HP VPN Firewall Appliances VPN Configuration Guide
SSL VPN configuration example at the CLI
Network requirements
As shown in Figure 273, configure SSL and enable SSL VPN service on the SSL VPN gateway, so that
users can log in to the Web interface of the SSL VPN gateway through HTTPS and then access the
internal resources of the corporate network through the SSL VPN gateway.
In this configuration example:
• The IP address of the SSL VPN gateway is 10.1.1.1/24.
• The IP address of the Certificate Authority (CA) is 10.2.1.1/24. The name of the CA is CA server,
which is used to issue certificates to the SSL VPN gateway and remote users.
Figure 219 Network diagram
Configuration procedure
In this example, Windows Server is used as the CA. Install the SCEP plugin on the CA.
Before performing the following configuration, make sure the intended SSL VPN gateway, the CA, and the
host used by the remote user can reach each other, and that the CA has the CA service enabled and can
issue certificates to the firewall (SSL VPN gateway) and the host.
1. Apply for a certificate for the SSL VPN gateway:
# Configure a PKI entity named en and specify the common name of the entity as http-server.
<Firewall> system-view
[Firewall] pki entity en
[Firewall-pki-entity-en] common-name http-server
[Firewall-pki-entity-en] quit
# Configure a PKI domain named sslvpn, and specify the trusted CA as ca server, the URL of the
RA server as http://10.2.1.1/certsrv/mscep/mscep.dll, the authority for certificate
request as RA, and the entity as en.
[Firewall] pki domain sslvpn
[Firewall-pki-domain-sslvpn] ca identifier ca server
[Firewall-pki-domain-sslvpn] certificate request url http://10.2.1.1/certsrv/mscep/mscep.dll
[Firewall-pki-domain-sslvpn] certificate request from ra
[Firewall-pki-domain-sslvpn] certificate request entity en
[Firewall-pki-domain-sslvpn] quit
# Generate the local RSA key pair.