Mobile Access Resource Publishing technology

1. Mobile Access Resource Publishing demand

1.1 Background demand

Requirements:

  1. Users on a business trip or at home can access the enterprise's application systems / network.
  2. Visiting computers must be able to access both B/S and C/S class applications (what B/S and C/S are: https://www.cnblogs.com/groler/articles/2116905.html).
  3. Mobile terminals (phones, tablets) must be able to use applications that run on Windows.

1.2 Solution

  1. After access authorization, allow the terminal to reach the business system computers (by address, protocol and port).
  2. Use remote application publishing to deliver Windows applications to mobile terminals.

2. Mobile Access Resource Publishing technology

2.1 resource classification

A resource is a network service that an authorized SSL VPN remote access terminal is allowed to reach.

Depending on the implementation mechanism and the application service, resources are divided into four categories:
1. WEB application
2. TCP application
3. L3VPN
4. Remote application

2.2 WEB Application

2.2.1 Requirement background

Requirements:

  1. A mobile phone user outside the office has already established an SSL VPN to headquarters. The user now needs to access headquarters web resources from the phone.
  2. The user does not want to install additional controls on the phone.
    Solution: publish WEB resources to the user.

2.2.2 WEB application technology introduction

WEB application
The SSL device converts the network service into an HTTPS link that the browser opens.
Supported application types: HTTP, HTTPS, MAIL, FTP and FileShare.

Advantages: no client control is needed; all browsers are supported.
Recommendation: WEB applications are not recommended for routine use; use them for mobile phones and other non-IE browser environments where the ActiveX control cannot be installed.

Note: when a client accesses a WEB application through the SSL VPN, it cannot open a new window and type the original address; it can only reach the WEB service by clicking links, or by using the address bar with the full-network WEB access method.

2.2.3 WEB application technical principles

Steps 1, 2 and 3 in the figure above are described as follows:

  1. The SSL client establishes a connection with the SSL VPN device, and the OA system is created as a resource on the SSL VPN. The SSL VPN device converts the service into a link that the client browser can open, for example http://172.172.3.100 is converted to https://202.96.137.88/web/1/http/0/172.172.3.100/
  2. After logging in to the VPN, the client clicks the resource in the resource list to visit the OA resource. The address accessed is https://202.96.137.88/web/1/http/0/172.172.3.100/, which goes directly into the VPN tunnel.
  3. After the data reaches the SSL VPN device, the SSL VPN decapsulates it, converts the HTTPS back into the original HTTP, and resends the request to the OA server using the SSL VPN device's own IP (default) or the user's virtual IP as the source IP. The resource is loaded onto the SSL VPN device locally, and the SSL VPN then answers the client's request. [The source IP is modified to solve the return-routing problem.]
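The address conversion of step 1, its inverse in step 3, and the reason the note in 2.2.2 gives for typed addresses failing, as an added example in Python; this is not code from the original post or from Sangfor. The `/web/1/` and `/0/` path segments are copied exactly as shown on the page and treated as opaque fixed fields, since the page does not document their meaning (an assumption).

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Values from the page's example: the appliance's public address and the intranet OA server.
VPN_HOST = "202.96.137.88"
# The "/web/1/" and "/0/" path segments are reproduced exactly as shown on the page; their
# meaning is not documented there, so they are treated here as opaque fixed fields (assumption).
PREFIX = ("web", "1")
FLAG = "0"

def to_vpn_url(internal_url: str) -> str:
    """Rewrite http(s)://host/path into https://<vpn>/web/1/<scheme>/0/<host>/path (step 1)."""
    p = urlsplit(internal_url)
    if p.scheme not in ("http", "https") or not p.netloc:
        raise ValueError("only absolute web URLs are rewritten: " + internal_url)
    new_path = "/" + "/".join(PREFIX + (p.scheme, FLAG, p.netloc)) + (p.path or "/")
    return urlunsplit(("https", VPN_HOST, new_path, p.query, p.fragment))

def from_vpn_url(vpn_url: str) -> str:
    """Inverse mapping (step 3): recover the plain HTTP request the appliance sends to the server."""
    p = urlsplit(vpn_url)
    m = re.fullmatch(r"/web/(\d+)/(https?)/(\d+)/([^/]+)(/.*)?", p.path)
    if p.scheme != "https" or p.netloc != VPN_HOST or not m:
        raise ValueError("not a rewritten SSL VPN URL: " + vpn_url)
    _rid, scheme, _flag, host, path = m.groups()
    return urlunsplit((scheme, host, path or "/", p.query, p.fragment))

# Absolute http(s) links in href/src attributes of the fetched page.
LINK_RE = re.compile(r'(href|src)=["\'](https?://[^"\']+)["\']')

def rewrite_links(html: str) -> str:
    """Rewrite absolute links in the body returned by the server so that every click stays on the
    appliance. A link that is not rewritten, or an address typed into a fresh window, would point
    the browser at the intranet host directly, which the note in 2.2.2 says does not work."""
    return LINK_RE.sub(lambda m: m.group(1) + '="' + to_vpn_url(m.group(2)) + '"', html)
```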

2.2.4 WEB resource publishing configuration

  1. In [SSL VPN Settings] - [Resource Management], create a new WEB application and add the OA system application resource, type HTTP, IP 172.172.3.100.

After login succeeds and initialization completes, the corresponding resource appears in the resource list; clicking it opens the corresponding system, as shown below. The address bar shows that the device performed the protocol conversion.

2.3 TCP application technology

2.3.1 Requirement background

Requirements:

  1. A user working on a computer outside the office needs to remotely log in to the headquarters web server from that computer to update resources.

2.3.2 TCP application technology introduction

TCP application
A TCP application is implemented by installing a Proxy control on the Client. The control captures the TCP connections made to the server, encapsulates the data, and converts the ordinary TCP connection into SSL protocol data.

Supported application types: all applications based on the TCP transport protocol.

Advantages: wide applicability; only one small control is installed automatically on the Client.

Recommendation: for all TCP-based applications, adding a TCP application is the preferred choice.

2.3.3 TCP application technical principles

The overall steps are as follows:

  1. The client establishes an SSL VPN connection with the SSL device, and the OA system is created as a resource on the SSL VPN.
  2. The client installs the ProxyIE control (the control must be installed after the resource already exists; when a new resource is created, log out and log in again to update the ProxyIE control). The control can identify which traffic goes through the VPN tunnel.
  3. After logging in to the VPN, the client accesses 172.172.3.100.
  4. ProxyIE recognizes that the packet is accessing a TCP application resource and is therefore VPN traffic, captures it and encapsulates it into the tunnel: the entire original packet is encrypted and encapsulated into the application-layer data of the new packet.
  5. After the data reaches the SSL VPN device, the SSL VPN decapsulates it, changes the source IP to the VPN device's own IP (default) or the user's virtual IP, and sends the original packet to the OA server. [The source IP is changed to solve the return-routing problem.]

2.3.4 TCP application case

Customer requirements:

  1. Travelling users need to securely access the intranet OA system through the SSL VPN.
  2. Headquarters publishes the OA system as a TCP application resource.

Requirement confirmation: the OA system is accessed with a browser at http://172.172.3.100

Configuration

  1. In [SSL VPN Settings] - [Resource Management], create a new TCP application and add the OA system application resource, type HTTP, IP 172.172.3.100, port 80.

After login succeeds and initialization completes, the corresponding resource appears in the resource list; clicking the resource or entering the address in the browser opens the corresponding system, as shown below:

2.4 L3VPN

2.4.1 Requirement background

Requirements:

  1. A user working on a computer outside the office needs to access the headquarters SNMP server from that computer for management.

2.4.2 L3VPN technology introduction

L3VPN application
An L3VPN application is implemented by installing a virtual network adapter on the Client. The virtual adapter creates routes in the client's routing table that point to itself, captures the data destined for the server, encapsulates it, and passes it to the Server through the tunnel established between the virtual adapter and the SSL device.

Supported application types: all applications based on TCP, UDP and ICMP.

Characteristics:
1. The Client must install a virtual network adapter, whose package is larger than the TCP control.
2. The virtual adapter must be installed on the first login to the SSL VPN; the implementation is similar to an IPsec mobile client.

Recommendation: use L3VPN resources for UDP- or ICMP-based applications, or when the Server needs to actively initiate access to the Client.

2.4.3 L3VPN application technical principles

The specific steps of the process are as follows:

  1. The client establishes an SSL VPN connection with the SSL device, and the OA system is created as a resource on the SSL VPN.
  2. The client installs the virtual network adapter control (the control must be installed after the resource already exists; when a new resource is created, log out and log in again to update the virtual adapter control). The control pushes the route entries for L3VPN resources into the client's local routing table.
  3. After logging in to the VPN, the client accesses 172.172.3.100. By looking up its routing table, the client finds that packets to 172.172.3.100 should be handed to the virtual adapter.
  4. The virtual adapter encapsulates the packet and sends it into the SSL VPN tunnel: the entire original packet is encrypted and encapsulated into the application-layer data of the new packet, with the source IP changed to the virtual adapter's IP.
  5. After the data reaches the SSL VPN device, the SSL VPN decapsulates it, changes the source IP to the VPN device's own IP (default) or the user's virtual IP, and sends the original packet to the OA server. [The source IP is changed to solve the return-routing problem.]
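The client-side decision and the appliance-side source rewrite shared by the TCP application (2.3.3) and L3VPN (2.4.3) procedures, as an added Python model; this is not code from the original post or from Sangfor. The host 172.172.3.100, port 80 and virtual IP 2.0.1.1 come from the page; the appliance's LAN address 172.172.3.1, the virtual pool 2.0.1.0/24 and the OA server's routing table are assumptions.

```python
import ipaddress

# From the page: the published OA host and the virtual IP the client receives on login.
RESOURCE_HOST = "172.172.3.100"
VIRTUAL_IP = "2.0.1.1"
# Assumptions (not given on the page): the appliance's address inside the HQ LAN, and the
# pool from which virtual IPs are handed out.
APPLIANCE_LAN_IP = "172.172.3.1"
HQ_LAN = ipaddress.ip_network("172.172.3.0/24")
VIRTUAL_POOL = ipaddress.ip_network("2.0.1.0/24")

TCP_APPS = {(RESOURCE_HOST, 80)}                              # 2.3.4: OA as TCP application, port 80
L3VPN_ROUTES = [ipaddress.ip_network(RESOURCE_HOST + "/32")]  # 2.4.4: resource route pushed to client

def client_classify(pkt):
    """Client side. ProxyIE only hooks TCP connections to a published host:port; the virtual
    adapter matches any protocol against the resource routes it added to the local table."""
    if pkt["proto"] == "tcp" and (pkt["dst"], pkt["dport"]) in TCP_APPS:
        return "tcp-app"
    if any(ipaddress.ip_address(pkt["dst"]) in net for net in L3VPN_ROUTES):
        return "l3vpn"
    return None                          # not a resource: leaves via the physical interface

def encapsulate(pkt, mechanism):
    """Both mechanisms carry the whole original packet as the application payload of the SSL
    record; the virtual adapter additionally stamps the virtual IP as the inner source (step 4)."""
    inner = dict(pkt)
    if mechanism == "l3vpn":
        inner["src"] = VIRTUAL_IP
    return {"proto": "tls", "payload": inner}

def appliance_decapsulate(tunnel_pkt, use_virtual_ip=False):
    """Appliance side (step 5): unwrap and rewrite the source to the appliance's own IP
    (default) or the user's virtual IP before forwarding the original packet to the server."""
    inner = dict(tunnel_pkt["payload"])
    inner["src"] = VIRTUAL_IP if use_virtual_ip else APPLIANCE_LAN_IP
    return inner

def server_reply_next_hop(dst):
    """Assumed OA-server routing table: HQ LAN on-link, virtual pool via a static route to the
    appliance, anything else (such as a client's real Internet address) out the default gateway."""
    d = ipaddress.ip_address(dst)
    if d in HQ_LAN:
        return "on-link"
    if d in VIRTUAL_POOL:
        return "via-appliance"
    return "default-gateway"

def reply_returns_through_tunnel(inner):
    """True when the server's reply to inner['src'] reaches the appliance, i.e. the tunnel."""
    return server_reply_next_hop(inner["src"]) != "default-gateway"
```

Without the rewrite, a TCP-application packet keeps the client's real address as inner source and the server's reply leaves through its default gateway, never reaching the appliance.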

2.4.4 L3VPN case

Customer requirements

The user needs to securely access the intranet through the SSL VPN, and wants to access the headquarters OA resource (172.172.3.100) as an L3VPN resource.

Requirement confirmation

The IM communication software has a C/S architecture, so the terminal must install the IM client. The IM server's intranet address is 172.172.3.100 and its protocol and port are UDP 80.

Configuration

Add the corresponding L3VPN resource on the device console, as shown below:

During login the required SSL VPN components are installed automatically; the figure below shows the initialization during the login process:

After a successful login, the client obtains a virtual IP address (2.0.1.1), and a resource route with destination IP 172.172.3.100 is automatically created in the system, as shown below:

2.5 Remote application technology

2.5.1 Remote application technology introduction

A server-based computing model is used: installation, configuration, management, maintenance and execution of the applications are all centralized on the server. The user logs in to the server through a remote client to operate it, and the input and output are transmitted over the network to the client.

Technical characteristics

1. The client does not need to install the application, only the EasyConnect client; the terminal server needs the RemoteServerAgent component installed. This reduces the limitations of C/S application systems and improves usability.

2. Some B/S applications require a plug-in in the client browser, and that plug-in is incompatible with, or cannot be installed on, phones or tablets; such applications can be used through remote application publishing.

2.5.2 Remote application case

Customer requirements

Mobile terminal and PC users securely access the intranet through the SSL VPN and can use the enterprise's office applications running on the Windows platform without installing the corresponding application software locally.

Requirement confirmation

The application software has a C/S or B/S architecture and does not support mobile terminals, for example the IE browser, ERP systems and MS Office applications.

Configuration

  1. Log in to the SSL VPN from the terminal server, download the terminal server program SFRemoteAppServerInstall.exe via [SSL VPN Settings] - [Terminal Server Management], and double-click it on the server to install.
  2. In [SSL VPN Settings] - [Terminal Server Management] - New - Server, fill in the server name, IP address, and the Windows Server username and password, then click "Test connection" to test the link between the SSL VPN appliance and the terminal server. When it is normal, the prompt "Terminal server connection and authentication succeeded" appears, as shown below:
  3. Click "Add Preset" and select the application to publish; here the IE browser is published.
  4. After adding the configuration, click Save, then click "Take effect immediately" in the upper right corner. The online status of the added terminal server can then be viewed, as shown below:
  5. Configure the resource name, application type and start parameters, as follows:

Once configured, the remote application resource can be viewed in the resource group it was assigned to, as shown below:
After a successful login, the resource page is displayed, as shown below:

Click on the resource.

Display effect
On the mobile terminal, after a successful EasyConnect login, click the remote application resource on the resource page to open the published remote application, as shown below:

3. Related terms

3.1 Role

3.1.1 Role explanation

In SANGFOR SSL, a role is the link between users and resources: it associates different users with different resources inside the network, so as to achieve finer-grained control of remote access.

3.1.2 Role Configuration


3.2 Policy Group

3.2.1 Policy group explanation

A policy group sets the security policy that applies to a user's VPN access.

It includes the following:
client-related options, account attributes and secure desktop-related information.

After the policy group setup is complete, it must be associated with a user or user group to take effect.
Depending on requirements, different user groups can be associated with different policy groups.

3.2.2 Policy group configuration

(1) Associate users or user groups

(2) Client options

Client options set the client's session bandwidth, whether PPTP access is allowed, the SSL line, and the limit on the number of hardware signatures.

(3) Account control

Account control is used to set account-related permissions.

Origin blog.csdn.net/csdn10086110/article/details/90899641