R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
Example of the CLI configuration required for SSL VPN
Network requirements
As shown in Figure 270, configure SSL and enable SSL VPN service on the SSL VPN gateway, so that
users can log in to the Web interface of the SSL VPN gateway through HTTPS and then access the
internal resources of the corporate network through the SSL VPN gateway.
In this configuration example:
• The IP address of the SSL VPN gateway is 10.1.1.1/24.
• The IP address of the Certificate Authority (CA) is 10.2.1.1/24. The name of the CA is CA server,
which is used to issue certificates to the SSL VPN gateway and remote users.
Figure 215 Network diagram
Configuration procedure
NOTE:
• In this example, the Windows Server is used as the CA. Install the Simple Certificate Enrollment Protocol
(SCEP) plugin on the CA.
• Before the following configurations, make sure that the intended SSL VPN gateway, the CA, and the host
used by the remote user can reach each other, and the CA is enabled with the CA service and can issue
certificates to the Firewall (SSL VPN gateway) and the host.
1. Apply for a certificate for the SSL VPN gateway (Firewall).
# Configure a PKI entity named en and specify the common name of the entity as http-server.
<Firewall> system-view
[Firewall] pki entity en
[Firewall-pki-entity-en] common-name http-server
[Firewall-pki-entity-en] quit
# Configure a PKI domain named sslvpn, and specify the trusted CA as ca server, the URL of the
RA server as http://10.2.1.1/certsrv/mscep/mscep.dll, the authority for certificate
requests as the RA, and the entity as en.
[Firewall] pki domain sslvpn
[Firewall-pki-domain-sslvpn] ca identifier ca server
[Firewall-pki-domain-sslvpn] certificate request url http://10.2.1.1/certsrv/mscep/mscep.dll
[Firewall-pki-domain-sslvpn] certificate request from ra
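The following check is an added example, not part of the HP guide: it audits a CLI transcript or saved configuration against the four PKI domain settings that the step description above lists (trusted CA, RA URL, request authority, entity). The command keyword certificate request entity does not appear in this excerpt and is assumed from the Comware command set; SAMPLE is constructed from the commands shown above.

```python
import re
from urllib.parse import urlparse

# Settings the step description lists for a PKI domain. Assumption:
# "certificate request entity" is the Comware entity-binding command;
# it is not shown in the excerpt this example follows.
REQUIRED = ("ca identifier", "certificate request url",
            "certificate request from", "certificate request entity")
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")  # "[Firewall-...]" or "<Firewall>"

# Constructed sample: the commands shown in step 1 of the procedure.
SAMPLE = """\
<Firewall> system-view
[Firewall] pki entity en
[Firewall-pki-entity-en] common-name http-server
[Firewall-pki-entity-en] quit
[Firewall] pki domain sslvpn
[Firewall-pki-domain-sslvpn] ca identifier ca server
[Firewall-pki-domain-sslvpn] certificate request url http://10.2.1.1/certsrv/mscep/mscep.dll
[Firewall-pki-domain-sslvpn] certificate request from ra
"""

def parse(text):
    """Return (entities, domains) as {name: {setting: value}} dictionaries."""
    entities, domains, current = {}, {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        m = re.match(r"pki (entity|domain) (\S+)$", line)
        if m:
            store = entities if m.group(1) == "entity" else domains
            current = store.setdefault(m.group(2), {})
        elif line in ("quit", "return"):
            current = None
        elif current is not None:
            for key in REQUIRED + ("common-name",):
                if line.startswith(key + " "):
                    current[key] = line[len(key):].strip()
    return entities, domains

def audit(text, ca_host=None):
    """List missing or inconsistent PKI domain settings."""
    entities, domains = parse(text)
    findings = []
    for name, cfg in domains.items():
        findings += [f"{name}: missing '{k}'" for k in REQUIRED if k not in cfg]
        ent = cfg.get("certificate request entity")
        if ent and ent not in entities:
            findings.append(f"{name}: entity '{ent}' is not defined")
        host = urlparse(cfg.get("certificate request url", "")).hostname
        if ca_host and host and host != ca_host:
            findings.append(f"{name}: enrollment URL host {host} != {ca_host}")
    return findings
```

Calling audit(SAMPLE, "10.2.1.1") on the commands shown so far reports only the entity binding as missing, which is the one setting named in the step description that has not yet been entered.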