user 150 v-gateway example cur-max-user 100 # v-gateway example basic ssl timeout 5 ssl lifecycle 1440 service web-proxy enable web-proxy web-link enable web-proxy proxy-resource Webmail http://10.2.0.10 show-link web-proxy proxy-resource ERP http://10.2.0.11 show-link network-extension enable network-extension keep-alive enable network-extension netpool 172.16.1.1 172.16.1.100 255.255.255.0 network-extension mode manual network-extension manual-route 10.2.0.0 255.255.0.0 role role director condition all role director network-extension enable role director web-proxy enable role director web-proxy resource ERP role director web-proxy resource Webmail role employee condition all role employee web-proxy enable role employee web-proxy resource ERP role employee web-proxy resource Webmail # security-policy rule name policy_sslvpn_1 source-zone untrust destination-zone local destination-address 1.1.1.1 32 service https action permit rule name policy_sslvpn_2 source-zone local destination-zone trust destination-address 10.2.0.10 32 destination-address 10.2.0.11 32 action permit rule name policy_sslvpn_3 source-zone untrust destination-zone trust source-address range 172.16.1.1 172.16.1.100 destination-address 10.2.0.0 16 action permit rule name policy_ad_server source-zone local destination-zone trust destination-address 10.2.0.155 32 destination-address 10.2.0.156 32 action permit # The following configuration is used to perform a one-time operation and not stored in the configuration profile. execute user-manage import-policy ad_server # The following configuration is stored in the database, but not in the configuration profile. v-gateway example vpndb group /cce.com/director group /cce.com/employee role role director group /cce.com/director role director group /cce.com/employee