How to Configure Security Policies to Allow SSL VPN
Typical services supported by SSL VPN include web proxy, port forwarding, file sharing, and network extension.
Web Proxy, Port Forwarding, and File Sharing
The web proxy, port forwarding, and file sharing services follow the same interaction pattern. A remote user logs in to the virtual gateway on the firewall over HTTPS, then browses and accesses service resources through it. The firewall acts as the service proxy: it terminates the user's HTTPS session and itself opens the server-side connections, over HTTP for the web proxy, plain TCP for port forwarding, and SMB or NFS for file sharing.
Two kinds of traffic therefore need to be permitted: remote users reaching the virtual gateway from the public network over HTTPS (Untrust to Local), and the firewall's own connections from the Local zone to the intranet servers. Only the ports the servers actually expose need to be opened on the second leg.
No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region [3] | Destination Address/Region | Service | Action
---|---|---|---|---|---|---|---
101 | Allow SSL tunnel | Untrust | Local | any | 203.0.113.1/32 | https (TCP: 443) | permit
102 | Allow web proxy | Local | Trust | any | 10.1.2.10/32 | HTTP (TCP: 80) | permit
103 | Allow port forwarding | Local | Trust | any | 10.1.2.11/32 | telnet (TCP: 23) [1] | permit
104 | Allow file sharing | Local | Trust | any | 10.1.2.12/32 | smb (TCP: 445), netbios-session (TCP: 139) [2] | permit

[1] Telnet is used only as an example of a port-forwarded service; permit the port of the service you actually forward.
[2] Windows SMB file sharing is used as an example; TCP ports 139 and 445 must be opened. To reach an NFSv4 server on a UNIX-like system, open TCP port 2049 instead.
[3] For the SSL tunnel, the source address is the public IP address of the remote user, which cannot be known or enumerated in advance, so the source address is set to any. For access from the firewall to the servers, the source address is the firewall's own interface address; it can also be left as any.
Network Extension
The remote user logs in to the virtual gateway through HTTPS and enables the network extension service. After the network extension function is enabled, an SSL VPN tunnel is established between the remote user's device and the virtual gateway. The remote user's device obtains a private IP address from the address pool of the virtual gateway to access intranet resources. The access request of the remote user is encapsulated in SSL and sent to the virtual gateway. After decapsulating the packet, the virtual gateway searches for the route and security policy, and then sends the packet to the server according to the search result. An SSL VPN tunnel can work in either of the following modes based on the client configuration:
- Reliable transmission mode: TCP is used as the transport protocol, and SSL is used as the encapsulation protocol. In this mode, TCP port 443 is used.
- Quick transmission mode: UDP is used as the transport protocol, and SSL is used as the encapsulation protocol. In this mode, UDP port 443 is used.
Figure 9-10 uses the reliable transmission mode as an example to show the packet sending process of the network extension service.
The remote user must be allowed to log in to the virtual gateway through HTTPS to establish an SSL tunnel. According to the client configuration, the SSL tunnel may use TCP port 443 or UDP port 443. Then, the virtual gateway must be allowed to send decapsulated packets to the server.
No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action
---|---|---|---|---|---|---|---
101 | Allow SSL tunnel | Untrust | Local | any | 203.0.113.1/32 | https (TCP: 443), UDP: 443 [1] | permit
102 | Allow network extension | Untrust | Trust | 10.1.3.1-10.1.3.100 [2] | 10.1.2.0/24 | any [3] | permit

[1] UDP port 443 needs to be opened only when the quick transmission mode is configured on the client; TCP port 443 must be opened in every case, because the HTTPS login to the virtual gateway always uses it. If the virtual gateway port or the quick transmission mode port has been changed from 443, permit the ports actually configured.
[2] The source address of the inner packet of the network extension service is the address that the remote user's device obtained from the virtual gateway address pool, so the rule matches on the pool range, not on the user's public address.
[3] The service to permit depends on what remote users actually access through network extension; configure it based on the actual situation rather than leaving it at any. If the server needs to proactively access the remote user's device, configure a reverse security policy that permits that traffic (the mirror of rule 102, with the server as source and the address pool as destination).
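The two tables above (web proxy/port forwarding/file sharing, and network extension) are easy to misread once footnotes and zone directions are involved. The following is an added example, not code from the original page or from the firewall vendor: a small first-match model of both rule sets that evaluates the flows a practitioner would want to verify, such as quick transmission mode against a table that only opens TCP 443, NFSv4 against the SMB-only file sharing rule, and server-initiated traffic back to a client without a reverse policy. The firewall's Trust-side address 10.1.2.1, the remote user's public address 198.51.100.7, and the fall-through to deny when no rule matches are assumptions for the example; check the real device's default policy.

```python
# Added example (not from the original page): a first-match model of the two
# SSL VPN security-policy tables, used to check what each table actually permits.
# Constructed for illustration: 10.1.2.1 (firewall inside address), 198.51.100.7
# (remote user) and the deny fall-through are assumptions, not page content.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    no: int
    name: str
    src_zone: str        # "any" matches every zone
    dst_zone: str
    src: tuple           # ("any",) | ("net", IPv4Network) | ("range", lo, hi)
    dst: tuple
    services: frozenset  # {(proto, port)}; ("any", 0) matches every service
    action: str


ANY_ADDR = ("any",)
ANY_SVC = frozenset({("any", 0)})


def net(cidr):
    return ("net", ip_network(cidr))


def addr_range(lo, hi):
    return ("range", ip_address(lo), ip_address(hi))


def svc(*pairs):
    return frozenset(pairs)


def _addr_match(spec, addr):
    if spec[0] == "any":
        return True
    if spec[0] == "net":
        return addr in spec[1]
    return spec[1] <= addr <= spec[2]          # "range"


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, proto, port):
    """Return (action, rule_no) of the first matching rule, or ("deny", None)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if r.src_zone not in ("any", src_zone) or r.dst_zone not in ("any", dst_zone):
            continue
        if not (_addr_match(r.src, s) and _addr_match(r.dst, d)):
            continue
        if ("any", 0) in r.services or (proto, port) in r.services:
            return r.action, r.no
    return "deny", None


# Web proxy / port forwarding / file sharing table: rules 102-104 are Local -> Trust
# because the firewall itself opens the server-side connections.
PROXY_RULES = [
    Rule(101, "Allow SSL tunnel", "Untrust", "Local", ANY_ADDR, net("203.0.113.1/32"),
         svc(("tcp", 443)), "permit"),
    Rule(102, "Allow web proxy", "Local", "Trust", ANY_ADDR, net("10.1.2.10/32"),
         svc(("tcp", 80)), "permit"),
    Rule(103, "Allow port forwarding", "Local", "Trust", ANY_ADDR, net("10.1.2.11/32"),
         svc(("tcp", 23)), "permit"),
    Rule(104, "Allow file sharing", "Local", "Trust", ANY_ADDR, net("10.1.2.12/32"),
         svc(("tcp", 445), ("tcp", 139)), "permit"),
]

# Network extension table: the inner packet carries a pool address as its source,
# so rule 102 is Untrust -> Trust (Scenario 1 zone rule) with the pool as source.
NETEXT_RULES = [
    Rule(101, "Allow SSL tunnel", "Untrust", "Local", ANY_ADDR, net("203.0.113.1/32"),
         svc(("tcp", 443), ("udp", 443)), "permit"),
    Rule(102, "Allow network extension", "Untrust", "Trust",
         addr_range("10.1.3.1", "10.1.3.100"), net("10.1.2.0/24"), ANY_SVC, "permit"),
]


def checks():
    """Flows a practitioner would verify against each table."""
    user, vgw, fw_inside = "198.51.100.7", "203.0.113.1", "10.1.2.1"
    return {
        # Remote user reaching the virtual gateway over HTTPS.
        "tunnel_tcp": evaluate(PROXY_RULES, "Untrust", "Local", user, vgw, "tcp", 443),
        # Quick transmission mode against a table that only opens TCP 443 (footnote 1).
        "quick_mode_tcp_only": evaluate(PROXY_RULES, "Untrust", "Local", user, vgw, "udp", 443),
        "quick_mode_with_udp": evaluate(NETEXT_RULES, "Untrust", "Local", user, vgw, "udp", 443),
        # Firewall proxying SMB to the file server, and NFSv4 without a 2049 rule (footnote 2).
        "smb_proxy": evaluate(PROXY_RULES, "Local", "Trust", fw_inside, "10.1.2.12", "tcp", 445),
        "nfs_not_opened": evaluate(PROXY_RULES, "Local", "Trust", fw_inside, "10.1.2.12", "tcp", 2049),
        # Network extension inner packet from a pool address, and from outside the pool.
        "netext_from_pool": evaluate(NETEXT_RULES, "Untrust", "Trust", "10.1.3.5", "10.1.2.10", "tcp", 22),
        "netext_outside_pool": evaluate(NETEXT_RULES, "Untrust", "Trust", "10.1.3.200", "10.1.2.10", "tcp", 22),
        # Server-initiated traffic back to the client needs a reverse policy (footnote 3).
        "server_to_client": evaluate(NETEXT_RULES, "Trust", "Untrust", "10.1.2.10", "10.1.3.5", "tcp", 8080),
    }


if __name__ == "__main__":
    for flow, (action, rule_no) in checks().items():
        print(f"{flow:22s} {action:6s} rule {rule_no}")
```

Running the script shows the three cases the footnotes warn about as explicit denies: UDP 443 for quick transmission mode is dropped by the first table, NFSv4 is dropped by the SMB-only file sharing rule, and a connection the server initiates towards a pool address has no matching rule at all. The same model is a convenient place to encode your own address pool, server segment and zone choice from the scenario table below before committing the policies to the device.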
The source security zone of the inner packets of the network extension service varies depending on the product model and version.
Scenario | Applicable Product and Version | Rule
---|---|---
Scenario 1 | USG6000E series: all versions; USG6000 series: versions later than V500R005C00SPC200 | The source security zone is the security zone of the public network interface through which the remote user accesses the virtual gateway. If remote users reach the virtual gateway through multiple public network interfaces, every corresponding security zone must be specified.
Scenario 2 | USG6000 series: V500R001 to V500R005C00SPC200 (included); USG9500 series: V500R001 to V500R005C00SPC200 (included); USG6000 series: V100R001C30SPC600 and later versions | The source security zone is the security zone of the next-hop interface in the route to the public IP address of the remote user's device. If no such route exists, the network extension service is unavailable. If the firewall has multiple public network routes, every corresponding security zone must be specified.
Scenario 3 | USG6000 series: V100R001 to V100R001C30SPC600 (excluded) | When the virtual gateway address pool and the server address are on the same network segment, the source security zone is the security zone of the server. When they are on different network segments, you must manually configure a route whose destination is the virtual gateway address pool. Generally, the outbound interface is the public network interface, and the source security zone is then the security zone of that public network interface. If no such route is configured, the network extension service is unavailable.
Scenario 4 | USG9500 series: V300R001 | When the virtual gateway address pool and the server address are on the same network segment, the source security zone is the security zone of the server. When they are on different network segments, you must manually configure a route whose destination is the virtual gateway address pool. Generally, the outbound interface is the public network interface, and the source security zone is then the security zone of that public network interface. If no such route is configured, the source security zone is Local.