Virtual Gateway - Home Teachers India

Welcome to Home Teachers India

The Passion for Learning needs no Boundaries

Monday, 30 March 2020

Virtual Gateway

Virtual Gateway By Home Teachers India
A virtual gateway is a logically independent SSL VPN gateway on the SVN. As one physical entity, the SVN uses virtual gateway technology to act as several logically independent gateways, each of which is configured and provides its services independently of the others. In this way one device can meet the requirements of several enterprises, or of several departments of one institution.
1. Overview
   This section describes the basic concepts of the virtual gateway and of intranet isolation.
2. Application Scenarios
   This section describes the typical application scenarios of the virtual gateway and of intranet isolation.
3. Mechanism
   This section describes the working principles of the virtual gateway and of intranet isolation.
4. Configuration Flow
   This section describes the procedure for configuring virtual gateways. The flow can be applied flexibly to different networks.
5. Creating a Virtual Gateway
   This section describes how to create a virtual gateway and how to view its status information.
6. Virtual Gateway System
   Configuring the virtual gateway system covers the DNS server, SSL, the virtual gateway administrator, the virtual gateway policy and the customization of the virtual gateway login page.
7. Configuring Intranet Isolation Items
   Intranet isolation is enabled, if required, while the virtual gateway is being created. Only when the function is enabled can source NAT and static routes be configured under the virtual gateway; if the function is disabled, source NAT and static routes are configured in the root firewall.
1 Overview
This section describes the basic concepts of the virtual gateway and of intranet isolation. A logically independent SSL VPN gateway on the SVN is called a virtual gateway. The physical SVN can run multiple logically independent virtual gateways, which is how it meets the needs of several enterprises, or of several branches of one institution. Each virtual gateway is configured, and provides all of its services, independently of the others.
Figure 1-1 Schematic diagram of the virtual gateway

The virtual gateway is the module on the SVN that provides the SSL VPN function. The client is the terminal used by the SSL VPN user. Data transferred between the client and the virtual gateway is carried over an SSL-encrypted connection.
Note:
To highlight the SSL VPN gateway, the figure omits devices such as firewalls.
2 Application Scenarios
This section describes the application scenarios of the virtual gateway and of intranet isolation.
The SVN can be divided into several logically independent SSL VPN gateways, namely virtual gateways. You can configure separate services and information for each virtual gateway, which allows refined management and deployment.
Note:
The number of virtual gateways supported by the SVN is determined by the license. By default, the SVN supports one virtual gateway.
To highlight the virtual gateway, the figures omit devices such as firewalls.
Single Virtual Gateway
You can configure only one virtual gateway on the SVN, so that all users access this one virtual gateway. Figure 1-2 shows the typical networking of a single virtual gateway. Users can access it from the Internet or from the enterprise intranet.
Figure 1-2 Networking diagram of a single virtual gateway

Multiple Virtual Gateways
You can configure multiple virtual gateways on the SVN so that different departments use different virtual gateways. For example, if the employees of different departments need different resources and services, different ACLs are required. In this case you can assign a virtual gateway to each department and configure its users, resources and policies independently.
Figure 1-3 shows the typical networking of multiple virtual gateways. Virtual gateways A, B and C provide services for departments 1, 2 and 3.
Figure 1-3 Networking diagram of multiple virtual gateways

Note:
Multiple virtual gateways implement service isolation (different virtual gateways provide different services) but not physical network isolation. For example, in Figure 1-3 the IP addresses of the different departments must be unique.
Intranet Isolation
Intranet isolation is a special application of multiple virtual gateways in which physical network isolation (IP address reuse) is implemented. If the SVN is rented to several companies, IP address conflicts may occur because each company has its own network plan. Traditional multiple virtual gateways cannot solve this problem; the intranet isolation function is required.
The intranet isolation function splits the SVN into multiple virtual gateways. Unlike common multiple virtual gateways, these virtual gateways are fully independent: each has its own forwarding information, such as IP addresses and routes. In this way each virtual gateway has its own forwarding path, and IP address reuse is implemented.
Figure 1-4 shows the networking of intranet isolation. The IP address plans of companies A and B overlap. After the intranet isolation function is enabled on the SVN, the networks of companies A and B are separated, and packets are forwarded over the routes configured for the corresponding virtual gateways.

Figure 1-4 Networking diagram of intranet isolation

Note:
The SVN supports the intranet isolation function. In addition, when deployed in a virtual desktop solution, the SVN functions as a desktop cloud agent (ICA agent) and secures the communication between clients and servers. As a desktop cloud agent, the SVN additionally provides the functions of the load balancing gateway and the secure cloud gateway. For more information, see 8.7 Desktop Cloud.
3 Mechanism
This section describes the working principles of the virtual gateway and of intranet isolation.
Virtual Gateway
As one physical entity, the SVN uses virtual gateway technology to act as several logically independent gateways, and so meets the needs of several enterprises or of several branch offices of one enterprise. The configuration and the services of each virtual gateway are independent of those of the others. Virtual gateways are classified into types by their IP addresses and domain names (see the Type parameter in 2.1 Creating a Virtual Gateway).
Intranet Isolation
When a virtual gateway is created, if its intranet must be isolated from the intranets of the other virtual gateways, the intranet isolation function can be enabled. Source NAT and routes are then configured under that virtual gateway.
In Figure 1-5, companies A and B share one SVN. Their intranets are isolated as follows:
1. Virtual gateways A and B are created on the SVN for companies A and B. The intranet isolation function is enabled on both virtual gateways.
2. VPN instance VPN_A is created and bound to virtual gateway A; VPN instance VPN_B is created and bound to virtual gateway B.
3. When a user of company A accesses the intranet of company A, the request is first sent to the SVN, and the packet is then forwarded over the route of VPN_A. Likewise, when a user of company B accesses the intranet of company B, the packet is forwarded over the route of VPN_B.
4. The SVN then sends the packet from the user of company A to the intranet of company A, and the packet from the user of company B to the intranet of company B.
5. Finally, both intranet servers respond. The reply packets pass separately over the routes of VPN_A and VPN_B.
In this way, packets exchanged between the different virtual gateways and their intranets travel over different routes and are sent and received without interference. The intranets are therefore isolated.
Figure 1-5 Working principle of intranet isolation
Note:
The IP addresses of the virtual gateways can be configured in the same network segment or in different network segments. For all virtual gateways, the IP addresses used to exchange packets with external networks are configured on interfaces bound to the root firewall. If a virtual gateway is not bound to a VPN instance, the packets it exchanges with the intranet are forwarded over the routes of the root firewall.
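The following model is an added example and not code from the SVN documentation. It implements the forwarding behaviour the mechanism above describes in a toy longest-prefix-match forwarder: each virtual gateway is bound to a VPN instance that owns its own route table, so two companies can both use 10.1.0.0/16 and still be forwarded to different next hops, while a gateway with no VPN instance falls back to the root table. It also shows the conflict that appears when the same two routes land in one shared table, which is the case the note above rules out for plain multiple virtual gateways. All gateway names, prefixes and next-hop addresses are constructed for the demo.

```python
"""Per-VPN-instance forwarding with overlapping intranet address plans.

Added example, not code from the SVN documentation: a toy longest-prefix-match
forwarder in which each virtual gateway is bound to a VPN instance that owns its
own route table. Gateway names, prefixes and next hops are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ROOT = "root"  # table used by virtual gateways that have no bound VPN instance


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str


@dataclass
class Forwarder:
    tables: Dict[str, List[Route]] = field(default_factory=lambda: {ROOT: []})
    bindings: Dict[str, str] = field(default_factory=dict)

    def add_route(self, vpn: str, prefix: str, next_hop: str) -> None:
        self.tables.setdefault(vpn, []).append(Route(ipaddress.ip_network(prefix), next_hop))

    def bind(self, gateway: str, vpn: str) -> None:
        """Bind a virtual gateway to a VPN instance, i.e. to its isolated route table."""
        self.bindings[gateway] = vpn

    def lookup(self, vpn: str, dst: str) -> Optional[str]:
        """Longest-prefix match inside one VPN instance's table only."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for route in self.tables.get(vpn, []):
            if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
                best = route
        return best.next_hop if best else None

    def forward(self, gateway: str, dst: str) -> Optional[str]:
        """A packet entering through a gateway is looked up only in that gateway's VPN instance."""
        return self.lookup(self.bindings.get(gateway, ROOT), dst)

    def overlaps(self, vpn: str) -> List[Tuple[str, str]]:
        """Prefix pairs that collide inside one table: the conflict per-instance tables avoid."""
        routes = self.tables.get(vpn, [])
        return [(str(a.prefix), str(b.prefix))
                for i, a in enumerate(routes) for b in routes[i + 1:]
                if a.prefix.overlaps(b.prefix)]


def isolated_demo() -> Forwarder:
    """Companies A and B both planned 10.1.0.0/16; each gets its own VPN instance."""
    fw = Forwarder()
    fw.add_route("VPN_A", "10.1.0.0/16", "203.0.113.1")   # constructed next hop for company A
    fw.add_route("VPN_B", "10.1.0.0/16", "198.51.100.1")  # constructed next hop for company B
    fw.add_route(ROOT, "10.2.0.0/16", "192.0.2.1")        # a route in the root firewall
    fw.bind("vgw_A", "VPN_A")
    fw.bind("vgw_B", "VPN_B")
    fw.bind("vgw_C", ROOT)  # no VPN instance: uses the root firewall's routes
    return fw


def unisolated_demo() -> Forwarder:
    """The same two routes in the shared root table: the overlap is an address-plan conflict."""
    fw = Forwarder()
    fw.add_route(ROOT, "10.1.0.0/16", "203.0.113.1")
    fw.add_route(ROOT, "10.1.0.0/16", "198.51.100.1")
    return fw


if __name__ == "__main__":
    fw = isolated_demo()
    for gw in ("vgw_A", "vgw_B", "vgw_C"):
        print(gw, "10.1.2.3 ->", fw.forward(gw, "10.1.2.3"))
    print("conflicts without isolation:", unisolated_demo().overlaps(ROOT))
```

The same destination address yields a different next hop depending on which gateway the packet entered through, which is exactly the property that lets the two companies reuse the same range; in the shared table the first matching route silently wins, so the overlap check is the test a practitioner would run before deploying multiple virtual gateways without isolation.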
SSL
The SSL connection is established when the client sends a request to the SVN. The SSL handshake procedure is shown in Figure 1-6.
Figure 1-6 SSL handshake procedure

The messages in Figure 1-6 are exchanged as follows:
1. The client sends a client hello message to the server. This message lists the SSL versions and the cipher suites supported by the client. The cipher suite list is sorted by priority: the suite with the highest priority is the one the client recommends that the server use.
2. The server sends a server hello message to the client. This message contains the SSL version and the cipher suite the server has selected from the client's list, together with a random value.
3. The server sends its certificate to the client in a certificate message so that the client can verify the identity of its peer. The certificate contains the server's public key and is digitally signed with the private key of the issuing CA. The client verifies the authenticity of the server certificate against the CA certificate: the public key in the CA certificate is used to verify the signature and thereby confirm the identity of the server. The server's public key is then used to encrypt information. In other words, this step provides data encryption and identity protection.
4. The server sends an empty server hello done message to the client, indicating that the server has sent all information for this phase.
5. The client sends a client key exchange message, encrypted with the server's public key, to the server. In the SSL implementation, public-key encryption is used only while the identity of the peer is being authenticated with the certificate; the actual data transfer uses the more efficient shared key. This shared key material is encrypted with the public key from the certificate.
6. The client sends a change cipher spec message to the server, announcing that it will encrypt with the negotiated cipher suite from now on.
7. The client sends a finished message to the server, encrypted with the new parameters, notifying the server that the client's part of the negotiation is complete. This message also lets the server verify that no handshake message has been tampered with by an attacker.
8. The server sends a change cipher spec message to the client, announcing that it will encrypt with the negotiated cipher suite from now on.
9. The server sends a finished message to the client, notifying the client that the server's part of the negotiation is complete.
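As an added example that is not code from the SVN documentation, the block below builds a constructed ClientHello (record layer plus handshake layer), parses out the offered protocol versions and the client's priority-ordered cipher suite list described in step 1, and applies the selection rule of step 2 by taking the first suite on the client's list that the server permits. The suite codes and names are the IANA-registered values; the offered list and the server's allowed set are assumptions for the demo, and a real server may instead apply its own preference order.

```python
"""Parse a TLS ClientHello and apply the server's suite selection rule.

Added example, not code from the SVN documentation. The constructed ClientHello
uses legacy version 0x0303, an empty session id, null compression and a
supported_versions extension; suite codes are the IANA-registered values.
"""
import struct
from typing import Dict, List, Optional, Set

CIPHER_SUITES: Dict[int, str] = {
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
SUPPORTED_VERSIONS_EXT = 0x002B


def build_client_hello(versions: List[int], suites: List[int], random: bytes = b"\x11" * 32) -> bytes:
    """Constructed ClientHello: record header, handshake header, then the hello body."""
    body = struct.pack("!H", 0x0303) + random + b"\x00"          # legacy version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                            # one compression method: null
    vers = b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(vers) + 1, len(vers)) + vers
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(data: bytes) -> Dict[str, object]:
    """Walk the record and handshake headers and return versions and suites in client order."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", data[3:5])
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    (legacy_version,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    pos += 32                      # client random
    pos += 1 + body[pos]           # session id (length-prefixed)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]           # compression methods (length-prefixed)
    versions: List[int] = []
    if pos + 2 <= len(body):       # the extensions block is optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                versions = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + edata[0], 2)]
    return {"legacy_version": legacy_version, "versions": versions, "suites": suites}


def suite_names(suites: List[int]) -> List[str]:
    return [CIPHER_SUITES.get(s, f"unknown_0x{s:04x}") for s in suites]


def weak_suites(suites: List[int]) -> List[str]:
    """Suites a defender would not want offered or selected: RC4, 3DES and CBC modes."""
    return [n for n in suite_names(suites) if any(t in n for t in ("RC4", "3DES", "_CBC_"))]


def server_select(offered: List[int], allowed: Set[int]) -> Optional[int]:
    """Step 2: the first (highest-priority) suite on the client's list that the server permits."""
    for s in offered:
        if s in allowed:
            return s
    return None


if __name__ == "__main__":
    offered = [0x1302, 0xC030, 0xC02F, 0x0035, 0x0005]            # constructed client preference list
    hello = parse_client_hello(build_client_hello([0x0304, 0x0303], offered))
    print("offered:", suite_names(hello["suites"]))
    print("weak offered:", weak_suites(hello["suites"]))
    chosen = server_select(hello["suites"], {0xC02F, 0xC030})
    print("server selects:", CIPHER_SUITES[chosen])
```

Parsing the hello from a packet capture of the virtual gateway's SSL port is the quickest way to see which versions and suites clients actually offer before tightening the SSL settings in 3.3; the `weak_suites` filter is the check to run on that list.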
4 Configuration Flow
This section describes the procedure for configuring virtual gateways. The flow can be applied flexibly to different networks.
Table 1-1 shows the basic configuration tasks for virtual gateways; these basic configurations apply to all virtual gateways. After the administrator has configured the virtual gateway, authorized users can access it by entering its IP address in the browser.
Table 1-1 Task list for configuring the virtual gateway

Configuration task: Create a virtual gateway
  Task: 2.1 Creating a Virtual Gateway
  Description: This task is mandatory. You must create a virtual gateway before performing any other configuration.
Configuration task: Configure the virtual gateway system
  Task: 3.1 Configuring DNS
  Description: Optional. Configure it so that intranet resources can be accessed by domain name.
  Task: 3.2.2 Configuring CFCA
  Description: Optional. Configure it if the CFCA server is required to issue user certificates.
  Task: 3.3 Configuring SSL
  Description: Optional. Configure it if the SSL parameters need to be changed. The default values are recommended.
  Task: 3.4 Creating a Virtual Gateway Administrator
  Description: Optional. A virtual gateway administrator can manage only their own virtual gateway. Initially no virtual gateway administrator account exists. After logging in as a virtual gateway administrator, the management page of the current virtual gateway is displayed.
  Task: 3.5 Configuring Policy
  Description: Optional. Configure it if users from specific IP addresses or address segments are to be allowed or denied access to the virtual gateway. If no other policy is configured, the default policy applies.
  Task: 3.6 Customizing the Virtual Gateway Web Page
  Description: Optional. Configure it to customize the logo, welcome message, title and resource icons of the virtual gateway login page.
  Task: 3.7 Configuring Schedule
  Description: Optional. Configure it to restrict the time periods during which users may log in to the virtual gateway.
  Task: 3.8 Configuring User-Defined Browser Type
  Description: Optional. Configure it so that the web page is optimized for the browser users log in with.
Configuration task: Configure intranet isolation items
  Task: 4.1 Configuring Source NAT
  Description: Optional. Configure it if a private source IP address must be translated into a valid public IP address.
  Task: 4.2 Configuring Static Route
  Description: Optional. Configure it if the SVN is on a different subnet from the intranet server.
Note:
Before you create the virtual gateway, determine whether its intranet must be isolated. To enable this feature, select Intranet Isolation when creating the virtual gateway. Only then can source NAT and static routes be configured for intranet isolation.
5 Creating a Virtual Gateway
This section describes how to create a virtual gateway and how to view its status information.
2.1 Creating a Virtual Gateway
This section describes how to create, modify or delete a virtual gateway. To enable SSL VPN services, you must create a virtual gateway.
When you create a virtual gateway, decide whether to enable intranet isolation for it. Once the virtual gateway has been created successfully, its intranet isolation setting cannot be changed; to change it you must create a new virtual gateway.
1. Choose SSL Virtual Gateway > Virtual Gateway.
2. Click Add.
3. Set the following parameters.

Parameters and descriptions:

Name
    Specifies the name of the virtual gateway.
Type
    Exclusive. An exclusive virtual gateway uses its IP address and domain name exclusively; users access it through that domain name or IP address.
HTTP Redirect
    Redirects users' HTTP requests to the home page of the virtual gateway. The home page is https://<domain name or IP address>. If HTTP redirect is enabled, users reach the home page by entering only the domain name (or IP address) of the virtual gateway, or http://<domain name or IP address>. For example, if the domain name of the virtual gateway is www.example.com and its IP address is 10.10.1.22, the home page is https://www.example.com or https://10.10.1.22; with HTTP redirect enabled, entering www.example.com, http://www.example.com, 10.10.1.22 or http://10.10.1.22 also opens the home page.
    The HTTP redirect function uses the HTTP port (default 80) of the virtual gateway. The IP address of the virtual gateway must therefore differ from that of the SVN gateway itself, whose HTTP port may already be in use.
    In mobile office scenarios in which users download the AnyOffice client software from the self-service web page, you must enable the HTTP redirect function.
HTTP Access
    Specifies whether the virtual gateway can be accessed over HTTP. By default, HTTPS is used to access the virtual gateway.
Backup Link
    Specifies whether the backup link function is enabled:
    - Enabled: the network extension client dynamically selects the fastest of the links to the SVN gateway.
    - Disabled: the network extension client does not dynamically select the fastest link to the SVN gateway.
GSLB Acceleration
    Configure this function, together with the global IP address, in the DNS load balancing scenario.
Intranet Isolation
    Select this option if the intranet of the current virtual gateway must be isolated from the intranets of the other virtual gateways.
IP Address
    Specifies the IP address of the virtual gateway. Users access the virtual gateway using this IP address.
    In hot standby networking, use the VRRP group address as the address of the virtual gateway. In other scenarios, use an interface IP address.
    The external IP address is required only in the DNS load balancing scenario; it is the address into which the IP address of the virtual gateway is translated by NAT.
    Click Add to configure multiple IP addresses (a maximum of four) for an exclusive virtual gateway; users can then access the virtual gateway through any of these IP addresses.
    Note: Deleting or changing an IP address of the virtual gateway logs out all users connected through that IP address.
Load Balancing Gateway IP Address
    Users access the load balancing gateway using this IP address.
    The IP address must be that of the interface through which the client connects to the load balancing gateway.
    Configure this parameter only in the desktop cloud agent scenario.
    If the device is used as a load balancing gateway, HTTP Redirect must be enabled.
Secure Cloud Gateway IP Address
    Users access the secure cloud gateway using this IP address.
    The IP address must be that of the interface through which the client connects to the secure cloud gateway.
    Configure this parameter only in the desktop cloud agent scenario.
Virtual Gateway Domain Name
    Optional. Users can access the virtual gateway through this domain name.
    The domain name must be valid, and a DNS server on the extranet must resolve it to an IP address.
    For example, www.example.com.
Secure Cloud Gateway Domain Name
    Users can access the secure cloud gateway through this domain name.
    The domain name must be valid, and a DNS server on the extranet must resolve it to an IP address.
HTTP Port
    Specifies the HTTP port. It is used in the following scenarios:
    - HTTP is used to access the virtual gateway.
    - HTTP redirect is enabled.
    - Android users download the AnyOffice client from the self-service page and log in.
    - PC users download the AnyOffice client from the self-service page and log in.
SSL Port
    Specifies the SSL port. It is used in the following scenarios:
    - SSL is used to access the virtual gateway.
    - iOS users download the AnyOffice client from the self-service page and log in.
    - Android users download enterprise applications in the AnyOffice client.
    - The SVN provides the multimedia tunnel for Android devices.
    Note: Modifying the SSL port of the virtual gateway logs out all users who use that port.
Rapid Port
    Specifies the port used for UDP communication. It is used by virtual gateway services including network extension and the multimedia tunnel.
Max. Number of Users via MTM
    Applies only to an exclusive virtual gateway. Specifies the maximum number of concurrent online users of the virtual gateway via the multimedia tunnel. The value is determined by the license.
Max. Number of Users via SSL VPN
    Specifies the maximum number of concurrent online SSL VPN users of the virtual gateway. An online SSL VPN user is a user who accesses the virtual gateway through SSL VPN. The value is determined by the license.
Max. Number of Users via IPSec VPN
    Specifies the maximum number of concurrent online IPSec VPN users of the virtual gateway. An online IPSec VPN user is a user who accesses the virtual gateway through IPSec VPN. The value is determined by the license.
Max. Number of Users via Cloud
    Specifies the maximum number of concurrent online users of the virtual gateway via the cloud. The value is determined by the license.
Max. Number of Virtual Desktop Users
    Specifies the maximum number of concurrent online users of the virtual gateway via the virtual desktop. The value is determined by the license.
Max. Number of Registered Terminals
    Specifies the maximum number of terminals that can register through the virtual gateway by e-mail address. The value is determined by the license.
Max. Number of Registered Secure Browser Terminals
    Specifies the maximum number of terminals that can register through the virtual gateway using the secure browser. The value is determined by the license.
Max. Number of Registered MDM Terminals
    Specifies the maximum number of terminals that can register with the virtual gateway through MDM. The value is determined by the license.
Max. Number of Registered SDK Terminals
    Specifies the maximum number of terminals that can register with the virtual gateway through the SDK. The value is determined by the license.
Max. Number of Users
    Specifies the maximum number of online users on the virtual gateway. The value for a new virtual gateway must be less than or equal to the number of licensed users not yet allocated.
Max. Number of Administrators
    Specifies the maximum number of administrators on the virtual gateway. The value for a new virtual gateway must be less than or equal to the number of licensed administrators not yet allocated.
Max. Number of Resources
    Specifies the maximum number of resources on the virtual gateway. The value for a new virtual gateway must be less than or equal to the number of available resources.
4. Click Apply.
Other Operations
- Modifying a virtual gateway: click the virtual gateway and change its parameters. Name, Type and Intranet Isolation cannot be modified. Deleting or changing an IP address of the virtual gateway logs out all users connected through that IP address.
- Deleting a virtual gateway: select the virtual gateway to be deleted and click Delete. Note that existing services may be interrupted when the virtual gateway is deleted.
2.2 Virtual Gateway Status
You can view the details of the current virtual gateway and its online monitoring information.
1. Choose SSL Virtual Gateway > Virtual Gateway.
2. Click the virtual gateway to be configured.
3. Choose Virtual Gateway System > Virtual Gateway Status > Virtual Gateway Status.
6 Virtual Gateway System
Configuring the virtual gateway system includes viewing the virtual gateway status and configuring the DNS server, SSL, the virtual gateway administrator, the virtual gateway policy and the customized virtual gateway page.
3.1 Configuring DNS
After a DNS server is configured, users can access the virtual gateway by domain name. After the domain name suffix for the DNS server is configured, users can access intranet servers without entering the suffix of the domain name.
1. Choose SSL Virtual Gateway > Virtual Gateway.
2. Click the virtual gateway to be configured.
3. Choose Virtual Gateway System > DNS > DNS.
4. Set the following parameters.
Note:
- The preferred DNS server and the alternate DNS servers must not be the same.
- To ensure the reliability of the DNS service, configure both the preferred DNS server and an alternate DNS server.
- The DNS servers are used in the following order: preferred DNS server, alternate DNS server 1, alternate DNS server 2.

Parameters and descriptions:

Preferred DNS Server
    Specifies the IP address of the preferred DNS server.
Alternate DNS Server 1
    Specifies the IP address of the DNS server used when the preferred DNS server is unavailable.
Alternate DNS Server 2
    Specifies the IP address of the DNS server used when both the preferred DNS server and alternate DNS server 1 are unavailable.
Server Domain Name
    After the domain name suffix for the DNS server is configured, users can access intranet servers without entering the suffix of the domain name.
    A domain name consists of letters, digits and hyphens. For a domain name in the format x.x.x, each label must be at most 63 characters long and must not begin or end with a hyphen; the last label must contain at least one character.
    For example, if the virtual gateway administrator configures the domain name server.com, users can reach http://oa.server.com by entering only OA.
    This configuration does not apply if the SVN is accessed by domain name.
5. Click Apply.
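The block below is an added example, not code from the SVN documentation. It encodes the domain name rules stated above (letters, digits and hyphens only; labels of at most 63 characters that neither begin nor end with a hyphen; a non-empty last label) as a validator that reports which rule failed, and shows how a short name such as OA is completed to oa.server.com once the suffix is configured. Lower-casing the entered name, and leaving a name that already contains a dot unchanged, are assumptions made for the demo, not behaviour the page states.

```python
"""Validate a DNS suffix and complete short intranet host names with it.

Added example, not code from the SVN documentation. The validation rules are
the ones the DNS section states; the handling of names that already contain a
dot, and the lower-casing, are assumptions for the demo.
"""
import re
from typing import Optional

# One label: starts and ends with a letter or digit, hyphens allowed inside, 1..63 characters.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def invalid_reason(domain: str) -> Optional[str]:
    """Return why a domain name violates the rules, or None when it satisfies all of them."""
    if not domain:
        return "empty domain name"
    labels = domain.split(".")
    if labels[-1] == "":
        return "last label must contain at least one character"
    for label in labels:
        if label == "":
            return "empty label"
        if len(label) > 63:
            return f"label '{label[:10]}...' is longer than 63 characters"
        if label.startswith("-") or label.endswith("-"):
            return f"label '{label}' begins or ends with a hyphen"
        if not LABEL.match(label):
            return f"label '{label}' contains characters other than letters, digits and hyphens"
    return None


def is_valid_domain(domain: str) -> bool:
    return invalid_reason(domain) is None


def qualify(host: str, suffix: str) -> str:
    """Complete a short host name with the configured suffix and validate the result.

    Assumption for the demo: a name that already contains a dot is treated as fully qualified.
    """
    if not is_valid_domain(suffix):
        raise ValueError(f"invalid suffix {suffix!r}: {invalid_reason(suffix)}")
    host = host.strip().lower()
    fqdn = host if "." in host else f"{host}.{suffix}"
    if not is_valid_domain(fqdn):
        raise ValueError(f"invalid host name {fqdn!r}: {invalid_reason(fqdn)}")
    return fqdn


if __name__ == "__main__":
    print(qualify("OA", "server.com"))                 # the page's own example
    for candidate in ("server.com", "server.com.", "-oa.server.com", "oa_1.server.com"):
        print(candidate, "->", invalid_reason(candidate) or "valid")
```

Validating the suffix at configuration time is what keeps a typo such as a trailing dot from silently breaking short-name access for every user of the virtual gateway; the reason string makes the rejected rule visible to the administrator.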
3.2 Configuring the CA
The SVN virtual gateway can automatically connect to SCEP and CFCA servers and apply for WLAN certificates for users.
3.2.1 Configuring SCEP
The SVN virtual gateway uses the Simple Certificate Enrollment Protocol (SCEP) to apply for WLAN certificates for users.
After obtaining WLAN certificates from the SCEP server, the SVN virtual gateway delivers them to mobile devices. When a user uses the WLAN certificate to access the enterprise wireless LAN, the authentication server verifies the validity of the certificate.
The SCEP server is provided by the enterprise. Any enterprise that has a SCEP server can use SCEP to issue Wi-Fi certificates.
When deploying a SCEP server on the enterprise intranet, set the RSA key length to 2048 bits and the hash algorithm of the signing certificate to SHA256 or stronger.
Configuring the SCEP Server
Configure the URL and the challenge code of the SCEP server. Ensure that the SVN can reach the SCEP server.
1. Choose SSL Virtual Gateway > Virtual Gateway.
2. Click the virtual gateway to be configured.
3. Choose Virtual Gateway System > Settings > Mobile Terminal CA.
4. Select SCEP as the CA server.
5. Configure the certificate server information of the SCEP server.

Parameters and descriptions:

SCEP Server URL
    Specifies the URL of the SCEP server the SVN connects to. Obtain it from the administrator of the SCEP server.
Challenge Code
    Specifies the challenge password the SVN uses when applying for a WLAN certificate from the SCEP server. Obtain it from the administrator of the SCEP server.
Automatic Renewal Ahead of Time
    Before an existing WLAN certificate expires, the SVN applies for a new Wi-Fi certificate from the SCEP server and delivers it to the mobile device. For example, if this parameter is set to one week, the SVN applies for a new Wi-Fi certificate during the last week of validity, as soon as a user logs in with the AnyOffice client.
Domain Account
Password
    Specify the account and password for logging in to the SCEP server; the domain account requests authorization for a certificate. Obtain the domain account and password from the administrator of the SCEP server. They are required only if Windows authentication is enabled on the SCEP server, in which case the SVN must use them to apply for a WLAN certificate from the SCEP server.
Configuring the CA Certificate of the SCEP Server
To apply for a WLAN certificate, the SVN needs the CA certificate of the SCEP server, which can be obtained in two ways:
- Local upload: upload the CA certificate obtained from the administrator of the SCEP server.
  1. Click Upload.
  2. On the page that appears, click Browse and select the local CA certificate.
  3. Click Confirm.
- Download from the SCEP server: download the certificate from the configured SCEP server URL.
  1. Click Download from SCEP Server.
  2. The downloaded certificate appears in the certificate list.
Configuring Certificate Fields
Certificate fields contain the user information required to apply for a Wi-Fi certificate. After connecting to the SVN, the AnyOffice client receives the certificate request template from the SVN, generates a Certificate Signing Request (CSR) and sends it to the SVN. The SVN forwards the CSR to the SCEP server to obtain the WLAN certificate.
1. Enter the certificate information in the certificate DN template.
The Wi-Fi certificate has the parameters listed in the following table. Each parameter corresponds to one field of the certificate.
These parameters are optional. For example, if the wireless authentication server does not check the OU field of a WLAN certificate, the parameter need not be set.

Parameters and descriptions:

CN
    Specifies the common name.
DC
    Specifies the domain component.
OU
    Specifies the organizational unit (department).
O
    Specifies the organization.
C
    Specifies the country.
DNS
    Specifies the domain name of a server. Because this parameter is rarely used, it is not included in the DN template.
2. Click Apply.
3.2.2 Configuring the CFCA
The China Financial Certification Authority (CFCA) is a state-level security certification organization that issues certificates to enterprises through its CFCA server. After the administrator configures the certificate server address and the supplementary CFCA information on the SVN virtual gateway, the SVN can access the CFCA server and apply for certificates.
After obtaining a certificate from the CFCA server, the SVN virtual gateway delivers it to the mobile device. When the user uses the certificate to access the enterprise wireless LAN, the authentication server verifies the validity of the certificate.
The CFCA server is provided by the enterprise: the enterprise buys the CFCA service and registers its information on the CFCA server.
Configuring the CFCA Server
Configure the IP address and port of the CFCA server. Ensure that the SVN and the CFCA server are reachable from each other by route; otherwise they cannot communicate.
1. Choose SSL Virtual Gateway > Virtual Gateway.
2. Click the virtual gateway to be configured.
3. Choose Virtual Gateway System > Settings > Mobile Terminal CA.
4. Select CFCA as the CA server.
5. Configure the certificate server parameters for the CFCA server.
The IP address and port of the CFCA server are part of the enterprise's network plan. Obtain them from the network administrator.

Parameters and descriptions:

CFCA Server IP Address
    Specifies the IP address of the CFCA server.
Port
    Specifies the port number of the CFCA server.
Configuring Certificate Fields
Certificate fields contain the information required for the certificate application. When a client connects to the SVN virtual gateway, it receives the certificate fields from the SVN virtual gateway, generates a Certificate Signing Request (CSR) and sends the CSR to the SVN virtual gateway, which forwards it to the CFCA server to obtain the user certificate.
1. Enter the certificate field information in the certificate DN template.

Parameters and descriptions:

CN
    Specifies the name of the user who logs in to the SVN virtual gateway.
    No configuration is required: the client automatically fills in the name of the user who logs in to the virtual gateway.
T
    Specifies the device ID of the mobile terminal.
    No configuration is required: the client obtains the device ID of the mobile terminal automatically.
    - The ID of an Android terminal is its IMEI. Choose Settings > About Phone/Tablet > Status to check the IMEI.
    - The ID of an iOS terminal is its UDID. Connect the terminal to a PC with iTunes installed and choose Devices > Summary in iTunes to view the UDID.
OU
    Specifies the department information. It must be the same as the information registered on the CFCA server.
O
    Specifies the organization. It must be the same as the information registered on the CFCA server.
C
    Specifies the country. It must be the same as the information registered on the CFCA server.
2. Click Apply.
3.3 Configuring SSL
This section describes how to configure the SSL version, cipher suite, session timeout, and life cycle of SSL sessions on the device. The configuration is optional; the default values can be used.
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > SSL Configuration > SSL Configuration.
4.     Set the following parameters.

Parameters
Description
SSL Version
Specifies the SSL versions the virtual gateway accepts. A client must support one of these versions to connect to the virtual gateway.
Encryption Suite
Specifies the supported cipher suites. The cipher suite protects the data exchanged between the client and the virtual gateway. From the configured suites, the device automatically selects the strongest one that the client also supports to protect the data the client sends to the virtual gateway.
256-bit AES with RSA and SHA has the highest encryption strength and is the recommended choice.
Session Timeout
Specifies the session timeout: the time after which a connection carrying no traffic is closed. When a session times out, the client and the server authenticate each other again.
If the session has timed out but the life cycle has not, the client must re-authenticate but does not need to log in again.
To allow a user to log in to the virtual gateway from multiple locations with the same account, keep the default session timeout.
Note:
The session timeout must be greater than the UDP Keepalive Interval and the keepalive packet sending interval of the multimedia tunnel.
Full life cycle
Indicates that the life cycle is unlimited. After logging in to the virtual gateway, the user stays connected.
Life Cycle
Specifies the life cycle of a user session. When it expires, the connection to the virtual gateway is closed automatically and the user must log in again to access the virtual gateway.
Life Cycle cannot be set if Full life cycle is selected.
SSL compression
Indicates whether the data transmitted in SSL sessions is compressed to improve efficiency.
5.     Click Apply.
3.4 Configuring Virtual Gateway Administrator
A virtual gateway administrator is the administrator of one virtual gateway.
3.4.1 Creating a Virtual Gateway Administrator
Virtual gateway administrators manage only the virtual gateway to which they belong. No virtual gateway administrator account exists in the system until one is created.
Background
Virtual gateway administrators are classified by management scope as follows:
·    Virtual gateway administrators whose management scope is All. The virtual gateway administrators referred to in this document are of this type; they manage all resources of their virtual gateway.
·    Virtual gateway administrators whose management scope is Asset. These are the asset administrators referred to in this document.
An asset administrator can log in to the SVN web UI and use only the functions on the Asset page. An administrator belongs to only one organization, and an organization can have multiple asset administrators. An asset administrator manages only the assets in the asset groups of that organization that are bound to the administrator, and the assets that asset administrators created in the SVN web UI.
Create a Virtual Gateway Administrator
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > Virtual Gateway Administrator > Virtual Gateway Administrator.
4.     Click Add to create a virtual gateway administrator.
a.     Set the basic information of the virtual gateway administrator.

Parameters
Description
Account
Specifies the account of the virtual gateway administrator.
This is the account that the virtual gateway administrator enters on the login page.
New Password
Specifies the password of the virtual gateway administrator.
This is the password that the virtual gateway administrator enters on the login page.
Confirm Password
Enter the password of the virtual gateway administrator account again.
Name
Specifies the name of the virtual gateway administrator.
Telephone
Specifies the phone number of the virtual gateway administrator.
E-Mail
Specifies the e-mail address of the virtual gateway administrator.
b.     Click Permissions to set the permissions of the virtual gateway administrator.

Parameters
Description
Administrative Area
·        Select All when creating a virtual gateway administrator.
·        Select Asset when creating an asset administrator.
Permission Control
·        Read and Write: the administrator can view and modify the functions within the administrative area.
·        Read-only: the administrator can only view the functions within the administrative area.
Organization
Specifies the organization to which the asset administrator belongs.
Binding Asset Group
Specifies the asset groups that the asset administrator can manage.
5.     Click Apply.
3.4.2 Configuring the Virtual Gateway Administrator Password Policy
This function sets the strength, validity period, and expiration prompt policy for virtual gateway administrator passwords.
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > Options > Virtual Gateway Administrator Password.
4.     Set the following parameters.
Note:
To ensure system security, configure a password policy that enforces complex passwords and change passwords regularly.

Parameters
Description
Minimum Password Length
Specifies the minimum length of the virtual gateway administrator password.
Maximum Password Length
Specifies the maximum length of the virtual gateway administrator password.
Minimum number of digits
Specifies the minimum number of digits in the password.
Minimum number of alphabetic characters
Specifies the minimum number of letters in the password.
Mixture of uppercase and lowercase letters
Indicates that the password must contain both uppercase and lowercase letters.
This item applies only when the password is at least two characters long.
Different from the old password
Indicates that the new password must differ from the old password when the administrator changes the password.
Different from the account name or its reverse
Indicates that the new password must not be the administrator's account name or the account name reversed when the administrator changes the password.
Password validity period
Specifies the period during which the password is valid.
Expiration prompt period
Specifies how many days before the password expires the system prompts the administrator to change it.
The value must be less than the password validity period. 7 days or 15 days is recommended.
5.     Click Apply.
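The rules on this page, applied to a candidate password and to a password's age, as an added Python example; it is not the SVN's own code, and the PasswordPolicy field names, the default values and the sample accounts are my own, chosen to mirror the parameters above.

```python
"""Check a candidate administrator password against the rules of the Virtual Gateway
Administrator Password page. Added example, not SVN code; PasswordPolicy's field
names mirror the page's parameters, its default values are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 32
    min_digits: int = 1
    min_letters: int = 1
    mixed_case: bool = True          # Mixture of uppercase and lowercase letters
    differ_from_old: bool = True     # Different from the old password
    not_account_name: bool = True    # Different from the account name or its reverse
    validity_days: int = 90          # Password validity period
    prompt_days: int = 7             # Expiration prompt period (must be < validity)


def check_password(policy: PasswordPolicy, new_pw: str, account: str,
                   old_pw: str = "") -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(new_pw) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if len(new_pw) > policy.max_length:
        problems.append(f"longer than maximum length {policy.max_length}")
    if sum(c.isdigit() for c in new_pw) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digit(s)")
    if sum(c.isalpha() for c in new_pw) < policy.min_letters:
        problems.append(f"fewer than {policy.min_letters} letter(s)")
    # The page applies the mixed-case rule only once the password has at least two characters.
    if policy.mixed_case and len(new_pw) >= 2:
        has_lower = any(c.islower() for c in new_pw)
        has_upper = any(c.isupper() for c in new_pw)
        if not (has_lower and has_upper):
            problems.append("must mix uppercase and lowercase letters")
    if policy.differ_from_old and old_pw and new_pw == old_pw:
        problems.append("must differ from the old password")
    if policy.not_account_name:
        # Case-insensitive, so that 'Admin' is still rejected for account 'admin'.
        if new_pw.lower() in (account.lower(), account.lower()[::-1]):
            problems.append("must not be the account name or its reverse")
    return problems


def expiry_status(policy: PasswordPolicy, changed_on: str, today: str) -> str:
    """'expired', 'prompt' (inside the expiration prompt period) or 'ok'; dates are ISO strings."""
    if policy.prompt_days >= policy.validity_days:
        raise ValueError("expiration prompt period must be less than the validity period")
    expires_on = date.fromisoformat(changed_on) + timedelta(days=policy.validity_days)
    remaining = (expires_on - date.fromisoformat(today)).days
    if remaining <= 0:
        return "expired"
    if remaining <= policy.prompt_days:
        return "prompt"
    return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Gateway2024!", "nimdanvs", "abc123"):   # constructed samples
        print(candidate, "->", check_password(policy, candidate, "svnadmin") or "accepted")
    print(expiry_status(policy, "2024-01-01", "2024-03-26"))
```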
3.4.3 Managing the Current Account
This section describes how to reset the password of a virtual gateway administrator.
Note:
The account of the administrator currently logged in to the virtual gateway is the default administrator account and cannot be changed.
1.     Choose Virtual Gateway System > Virtual Gateway Administrator > Manage Current Account.
2.     Set the following parameters.

Parameters
Description
Old Password
Specifies the old password of the virtual gateway administrator.
This is the password that the virtual gateway administrator currently enters on the login page.
New Password
Specifies the new password of the virtual gateway administrator.
Confirm Password
Enter the new password of the virtual gateway administrator account again.
3.     Click Apply.
3.5 Configuring Virtual Gateway Level Policy
By adding virtual gateway source IP address-based policies, you can control access to a virtual gateway by client IP address. The administrator can allow or deny access to the virtual gateway for users from specific IP addresses or address segments.
Policies are matched by type in the following order:
1.     Source IP address-based policy of the virtual gateway
2.     Source IP address-based policies of users
3.     Destination IP address-based or URL-based policies of users
Within one policy type, the matching order is as follows:
1.     Longest match first: the policy with the longest mask has a higher priority than the others. Among policies with the same mask length, a policy for a specific interface has a higher priority than a policy for any interface.
2.     Policies whose action differs from the default action
3.     Default policy
Configure the default action
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > Virtual Gateway Level Policy > Default Policy.
4.     Configure the default action of the policy.

Parameters
Description
Deny
Users cannot access the virtual gateway if no matching policy is found.
Allow
Users can access the virtual gateway if no matching policy is found.
Download
Users have download permission for secure file transfer. This permission cannot be disabled.
Upload
Users have upload permission for secure file transfer. Users can upload, rename, and delete files and create directories.
5.     Click Apply.
Configure a virtual gateway source IP address-based policy
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > Virtual Gateway Level Policy > Virtual Gateway Source IP Address-based Policy.
4.     Click Add to add a virtual gateway source IP address-based policy.

Parameters
Description
Type
Specifies whether the policy controls a single IP address or an IP address segment.
IP Address, Subnet Mask
Specifies the source IP address and subnet mask to be controlled by the policy.
The IP address and subnet mask can be configured only if Type is set to IP Address.
Start IP Address and End IP Address
Specifies the start and end IP addresses of the IP segment to be controlled by the policy.
The start and end IP addresses can be configured only if Type is set to IP Address Range.
Action
Specifies the action of the policy.
·        Allow: permits clients whose source IP address matches the preceding addresses to access the virtual gateway.
·        Deny: prohibits clients whose source IP address matches the preceding addresses from accessing the virtual gateway.
5.     Click OK.
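The matching order of section 3.5 (longest mask first, then a policy whose action differs from the default, then the default action) applied to both policy types, as an added Python example; it is not SVN code, and the class and function names, the tie-break for ranges against prefixes, and the sample address set are my own.

```python
"""Evaluate virtual gateway source IP address-based policies the way section 3.5
describes: most specific match first, then a policy whose action differs from the
default action, then the default action. Added example, not SVN code; a range is
ranked by the number of addresses it covers (assumption), like a prefix."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class SourceIpPolicy:
    action: str                 # "allow" or "deny"
    network: Optional[ipaddress.IPv4Network] = None  # Type = IP Address (+ subnet mask)
    start: Optional[ipaddress.IPv4Address] = None    # Type = IP Address Range
    end: Optional[ipaddress.IPv4Address] = None

    def matches(self, ip: ipaddress.IPv4Address) -> bool:
        if self.network is not None:
            return ip in self.network
        return self.start <= ip <= self.end

    def covered(self) -> int:
        """Addresses the policy covers; fewer means a longer mask, i.e. more specific."""
        if self.network is not None:
            return self.network.num_addresses
        return int(self.end) - int(self.start) + 1


def prefix_policy(action: str, cidr: str) -> SourceIpPolicy:
    """Type = IP Address: an address plus subnet mask, e.g. '10.1.2.0/24' or '192.0.2.7/32'."""
    return SourceIpPolicy(action, network=ipaddress.IPv4Network(cidr, strict=False))


def range_policy(action: str, start: str, end: str) -> SourceIpPolicy:
    """Type = IP Address Range: start and end addresses, inclusive."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if e < s:
        raise ValueError("end IP address must not be lower than start IP address")
    return SourceIpPolicy(action, start=s, end=e)


def decide(policies: Iterable[SourceIpPolicy], client_ip: str,
           default_action: str) -> Tuple[str, Optional[SourceIpPolicy]]:
    """Return (action, matched policy); the policy is None when the default action applies."""
    ip = ipaddress.IPv4Address(client_ip)
    hits = [p for p in policies if p.matches(ip)]
    if not hits:
        return default_action, None
    # Most specific first; on a tie, the policy whose action differs from the default
    # sorts first (False < True), because it exists to override the default.
    hits.sort(key=lambda p: (p.covered(), p.action == default_action))
    return hits[0].action, hits[0]


# Constructed sample: a branch /24 is allowed inside a denied /8, except for a small
# range (say a guest segment) inside that /24; one host is allowed explicitly.
SAMPLE_POLICIES = [
    prefix_policy("deny", "10.0.0.0/8"),
    prefix_policy("allow", "10.1.2.0/24"),
    range_policy("deny", "10.1.2.50", "10.1.2.60"),
    prefix_policy("allow", "192.0.2.7/32"),
]

if __name__ == "__main__":
    for client in ("10.1.2.10", "10.1.2.55", "10.9.9.9", "192.0.2.7", "172.16.0.1"):
        action, policy = decide(SAMPLE_POLICIES, client, default_action="deny")
        print(f"{client:<12} -> {action} ({'default' if policy is None else policy})")
```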
3.6 Customizing Virtual Gateway Web Page
The device provides web page customization for virtual gateways. By customizing the web page, you can present corporate users with the virtual gateway login page you want.
Customize the Virtual Gateway Logo
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > Virtual Gateway Web Page > Customize Virtual Gateway Logo.
4.     Click Browse to select the logo image file.
5.     Click Upload to upload the logo image file.
Customize the Virtual Gateway Link
The virtual gateway desktop shortcut simplifies the procedure for logging in to the virtual gateway.
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > Virtual Gateway Web Page > Customize Virtual Gateway Link.
4.     Select Enable for Create Desktop Shortcut.
5.     Click Apply to enable the desktop shortcut.
6.     Click Browse to select the logo file.
7.     Click Upload to upload the logo file.
Customize the Virtual Gateway Welcome Message
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > Virtual Gateway Web Page > Customize Virtual Gateway Welcome Message.
4.     Click Browse to select the welcome message image file.
5.     Click Upload to upload the welcome message image file.
Customize the Virtual Gateway Title
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > Virtual Gateway Web Page > Customize Virtual Gateway Title.
4.     Click Browse to select the title image file.
5.     Click Upload to upload the title image file.
Upload customized pages
Customized pages include:
·    Custom login page.
·    Custom home page: the page displayed after the user logs in to the virtual gateway.
·    External website: if an external website is specified, the user is redirected to it after logging in to the virtual gateway.
Note:
If the file to be uploaded is in .txt format, save it with UTF-8 encoding before uploading it.
If the administrator customizes the login page without downloading the template, the custom page must contain a login form (including user name, password, and selected language) and a Login button. The form's method must be POST and its target URL must be /login.html. Other content can be customized freely.
The total size of all customization files for one virtual gateway cannot exceed 4 MB, and the total size of all customization files on the whole device cannot exceed 32 MB. Otherwise, the upload fails.
Because PCs and mobile terminals differ in capability, PC users and mobile users have different experiences when accessing the same virtual gateway page. The SVN virtual gateway therefore lets you customize virtual gateway pages separately for PCs and mobile terminals, which improves the user experience.
For example, the procedure for customizing a virtual gateway page for PCs is as follows:
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > Virtual Gateway Web Page > Customize Virtual Gateway Web Page.
4.     Upload the customized page.
a.     Click Download PC Login Page Template, Download PC Home Page Template, or the corresponding template download link.
b.     The customization requirements for a page are described in the template file. Change only the customizable content.
c.     Save the page.
d.     In the customized page file list, click Upload.
e.     Select the page file, such as the login page, and click Not Configured. Select the file type on the page that appears.
f.     Click OK.
The procedure for customizing a virtual gateway page for mobile terminals is similar.
Upload custom resource icons of the virtual gateway
Note:
Resource icon customization is not available for port forwarding and file sharing resources.
A .bmp, .gif, .jpeg, .jpg, or .png file with a transparent background is recommended.
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > Virtual Gateway Web Page > Virtual Gateway Resource Customization.
4.     Click Upload below the resource customization file list to upload a custom resource icon for the virtual gateway.
5.     In the upload dialog box that appears, click Browse.
6.     In the Select File dialog box, select an image and click Open.
7.     Click Confirm.
3.7 Configuring Schedules
A schedule specifies the time range in which users or user groups can log in to the virtual gateway. If a role is bound to a schedule, the users or user groups in that role can log in to the virtual gateway only within the scheduled time.
The device supports the following schedules:
·    Default schedule
Each virtual gateway has exactly one default schedule. The default schedule can be modified but not deleted.
·    User-defined schedule
A maximum of 63 custom schedules can be created on each virtual gateway. Custom schedules can be created, modified, and deleted.
All new users or user groups are assigned to the default schedule unless you specify otherwise.
Create a schedule
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > Schedule > Schedule.
4.     Click Add.
5.     Enter the name of the new schedule in Name.
Default is the name of the default schedule; a new schedule cannot be named Default.
6.     In the Schedule table, select the time in which users are allowed to access the virtual gateway.
7.     Click Apply.
3.8 Configuring Custom Browser Types
The virtual gateway delivers web pages to a browser based on the value of the User-Agent (UA) field in the request packet.
Matching rule
Web resources designed for PCs may not suit mobile terminals. The virtual gateway therefore keeps two sets of web resources, one for PC users and one for mobile users, and uses the value of the UA field in the request packet to decide which set to deliver. The value of the UA field varies with the browser.
The predefined matching rule is as follows:
·    The virtual gateway compares the value of the UA field in the request packet with the predefined keywords Mobile, SymbianOS, BlackBerry, and UCWEB.
·    If the UA field matches any of the four keywords, the virtual gateway delivers the web resources for mobile terminals.
·    If the UA field matches none of the four keywords, the virtual gateway delivers the web resources for PCs.
In some cases the predefined rule does not select the right web resources for a user. You can define custom browser types for such users; the custom matching rule is as follows:
·    After you specify Terminal Type and Match String, the virtual gateway compares the UA field with the specified string.
·    If a match is found, the virtual gateway delivers the web resources for the specified terminal type.
·    If no match is found, the virtual gateway delivers web resources according to the predefined matching rule.
Note:
Custom matching rules have higher priority than the predefined rule. If multiple custom rules are configured, the rule defined earlier takes precedence.
Create a custom browser type
Each virtual gateway supports up to 16 custom browser type rules.
1.     Choose SSL Virtual Gateway > Virtual Gateway.
2.     Click the virtual gateway to be configured.
3.     Choose Virtual Gateway System > Custom Browser Type > Configure Custom Browser Type.
4.     Click Add to create a custom browser type.

Parameters
Description
Terminal Type
Specifies the type of terminal.
Currently, the device supports only PC and mobile phone.
Match String
Specifies the keyword that the virtual gateway matches against the UA field of the request packet to decide which web resources to deliver to the requesting browser.
When specifying this parameter, you need to know the keywords in the browser's UA field.
For example, if Terminal Type is PC and Match String is chrome, a request from the mobile Chrome browser also matches, and the mobile user receives the web resources for PCs. To avoid such cases, make sure you understand the differences between the UA fields of PC and mobile browsers before configuring the rule.
5.     Click Apply.
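The matching rule of section 3.8 (custom rules first in configured order, then the four predefined keywords), together with a pre-deployment check for the chrome pitfall described above, as an added Python example; it is not SVN code, the UA strings are constructed, and case-insensitive substring matching for custom rules is an assumption the page does not state.

```python
"""Select the PC or mobile web resource set from a User-Agent as section 3.8
describes: custom browser type rules first (earlier rule wins), then the predefined
keywords Mobile, SymbianOS, BlackBerry and UCWEB, otherwise PC. Added example, not
SVN code; the rule class, the audit helper and the sample UA strings are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

PREDEFINED_MOBILE_KEYWORDS = ("Mobile", "SymbianOS", "BlackBerry", "UCWEB")


@dataclass(frozen=True)
class CustomBrowserRule:
    terminal_type: str   # "PC" or "mobile"
    match_string: str    # keyword looked for in the UA field


def predefined_terminal_type(user_agent: str) -> str:
    """The predefined rule: any of the four keywords means mobile, otherwise PC."""
    return "mobile" if any(kw in user_agent for kw in PREDEFINED_MOBILE_KEYWORDS) else "PC"


def select_resource_set(user_agent: str,
                        custom_rules: Iterable[CustomBrowserRule] = ()) -> Tuple[str, str]:
    """Return (terminal type, reason). Custom-rule matching is assumed to be a
    case-insensitive substring test; the page does not state the exact comparison."""
    ua_lower = user_agent.lower()
    for rule in custom_rules:                     # configured order == priority
        if rule.match_string.lower() in ua_lower:
            return rule.terminal_type, f"custom:{rule.match_string}"
    return predefined_terminal_type(user_agent), "predefined"


def find_misroutes(custom_rules: Iterable[CustomBrowserRule],
                   user_agents: Iterable[str]) -> List[str]:
    """Pre-deployment check: UAs that a custom rule sends to a different resource set
    than the predefined rule would. Each hit deserves a look before clicking Apply."""
    rules = list(custom_rules)
    return [ua for ua in user_agents
            if select_resource_set(ua, rules)[0] != predefined_terminal_type(ua)]


# Constructed sample UA strings (shapes typical of the browsers named, not captured data).
ANDROID_CHROME = ("Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/80.0.3987.99 Mobile Safari/537.36")
DESKTOP_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36")
BLACKBERRY = "BlackBerry9700/5.0.0.862 Profile/MIDP-2.1 Configuration/CLDC-1.1"
UC_BROWSER = "UCWEB/2.0 (Linux; U; Adr 4.4.2; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
SAMPLE_UAS = [ANDROID_CHROME, DESKTOP_CHROME, BLACKBERRY, UC_BROWSER]

# The pitfall from the page: a PC rule on "chrome" also catches mobile Chrome.
NAIVE_RULES = [CustomBrowserRule("PC", "chrome")]
# One fix: an earlier, more specific mobile rule takes precedence over the broad PC rule.
FIXED_RULES = [CustomBrowserRule("mobile", "Mobile Safari"), CustomBrowserRule("PC", "chrome")]

if __name__ == "__main__":
    print("naive misroutes:", find_misroutes(NAIVE_RULES, SAMPLE_UAS))
    print("fixed misroutes:", find_misroutes(FIXED_RULES, SAMPLE_UAS))
```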
4 Configuring Intranet Isolation Items
When configuring a virtual gateway you can choose whether to enable the intranet isolation function. Only if the function is enabled can you configure Source NAT and virtual gateway routes for the virtual gateway itself. If the function is disabled, Source NAT and routes are configured at the system level.
4.1 Configuring Source NAT
Source NAT translates the source IP address of an IP packet from a private address to a legitimate public address. A NAT address pool defines a range of public IP addresses that Source NAT configurations can reference.
Prerequisite
A virtual gateway with intranet isolation enabled has been created.
Create a Source NAT
Basic NAT translates the source IP address of an IP packet from a private address to a legitimate public address without translating the source TCP/UDP port number. Basic NAT is also called one-to-one translation: one private address maps to one public address, and a public address cannot be used by several private network users at the same time.
Network Address and Port Translation (NAPT) translates the source TCP/UDP port number as well as the source IP address of packets. Private hosts are distinguished by their translated source port numbers. NAPT is many-to-one translation: one public address can be used by multiple private network users at once, which multiplexes public addresses and overcomes the shortage of public addresses.
Easy IP is also many-to-one translation. It needs no NAT address pool; it replaces the source IP address of packets directly with the public IP address of the outbound interface. Easy IP suits small networks with few private hosts whose egress interface obtains its public IP address via dial-up or DHCP. All private users access the Internet through the public IP address of the outbound interface, which simplifies network configuration and saves the cost of public addresses.
Like basic NAT and NAPT, intra-zone NAT translates source information of packets, such as the source IP address or the source IP address and port, but it applies only to packets within one zone.
The preceding NAT functions are implemented by creating Source NAT policies. If multiple Source NATs are configured for an inter-zone, they are matched in priority order; once a packet matches one Source NAT, the others are not checked. By default, the Source NAT configured earliest has the highest priority. You can adjust the priorities of the Source NATs.
1.     Choose Virtual Gateway System > Source NAT > Source NAT.
2.     In the Source NAT list, click Add.
3.     Set the following parameters.

Parameters
Description
Source Zone
Specifies the zone in which the private IP address before NAT resides.
Destination Zone
Specifies the zone in which the public IP address after NAT resides.
Source Address
Specifies the source IP address matched by the Source NAT.
The value is usually a private IP address before NAT. If this parameter is not specified, the default value any is used, meaning all IP addresses in the source zone.
Destination Address
Specifies the destination IP address matched by the Source NAT.
If this parameter is not specified, the default value any is used, meaning the destination IP address is not restricted.
Action
Specifies whether Source NAT is applied to matching packets.
·        Allow: applies Source NAT to matching packets.
·        Deny: does not apply Source NAT to matching packets.
Translate source address to
Specifies whether the source address is translated to an address in an address pool or to the address of an interface.
·        Address in an address pool: the private IP address is translated to a public IP address in the NAT address pool.
·        Address of an interface: the private IP address is translated to the IP address of an interface.
Address Pool
Creates or selects a NAT address pool. This item is displayed only when Translate source address to is set to Address in an address pool. For details, see Create a NAT address pool.
PAT
Port Address Translation lets multiple private IP addresses be translated to one public IP address.
This item is displayed only when Translate source address to is set to Address in an address pool.
Interface
Specifies the interface in the destination zone. The interface must have a public IP address configured.
This item is displayed only when Translate source address to is set to Address of an interface.
4.     Click Apply.
Create a NAT address pool
1.     Choose Virtual Gateway System > Source NAT > NAT Address Pool.
2.     In the NAT Address Pool list, click Add.
3.     Set the following parameters.

Parameters
Description
ID
Specifies the number that uniquely identifies the NAT address pool.
Name
Specifies the name of the NAT address pool.
Start IP Address
Specifies the start IP address of the NAT address pool.
A NAT address pool contains at most 256 IP addresses.
End IP Address
Specifies the end IP address of the NAT address pool.
A NAT address pool contains at most 256 IP addresses.
VRRP
Specifies the VRRP group ID.
This item is displayed only when the dual-system hot backup function is configured. 2.2.2.1 HRP details the configuration of the dual-system hot backup function.
In dual-system hot backup networking, if the addresses in the NAT address pool are on a different network segment from the virtual IP address of the VRRP backup group, this parameter is not required. Otherwise, this parameter is required, and its value is the ID of the VRRP backup group on the NAT outbound interface.
4.     Click Apply.
Other operations
·    Enabling or disabling a Source NAT: a Source NAT is enabled as soon as it is created. A disabled Source NAT does not take effect.
·    Duplicating a Source NAT: when you duplicate a Source NAT, you can adjust the copy into a new Source NAT. The new Source NAT is numbered in ascending order after the existing Source NATs. To create several similar Source NATs, click the duplicate icon of the Source NAT to be duplicated in the Source NAT list.
·    Moving a Source NAT: you can adjust the positions of the Source NATs in an inter-zone to change their matching order. A Source NAT higher in the list has a higher priority and is matched first. To move a Source NAT, click the move icon of the Source NAT to be moved in the Source NAT list.
·    Inserting a Source NAT: in the Source NAT list, click the insert icon of an existing Source NAT to add a new Source NAT to the inter-zone. The new Source NAT is inserted before the current one.
·    Changing a NAT address pool: a referenced NAT address pool cannot be changed. Remove the reference first.
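The Source NAT behaviour described in section 4.1 (first match in priority order wins, a Deny match stops the search without translating, basic NAT binds one private address to one pool address, NAPT shares a pool address by rewriting source ports, Easy IP uses the outbound interface address) as an added Python model; it is not SVN code, and the class names, the 256-address pool limit check, the port range starting at 10240 and the sample rules and addresses are my own constructions.

```python
"""Model of the Source NAT matching and translation described in section 4.1.
Added example, not SVN code; the classes, the NAPT port range (10240 upwards) and
the sample rules are constructed, and a pool is limited to 256 addresses as the page states."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class NatPool:
    start: str
    end: str

    def __post_init__(self):
        s, e = ipaddress.IPv4Address(self.start), ipaddress.IPv4Address(self.end)
        if e < s or int(e) - int(s) + 1 > 256:
            raise ValueError("a NAT address pool holds 1 to 256 consecutive addresses")
        self.addresses = [str(ipaddress.IPv4Address(a)) for a in range(int(s), int(e) + 1)]


@dataclass
class SourceNatRule:
    source_zone: str
    dest_zone: str
    action: str = "allow"               # "deny" = matched packets are not translated
    source_net: str = "any"             # Source Address (CIDR or "any")
    dest_net: str = "any"               # Destination Address (CIDR or "any")
    pool: Optional[NatPool] = None      # Translate source address to: address pool
    pat: bool = False                   # PAT on -> NAPT, off -> basic one-to-one NAT
    interface_ip: Optional[str] = None  # Translate source address to: interface (Easy IP)

    def matches(self, pkt: Dict) -> bool:
        def in_net(addr, net):
            return net == "any" or ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net)
        return (pkt["src_zone"] == self.source_zone and pkt["dst_zone"] == self.dest_zone
                and in_net(pkt["src_ip"], self.source_net)
                and in_net(pkt["dst_ip"], self.dest_net))


class SourceNat:
    def __init__(self, rules: List[SourceNatRule]):
        self.rules = list(rules)             # list position == priority, earliest first
        self.bindings: Dict[str, str] = {}   # basic NAT: private ip -> public ip
        self.next_port: Dict[str, int] = {}  # NAPT / Easy IP: public ip -> next free port

    def translate(self, pkt: Dict) -> Dict:
        """Return a copy of the packet after source translation; unchanged if no rule applies."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            out = dict(pkt)
            if rule.action == "deny":
                return out                           # first match wins, even a Deny
            if rule.interface_ip is not None:        # Easy IP: many-to-one on the interface address
                out["src_ip"] = rule.interface_ip
                out["src_port"] = self._alloc_port(rule.interface_ip)
            elif rule.pat:                           # NAPT: pool address plus a fresh port
                pool = rule.pool.addresses
                out["src_ip"] = pool[int(ipaddress.IPv4Address(pkt["src_ip"])) % len(pool)]
                out["src_port"] = self._alloc_port(out["src_ip"])
            else:                                    # basic NAT: port untouched, address 1:1
                out["src_ip"] = self._bind_one_to_one(pkt["src_ip"], rule.pool)
            return out
        return dict(pkt)

    def _alloc_port(self, public_ip: str) -> int:
        port = self.next_port.get(public_ip, 10240)
        self.next_port[public_ip] = port + 1
        return port

    def _bind_one_to_one(self, private_ip: str, pool: NatPool) -> str:
        if private_ip in self.bindings:
            return self.bindings[private_ip]
        for pub in pool.addresses:
            if pub not in self.bindings.values():
                self.bindings[private_ip] = pub
                return pub
        raise RuntimeError("basic NAT pool exhausted: a public address cannot be shared")


def packet(src_zone, dst_zone, src_ip, dst_ip, src_port=40000, dst_port=443) -> Dict:
    return dict(src_zone=src_zone, dst_zone=dst_zone, src_ip=src_ip,
                dst_ip=dst_ip, src_port=src_port, dst_port=dst_port)


# Constructed sample: management hosts exempt (Deny listed first), office hosts get basic
# NAT from a two-address pool, a lab segment shares one address via NAPT, rest uses Easy IP.
SAMPLE_RULES = [
    SourceNatRule("trust", "untrust", action="deny", source_net="10.0.99.0/24"),
    SourceNatRule("trust", "untrust", source_net="10.0.1.0/24",
                  pool=NatPool("203.0.113.10", "203.0.113.11")),
    SourceNatRule("trust", "untrust", source_net="10.0.2.0/24",
                  pool=NatPool("203.0.113.20", "203.0.113.20"), pat=True),
    SourceNatRule("trust", "untrust", interface_ip="198.51.100.1"),
]

if __name__ == "__main__":
    nat = SourceNat(SAMPLE_RULES)
    print(nat.translate(packet("trust", "untrust", "10.0.2.7", "192.0.2.80")))
```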
4.2 Configuring Static Routes
Static routes are suitable for networks with a simple topology. Correctly configuring and applying static routes lets you control route selection precisely, improve network performance, and ensure sufficient bandwidth for critical applications.
Prerequisite
A virtual gateway with intranet isolation enabled has been created.
Create a static route
1.     Choose Virtual Gateway System > Virtual Gateway Route > Static Route.
2.     In the static route list, click Add.
3.     Set the following parameters.

Parameters
Description
Destination Address
Specifies the destination IP address.
Mask
Specifies the IP address mask.
Next Hop
Specifies the IP address of the next hop.
Each route entry has a next-hop address. When a packet is to be sent, the route to its destination address is looked up in the routing table; the link layer then finds the corresponding MAC (Media Access Control) address and forwards the packet.
When configuring a static route, you can specify either the outbound interface or the next-hop address.
Interface
Specifies the name of the outbound interface.
When configuring a static route, specify the outbound interface or the next-hop address as follows:
·        If the outbound interface is a point-to-point (PPP) interface, specify the outbound interface.
For a point-to-point interface, specifying the outbound interface also determines the next-hop address: the IP address of the peer interface is the next-hop address.
·        If the outbound interface is a broadcast interface, the next-hop IP address must be specified.
It is not recommended to specify an Ethernet interface as the outbound interface of a static route, because an Ethernet interface is a broadcast interface with multiple possible next-hop addresses, so the next hop cannot be determined from the interface alone. In the specific cases where a broadcast interface such as an Ethernet interface must be specified as the outbound interface, also specify the next-hop address for the packets transmitted on that interface.
Priority
Specifies the priority of the static route.
Different priorities enable flexible routing. For example, configuring the same priority for several routes to the same destination achieves load balancing, while configuring different priorities for them achieves route backup.
4.     Click Apply.
Hope your virtual gateway has been set up successfully.
