R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

VPN gateway finds the user groups to which the user belongs, and checks the resource groups assigned
to the user groups to determine which resources to provide for the user.
CLI configuration required to implement SSL VPN
To configure SSL VPN, you must perform the following operations at the CLI:
• Specify the SSL server policy to be used by the SSL VPN service. To access the SSL VPN gateway or the internal resources, remote users need to log in to the web interface of the SSL VPN gateway through HTTPS. Therefore, you must specify an SSL server policy on the SSL VPN gateway so that the gateway can determine the SSL parameters to be used for providing the SSL VPN service.
• Specify the TCP port number to be used by the SSL VPN service. The SSL VPN gateway acts as the HTTPS server to provide the web interface for remote users to log in.
• Enable the SSL VPN service. Remote users can access the web interface of the SSL VPN gateway only after the SSL VPN service is enabled on the gateway.
This section describes the configuration that you must perform at the CLI. For the SSL VPN to function
normally, you must also perform the configuration in the web interface, such as configuring access
resources, users, and domains. For more information about the web configuration, see "Web
configuration required to implement SSL VPN."
Configuration prerequisites
Before you configure SSL VPN, create an SSL server policy. For information about SSL server policy
configuration, see Network Management Configuration Guide.
Configuration procedure
To configure SSL VPN:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Specify the SSL server policy and port to be used by the SSL VPN service. | ssl-vpn server-policy server-policy-name [ port port-number ] | By default, no SSL server policy is specified for the SSL VPN service and the SSL VPN service uses TCP port 443. |
| 3. Enable the SSL VPN service. | ssl-vpn enable | Disabled by default. |
NOTE:
• If the HTTPS service and the SSL VPN service use the same port number, the two services must use the same SSL server policy. Otherwise, you cannot enable both the services.
• When both the HTTPS service and the SSL VPN service are enabled and they use the same port number, to change the SSL server policy that the services use, you must first disable the two services, specify another SSL server policy, and then enable the services again.
• When the SSL VPN service is enabled, your change to the port number or SSL server policy for the service does not take effect. To make your change take effect, disable the SSL VPN service and then enable it again.
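
The following pre-deployment check is an added example, not part of the HP guide: it parses a candidate configuration and flags an enabled SSL VPN service that has no SSL server policy, and the shared-port policy mismatch described in the first NOTE item. The `ip https` command names, the HTTPS default port of 443, and the policy names in the sample are assumptions that do not come from this page.

```python
import re

# Constructed candidate configuration, not taken from the guide. The
# "ip https ..." lines are ASSUMED Comware-style HTTPS service commands;
# this page itself documents only the two ssl-vpn commands.
SAMPLE_CONFIG = """\
ip https ssl-server-policy mgmt-policy
ip https enable
ssl-vpn server-policy vpn-policy
ssl-vpn enable
"""

DEFAULT_PORT = 443  # SSL VPN default per the guide; assumed for HTTPS as well


def audit_ssl_vpn(config):
    """Return a list of findings for a candidate configuration text."""
    lines = [ln.strip() for ln in config.splitlines()]
    vpn_policy = https_policy = None
    vpn_port = https_port = DEFAULT_PORT
    for ln in lines:
        if m := re.fullmatch(r"ssl-vpn server-policy (\S+)(?: port (\d+))?", ln):
            vpn_policy = m.group(1)
            # The port keyword is optional; without it the service uses 443.
            vpn_port = int(m.group(2) or DEFAULT_PORT)
        elif m := re.fullmatch(r"ip https ssl-server-policy (\S+)", ln):
            https_policy = m.group(1)
        elif m := re.fullmatch(r"ip https port (\d+)", ln):
            https_port = int(m.group(1))
    vpn_on = "ssl-vpn enable" in lines
    https_on = "ip https enable" in lines

    findings = []
    # The service needs an SSL server policy (step 2) for its SSL parameters.
    if vpn_on and vpn_policy is None:
        findings.append("ssl-vpn enabled without an SSL server policy")
    # NOTE, first item: same port requires the same SSL server policy.
    # An HTTPS service with no explicit policy is treated as a mismatch.
    if vpn_on and https_on and vpn_port == https_port and vpn_policy != https_policy:
        findings.append(
            f"HTTPS and SSL VPN share TCP port {vpn_port} but use different "
            f"SSL server policies ({https_policy!r} vs {vpn_policy!r})"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_vpn(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Either moving the SSL VPN service to a different port with the `port` keyword or pointing both services at the same SSL server policy clears the second finding.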