R3102-R3103-HP 6600/HSR6600 Routers Security Configuration Guide
• Specify the SSL server policy to be used by the SSL VPN service. To access the SSL VPN gateway or
the internal resources, remote users need to log in to the web interface of the SSL VPN gateway
through HTTPS. Therefore, you must specify an SSL server policy on the SSL VPN gateway so that the
gateway can determine the SSL parameters to be used for providing the SSL VPN service.
• Specify the TCP port number to be used by the SSL VPN service. The SSL VPN gateway acts as the
HTTPS server to provide the web interface for remote users to log in.
• Enable the SSL VPN service. Remote users can access the web interface of the SSL VPN gateway
only after the SSL VPN service is enabled on the gateway.
Follow these guidelines when you configure SSL VPN:
• If the HTTPS service and the SSL VPN service use the same port number, the two services must use
the same SSL server policy. Otherwise, you cannot enable both services.
• When both the HTTPS service and the SSL VPN service are enabled and they use the same port
number, to modify the SSL server policy that the services use, you must first disable the two services,
modify the SSL server policy, and then enable the services again.
• When the SSL VPN service is enabled, your change to the port number or SSL server policy for the
service does not take effect. To make your change take effect, disable the SSL VPN service and then
enable it again.
Before you configure SSL VPN, create an SSL server policy. For information about SSL server policy
configuration, see "Configuring SSL."
To configure SSL VPN:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Specify the SSL server policy and port to be used by the SSL VPN service. | ssl-vpn server-policy server-policy-name [ port port-number ] | By default, no SSL server policy is specified for the SSL VPN service and the SSL VPN service uses TCP port 443. |
| 3. Enable the SSL VPN service. | ssl-vpn enable | Disabled by default. |
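The guidelines above (a server policy must be specified, and services sharing a port must share a policy) can be checked against a planned configuration before it is applied to the gateway. The following Python check is an added example, not part of the HP guide: the "ip https" command lines and the HTTPS default port of 443 are assumptions, the policy names and the sample configuration are constructed, and a missing HTTPS policy is treated as a mismatch.

```python
import re

DEFAULT_PORT = 443  # page: SSL VPN defaults to TCP 443; same default assumed for HTTPS

# Constructed planned configuration. The "ip https" lines are an assumption
# about the HTTPS service's commands; only the ssl-vpn lines are on this page.
PLANNED = """\
ip https ssl-server-policy mgmt
ip https enable
ssl-vpn server-policy vpn
ssl-vpn enable
"""

PATTERNS = [
    ("ssl-vpn", r"ssl-vpn server-policy (?P<policy>\S+)(?: port (?P<port>\d+))?"),
    ("ssl-vpn", r"ssl-vpn (?P<enable>enable)"),
    ("https", r"ip https ssl-server-policy (?P<policy>\S+)"),
    ("https", r"ip https port (?P<port>\d+)"),
    ("https", r"ip https (?P<enable>enable)"),
]

def parse_services(text):
    """Collect policy, port and enabled state for each service."""
    svc = {name: {"policy": None, "port": DEFAULT_PORT, "enabled": False}
           for name in ("https", "ssl-vpn")}
    for line in text.splitlines():
        for name, pattern in PATTERNS:
            m = re.fullmatch(pattern, line.strip())
            found = m.groupdict() if m else {}
            if found.get("policy"):
                svc[name]["policy"] = found["policy"]
            if found.get("port"):
                svc[name]["port"] = int(found["port"])
            if found.get("enable"):
                svc[name]["enabled"] = True
    return svc

def audit(text):
    """Return findings for the guidelines on policy and shared ports."""
    svc = parse_services(text)
    https, vpn = svc["https"], svc["ssl-vpn"]
    findings = []
    if vpn["enabled"] and vpn["policy"] is None:
        findings.append("ssl-vpn enabled without an SSL server policy")
    if (https["enabled"] and vpn["enabled"] and https["port"] == vpn["port"]
            and https["policy"] != vpn["policy"]):
        findings.append(f"HTTPS and SSL VPN share port {vpn['port']} with different policies")
    return findings
```

Calling audit(PLANNED) reports the shared-port conflict; moving the SSL VPN service to its own port or pointing both services at one policy clears it.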
SSL VPN configuration example at the CLI
Network requirements
As shown in Figure 124, configure SSL and enable SSL VPN service on the SSL VPN gateway, so that
users can log in to the Web interface of the SSL VPN gateway through HTTPS and then access the
internal resources of the corporate network through the SSL VPN gateway.
In this configuration example:
• The IP address of the SSL VPN gateway is 10.1.1.1/24.
• The IP address of the Certificate Authority (CA) is 10.2.1.1/24. The name of the CA is CA server,
which is used to issue certificates to the SSL VPN gateway and remote users.










