Network requirements, Configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual
NOTE:
• If the HTTPS service and the SSL VPN service use the same port number, the two services must use the same SSL server policy. Otherwise, you cannot enable both services.
• When both the HTTPS service and the SSL VPN service are enabled and use the same port number, to change the SSL server policy that they use you must first disable the two services, specify another SSL server policy, and then enable the services again.
• When the SSL VPN service is enabled, a change to the port number or SSL server policy for the service does not take effect. To make the change take effect, disable the SSL VPN service and then enable it again.
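The three rules in the note are easy to get wrong in a scripted rollout, because the device accepts the commands silently. The following Python linter is an added example (not from the H3C manual) that replays a configuration line by line and reports the two failure modes the note describes: a shared port with mismatched SSL server policies, and an SSL VPN port or policy change made while the service is still enabled. The command keywords it matches (`ip https ...`, `sslvpn ...`) and the default port of 443 are assumptions made for this example; the sample configurations are constructed.

```python
"""Lint a SecPath-style HTTPS / SSL VPN configuration against the rules in the
note above. Added example, not code from the H3C manual.

Rules modelled:
  1. If HTTPS and SSL VPN share a port, both must use the same SSL server
     policy, otherwise both cannot be enabled at once.
  2. A port or SSL server policy change for SSL VPN made while the service is
     enabled does not take effect until the service is disabled and enabled
     again.

The command keywords matched below (ip https ..., sslvpn ...) and the default
port are assumptions made for this example; use the SecPath command reference
for the real syntax.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# (pattern, service name, setting) -- assumed CLI keywords, see docstring
RULES = [
    (re.compile(r"^(undo )?ip https enable$"), "https", "enable"),
    (re.compile(r"^ip https port (\d+)$"), "https", "port"),
    (re.compile(r"^ip https ssl-server-policy (\S+)$"), "https", "policy"),
    (re.compile(r"^(undo )?sslvpn enable$"), "sslvpn", "enable"),
    (re.compile(r"^sslvpn port (\d+)$"), "sslvpn", "port"),
    (re.compile(r"^sslvpn server-policy (\S+)$"), "sslvpn", "policy"),
]


@dataclass
class Service:
    port: int = 443                      # assumed default for the example
    policy: Optional[str] = None
    enabled: bool = False
    pending: dict = field(default_factory=dict)   # rule 2: set while enabled
    ignored: list = field(default_factory=list)   # the lines that did not apply


def walk(lines):
    """Replay config lines in order and return the effective service state."""
    svc = {"https": Service(), "sslvpn": Service()}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for pat, name, setting in RULES:
            m = pat.match(line)
            if not m:
                continue
            st = svc[name]
            if setting == "enable":
                st.enabled = m.group(1) is None
                if not st.enabled:
                    # service is down: pending changes now become effective
                    for k, v in st.pending.items():
                        setattr(st, k, v)
                    st.pending.clear()
            else:
                value = int(m.group(1)) if setting == "port" else m.group(1)
                if name == "sslvpn" and st.enabled:
                    st.pending[setting] = value      # rule 2: not effective yet
                    st.ignored.append(line)
                else:
                    setattr(st, setting, value)
            break
    return svc


def lint(lines):
    """Return a list of findings (an empty list means the config is consistent)."""
    svc = walk(lines)
    https, vpn = svc["https"], svc["sslvpn"]
    findings = []
    if (https.enabled and vpn.enabled and https.port == vpn.port
            and https.policy != vpn.policy):
        findings.append(
            f"HTTPS and SSL VPN share port {vpn.port} but use different SSL "
            f"server policies ({https.policy} vs {vpn.policy}); both cannot "
            "be enabled")
    for line in vpn.ignored:
        findings.append(
            f"'{line}' was set while SSL VPN was enabled and is not in effect; "
            "disable and re-enable the service")
    return findings


# Constructed sample configurations (not from the manual)
BAD_SAME_PORT = [
    "ip https ssl-server-policy web-pol",
    "ip https enable",
    "sslvpn server-policy vpn-pol",
    "sslvpn enable",
]
BAD_CHANGE_WHILE_UP = [
    "ip https ssl-server-policy shared-pol",
    "ip https enable",
    "sslvpn server-policy shared-pol",
    "sslvpn enable",
    "sslvpn port 8443",          # ignored: service is still enabled
]
GOOD = [
    "ip https ssl-server-policy shared-pol",
    "ip https enable",
    "sslvpn server-policy shared-pol",
    "sslvpn enable",
    "undo sslvpn enable",
    "sslvpn port 8443",
    "sslvpn enable",
]

if __name__ == "__main__":
    for name, cfg in [("same port", BAD_SAME_PORT),
                      ("change while up", BAD_CHANGE_WHILE_UP), ("good", GOOD)]:
        print(name, lint(cfg) or "OK")
```

Run against a saved configuration export before pushing it to the device; a non-empty result from `lint()` means the running SSL VPN service will not be in the state the configuration file suggests.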
Example of the CLI configuration required for SSL VPN
Network requirements
As shown in Figure 215, configure SSL and enable the SSL VPN service on the SSL VPN gateway, so that users can log in to the Web interface of the SSL VPN gateway through HTTPS and then access the internal resources of the corporate network through the SSL VPN gateway.
In this configuration example:
• The IP address of the SSL VPN gateway is 10.1.1.1/24.
• The IP address of the Certificate Authority (CA) is 10.2.1.1/24. The name of the CA is CA server, which is used to issue certificates to the SSL VPN gateway and remote users.
Figure 215 Network diagram
Configuration procedure
NOTE:
• In this example, a Windows Server is used as the CA. Install the Simple Certificate Enrollment Protocol (SCEP) plugin on the CA.
• Before performing the following configurations, make sure that the intended SSL VPN gateway, the CA, and the host used by the remote user can reach each other, and that the CA service is enabled on the CA so that it can issue certificates to the SecPath (SSL VPN gateway) and the host.
1. Apply for a certificate for the SSL VPN gateway (SecPath).
# Configure a PKI entity named en and specify the common name of the entity as http-server.
(Figure 215 labels, diagram not reproduced: SecPath as SSL VPN gateway, 10.1.1.1/24; Host of the remote user; Internal servers; CA, 10.2.1.1/24; Internet)