R2511-HP MSR Router Series Security Configuration Guide(V5)

The IP address of the Certificate Authority (CA) is 10.2.1.1/24. The name of the CA is CA server,
which is used to issue certificates to the SSL VPN gateway and remote users.
Figure 133 Network diagram
Configuration procedure
In this example, the Windows Server is used as the CA. Install the SCEP plugin on the CA.
Before the following configurations, make sure the intended SSL VPN gateway, the CA, and the host used
by the remote user can reach each other, and the CA is enabled with the CA service and can issue
certificates to the device (SSL VPN gateway) and the host.
1. Apply for a certificate for the SSL VPN gateway:
# Configure a PKI entity named en and specify the common name of the entity as http-server.
<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server
[Device-pki-entity-en] quit
# Configure a PKI domain named sslvpn, and specify the trusted CA as ca server, the URL of the
RA server as http://10.2.1.1/certsrv/mscep/mscep.dll, registration authority for certificate
requesting as RA, and the entity as en.
[Device] pki domain sslvpn
[Device-pki-domain-sslvpn] ca identifier ca server
[Device-pki-domain-sslvpn] certificate request url http://10.2.1.1/certsrv/mscep/mscep.dll
[Device-pki-domain-sslvpn] certificate request from ra
[Device-pki-domain-sslvpn] certificate request entity en
[Device-pki-domain-sslvpn] quit
# Generate the local RSA key pair.
[Device] public-key local create rsa
# Retrieve the CA certificate.
[Device] pki retrieval-certificate ca domain sslvpn
# Apply for a certificate for the device.
[Device] pki request-certificate domain sslvpn
2. Configure an SSL server policy for the SSL VPN service:
# Configure an SSL server policy named myssl, and specify the policy to use PKI domain sslvpn.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain sslvpn
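After step 1 the gateway holds a CA certificate and its own certificate issued through the RA; before binding that certificate to the SSL server policy in step 2, a practitioner normally exports both certificates (for example with display pki certificate) and confirms offline that the device certificate chains to the intended CA, is valid for server authentication, and carries the common name configured on the PKI entity (http-server). The following Go program is an added example, not code from the configuration guide or from HP: it builds a constructed stand-in CA named "CA server" and a gateway certificate with CN http-server in memory (makeTestPKI, an assumed helper replacing the real SCEP enrollment), then runs the check a practitioner would apply to the exported PEM files (VerifyGatewayCert, also an assumed name). The same check rejects a certificate from an unrelated CA and one whose CN does not match the entity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeTestPKI builds a constructed CA ("CA server") and a gateway certificate
// signed by it. It stands in for the CA at 10.2.1.1 and for the enrollment
// performed by "pki request-certificate"; it is not the guide's procedure.
func makeTestPKI(gatewayCN string) (caPEM, gwPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "CA server"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	gwKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// The subject CN mirrors the "common-name" set on the PKI entity.
	gwTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: gatewayCN},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	gwDER, err := x509.CreateCertificate(rand.Reader, gwTmpl, caCert, &gwKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	gwPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: gwDER})
	return caPEM, gwPEM, nil
}

// VerifyGatewayCert applies the checks worth running on the exported gateway
// certificate: PEM parses, the chain ends at the trusted CA, the certificate
// is usable for server authentication, and the CN equals the entity's
// common-name. Any failure is returned as an error describing the cause.
func VerifyGatewayCert(gwPEM, caPEM []byte, expectedCN string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("CA certificate could not be parsed")
	}
	block, _ := pem.Decode(gwPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("gateway certificate is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse gateway certificate: %w", err)
	}
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain verification against CA failed: %w", err)
	}
	if cert.Subject.CommonName != expectedCN {
		return fmt.Errorf("subject CN %q does not match entity common-name %q",
			cert.Subject.CommonName, expectedCN)
	}
	return nil
}

func main() {
	caPEM, gwPEM, err := makeTestPKI("http-server")
	if err != nil {
		panic(err)
	}
	fmt.Println("issued by CA server, CN http-server:", VerifyGatewayCert(gwPEM, caPEM, "http-server"))
	fmt.Println("CN mismatch:", VerifyGatewayCert(gwPEM, caPEM, "other-name"))
	otherCA, _, _ := makeTestPKI("http-server")
	fmt.Println("unrelated CA:", VerifyGatewayCert(gwPEM, otherCA, "http-server"))
}
```

On a real deployment, pass the PEM exported from the gateway and the CA certificate retrieved with pki retrieval-certificate ca domain sslvpn in place of the constructed pair; a chain failure at this point usually means the RA URL or CA identifier in the PKI domain points at a different CA than the one the remote users trust.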
[Figure 133 (network diagram) labels: Device (SSL VPN gateway); Host (Remote user); Internal servers; CA; Internet; addresses 10.2.1.1/24 and 10.1.1.1/24]