1. Configure interface IP addresses, routing, security zones, and inter-zone security policies so that the network is reachable. The specific configuration steps are omitted.
2. Configure the SSL VPN gateway
Configure SSL VPN gateway gw: its IP address is 1.1.1.2 (the public network address) and its port number is 4430.
<Device> system-view
[Device] sslvpn gateway gw
[Device-sslvpn-gateway-gw] ip address X.150.20.24 port 4430
[Device-sslvpn-gateway-gw] service enable
[Device-sslvpn-gateway-gw] quit
3. Create the SSL VPN client address pool
Create the address pool SslPool, which assigns addresses to SSL VPN clients. The address range is 10.1.1.1 to 10.1.1.10.
[Device] sslvpn ip address-pool SslPool 10.1.1.1 10.1.1.10
4. Create the SSL VPN AC interface
Create SSL VPN AC interface 1 and configure its IP address as 10.1.1.254/24.
[Device] interface sslvpn-ac 1
[Device-SSLVPN-AC1] ip address 10.1.1.254 24
[Device-SSLVPN-AC1] quit
Add interface SSLVPN-AC1 to a security zone.
[Device] security-zone name Untrust
[Device-security-zone-Untrust] import interface SSLVPN-AC1
5. Configure the SSL VPN access instance (context)
Configure SSL VPN context Ssl, reference SSL VPN gateway gw, and specify the domain name as domainip.
[Device] sslvpn context Ssl
[Device-sslvpn-context-ctxip] gateway gw domain Ssl
Specify the SSL VPN AC interface used by IP access 1.
[Device-sslvpn-context-ctxip] ip-tunnel interface sslvpn-ac 1
Create the route list rtlist and add the route entry 192.168.200.0/24.
[Device-sslvpn-context-ctxip] ip-route-list SERVER
[Device-sslvpn-context-ctxip-route-list-rtlist] include 192.168.7.0 24
[Device-sslvpn-context-ctxip-route-list-rtlist] quit
Reference the SSL VPN client address pool SslPool and configure the DNS server that is issued to clients.
[Device-sslvpn-context-ctxip] ip-tunnel address-pool SslPool mask 24
[Device-sslvpn-context-ctxip] ip-tunnel dns-server primary 192.168.7.2
Create the SSL VPN policy group Ssl, reference the route list rtlist, and at the same time configure ACL filtering for IP access.
[Device-sslvpn-context-ctxip] policy-group Ssl
[Device-sslvpn-context-ctxip-policy-group-resourcegrp] ip-tunnel access-route ip-route-list SERVER
[Device-sslvpn-context-ctxip-policy-group-resourcegrp] filter ip-tunnel acl 3300
[Device-sslvpn-context-ctxip-policy-group-resourcegrp] quit
Enable the SSL VPN context ctxip.
[Device-sslvpn-context-ctxip] service enable
[Device-sslvpn-context-ctxip] quit
# Create ACL 3300 with a rule that permits IP packets from source 10.1.1.0/24 to the destination network segment 192.168.200.0/24.
[Device] acl advanced 3300
[Device-acl-ipv4-adv-3300] rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
[Device-acl-ipv4-adv-3300] quit
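The policy group above ties three things together: the address pool clients are assigned from, the route list pushed to clients, and the ACL that filters what those clients may actually reach. A least-privilege check is that the pool falls inside the ACL's permitted sources and that every pushed route is matched by an ACL permit entry (and vice versa). The script below is an added example, not part of this page or of H3C's own tooling: it parses a small, constructed config fragment that mirrors the commands above (names SslPool, SERVER, Ssl and ACL 3300 are taken from the page) and reports mismatches. On this fragment it flags that the route list includes 192.168.7.0/24 while the ACL permits 192.168.200.0/24. The parser assumes the command spellings shown on this page and handles only contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed sample mirroring the page's commands (not real device output).
SAMPLE_CONFIG = """
sslvpn ip address-pool SslPool 10.1.1.1 10.1.1.10
sslvpn context Ssl
 ip-route-list SERVER
  include 192.168.7.0 24
 ip-tunnel address-pool SslPool mask 24
 policy-group Ssl
  ip-tunnel access-route ip-route-list SERVER
  filter ip-tunnel acl 3300
acl advanced 3300
 rule permit ip source 10.1.1.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
"""

# Matches "rule [id] permit|deny ip source A [wc] destination B [wc]" (page syntax only).
RULE_RE = re.compile(
    r"rule\s+(?:\d+\s+)?(permit|deny)\s+ip\s+source\s+(\S+)(?:\s+(\S+))?"
    r"\s+destination\s+(\S+)(?:\s+(\S+))?"
)


def wildcard_net(addr, wildcard):
    """Convert an 'address wildcard' pair to an ip_network; 'any' means 0.0.0.0/0.
    Assumes a contiguous wildcard (0.0.0.255 style); a missing wildcard means /32."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wc = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wc)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_config(text):
    """Collect pools, route lists, policy groups and ACL rules from config text."""
    cfg = {"pools": {}, "route_lists": {}, "acls": {}, "policy_groups": {}, "context_pool": None}
    route_list = acl = group = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["sslvpn", "ip", "address-pool"]:
            cfg["pools"][t[3]] = (ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5]))
        elif t[0] == "ip-route-list":
            route_list = cfg["route_lists"].setdefault(t[1], [])
        elif t[0] == "include" and route_list is not None:
            route_list.append(ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False))
        elif t[:2] == ["ip-tunnel", "address-pool"]:
            cfg["context_pool"] = t[2]
        elif t[0] == "policy-group":
            group = cfg["policy_groups"].setdefault(t[1], {"acl": None, "route_list": None})
        elif t[:3] == ["ip-tunnel", "access-route", "ip-route-list"] and group is not None:
            group["route_list"] = t[3]
        elif t[:3] == ["filter", "ip-tunnel", "acl"] and group is not None:
            group["acl"] = int(t[3])
        elif t[:2] == ["acl", "advanced"]:
            acl = cfg["acls"].setdefault(int(t[2]), [])
        elif t[0] == "rule" and acl is not None:
            m = RULE_RE.match(raw.strip())
            if m:
                action, src, src_wc, dst, dst_wc = m.groups()
                acl.append((action, wildcard_net(src, src_wc), wildcard_net(dst, dst_wc)))
    return cfg


def check_policy(cfg, group_name):
    """Return a list of human-readable findings for one policy group."""
    findings = []
    group = cfg["policy_groups"][group_name]
    permits = [(s, d) for a, s, d in cfg["acls"].get(group["acl"], []) if a == "permit"]
    if group["acl"] is None or not permits:
        findings.append(f"policy-group {group_name}: no ACL permit rule is bound to IP access filtering")
    # The pool clients are assigned from should sit inside a permitted source range.
    pool = cfg["pools"].get(cfg["context_pool"])
    if pool:
        start, end = pool
        if not any(start in s and end in s for s, _ in permits):
            findings.append(f"address pool {cfg['context_pool']} ({start}-{end}) is not covered by any permit source")
    # Every route pushed to clients should be reachable through the ACL, and the ACL
    # should not permit destinations that the route list never pushes.
    routes = cfg["route_lists"].get(group["route_list"], [])
    for net in routes:
        if not any(net.subnet_of(d) for _, d in permits):
            findings.append(f"route {net} is pushed to clients but no permit rule in ACL {group['acl']} allows it")
    for _, d in permits:
        if not any(d.subnet_of(net) or net.subnet_of(d) for net in routes):
            findings.append(f"ACL {group['acl']} permits {d} but no entry in route list {group['route_list']} covers it")
    return findings


if __name__ == "__main__":
    for line in check_policy(parse_config(SAMPLE_CONFIG), "Ssl"):
        print(line)
```

Run it against the output of `display current-configuration` (saved to a file and read in place of SAMPLE_CONFIG) after each change to the route list or the ACL; an empty result means pool, pushed routes and ACL agree.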
6. Configure the SSL VPN user
Create local SSL VPN user ssluser with password 123456, user role network-operator, and authorized SSL VPN policy group resourcegrp.
local-user weixy class network
 password simple weixy
 service-type sslvpn
 authorization-attribute sslvpn-policy-group Ssl
 authorization-attribute user-role network-operator
 quit
WEN:
sslvpn context Weixy
 gateway Weixy domain Weixy
 url-list URLLIST
  heading web
  url Tongyirenzheng url-value https://sit1-sso.zhph.lan/cas/login?service=http://sit1-instalsale.zhph.lan/admin
 policy-group Weixy
  resources url-list URLLIST
 service enable
sslvpn gateway Weixy
 ip address 182.150.20.24 port 65002
 service enable