
Customer requests SSL VPN access for their employees and an external supplier, with a different network extension per type of user

Publication Date:  2018-03-29 Views:  63 Downloads:  0
Issue Description

The customer's requirement is to give SSL VPN access to their employees and to an external supplier. They would like to create a different network extension for each type of user:

- Employees need to reach internal networks A and B

- The supplier needs to reach internal network B


Solution

First, follow the configuration example linked below (local authentication for remote access users using SSL VPN). Then add the further configuration described here to meet the customer's requirement.

http://support.huawei.com/hedex/pages/EDOC1000154459AEG0822T/04/EDOC1000154459AEG0822T/04/resources/admin/sec_admin_userauth_0080_web.html?ft=0&fe=10&hib=6.13.8.2.2&id=sec_admin_userauth_0080_2&text=Web%253A%2520Example%2520for%2520Configuring%2520Local%2520Authentication%2520on%2520Remote%2520Access%2520Users%2520Using%2520SSL%2520VPN&docid=EDOC1000154459

First way:

1. The customer needs to add an authentication policy for the network extension IP pool.

2. In the network extension configuration, add networks A and B to the accessible private network segment list.

3. In the security policy, add a rule that denies the supplier access to network A.

Second way:

1. Create the group and users in the domain.

2. Create the SSL VPN in the web UI.

3. Bind an IP pool (starting at 10.1.1.1) to group1 (for employees), and bind a separate pool to the supplier group.

<sysname> system-view
[sysname] v-gateway abc                                  - enter the SSL VPN virtual gateway view
[sysname-abc] service
[sysname-abc-service] network-extension netpool 10.1.1.1 10.1.1.10 255.255.255.0    - create the IP pool for group1
[sysname-abc-service] quit
[sysname-abc] vpndb
[sysname-abc-vpndb] group /default/group1                - add the group to the virtual gateway
[sysname-abc-vpndb] group /default/group1 network-extension netpool 10.1.1.1    - bind the IP pool (referenced by its start address) to the group
[sysname-abc-vpndb] display group                        - display the groups on the virtual gateway
[sysname-abc-vpndb] display user                         - display the users on the virtual gateway
[sysname-abc-vpndb] display group /default/group1        - display detailed information about the group, including whether it is bound to a virtual IP address segment

4. Create a security policy that denies the IP pool bound to the supplier group access to network A.

Source: the supplier IP pool;        destination: network A.           Action: deny
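Both ways end with the same security policy: the supplier pool is denied to network A while both pools remain permitted to A and B by the general SSL VPN permit rule, and on a first-match firewall the deny rule only works if it sits above that permit. The following Python script is an added example, not part of the original article or of Huawei's products; it models first-match policy evaluation and probes one address per pool against each network to confirm the intended reachability matrix. Only the employee pool 10.1.1.1 to 10.1.1.10 comes from the page; the supplier pool and the addresses of networks A and B are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

IPAddr = ipaddress.IPv4Address


@dataclass(frozen=True)
class AddrRange:
    """A network-extension IP pool, expressed as the start/end addresses the CLI takes."""
    start: IPAddr
    end: IPAddr

    def __contains__(self, ip: IPAddr) -> bool:
        return self.start <= ip <= self.end


@dataclass(frozen=True)
class Rule:
    """One security-policy rule: source pools, destination networks, permit or deny."""
    name: str
    sources: tuple        # AddrRange objects
    destinations: tuple   # ipaddress.IPv4Network objects
    action: str           # "permit" or "deny"

    def matches(self, src: IPAddr, dst: IPAddr) -> bool:
        return any(src in s for s in self.sources) and any(dst in d for d in self.destinations)


def evaluate(rules, src: IPAddr, dst: IPAddr):
    """First matching rule wins; no match falls through to the default deny."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action, rule.name
    return "deny", "default"


# Employee pool as configured on the page; everything below it is a constructed placeholder.
EMPLOYEE_POOL = AddrRange(ipaddress.ip_address("10.1.1.1"), ipaddress.ip_address("10.1.1.10"))
SUPPLIER_POOL = AddrRange(ipaddress.ip_address("10.1.2.1"), ipaddress.ip_address("10.1.2.10"))
NET_A = ipaddress.ip_network("192.168.10.0/24")   # placeholder for internal network A
NET_B = ipaddress.ip_network("192.168.20.0/24")   # placeholder for internal network B

# Correct order: the specific deny sits above the general SSL VPN permit.
POLICY = [
    Rule("deny_supplier_to_A", (SUPPLIER_POOL,), (NET_A,), "deny"),
    Rule("permit_sslvpn_pools", (EMPLOYEE_POOL, SUPPLIER_POOL), (NET_A, NET_B), "permit"),
]

# The customer's requirement as a reachability matrix: (pool, network) -> expected action.
INTENT = {
    ("employee", "A"): "permit",
    ("employee", "B"): "permit",
    ("supplier", "A"): "deny",
    ("supplier", "B"): "permit",
}


def check_intent(rules):
    """Probe one address from each pool against one host in each network.

    Returns a dict of (pool, network) -> (actual action, matching rule) for every
    cell of the matrix that does not match INTENT; an empty dict means the policy
    implements the requirement.
    """
    probes = {"employee": EMPLOYEE_POOL.start, "supplier": SUPPLIER_POOL.start}
    hosts = {"A": NET_A[10], "B": NET_B[10]}
    mismatches = {}
    for (pool, net), expected in INTENT.items():
        action, rule = evaluate(rules, probes[pool], hosts[net])
        if action != expected:
            mismatches[(pool, net)] = (action, rule)
    return mismatches


if __name__ == "__main__":
    print("correct order:", check_intent(POLICY) or "matches intent")
    # Same two rules with the permit above the deny: the supplier reaches network A.
    print("permit first: ", check_intent(POLICY[::-1]))
```

Running the script with the rules reversed (`POLICY[::-1]`) reports the supplier-to-A cell as permitted by `permit_sslvpn_pools`, which is exactly the misconfiguration to look for when the deny rule is added after the general permit; re-running `check_intent` after any later policy change is a cheap regression check on the requirement.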

END