International Service Centre: +60 12711 7129 (7511)
Malaysia: 1700817071
Email: tech.support@sangfor.com.hk
RMA: rma@sangfor.com.hk
SSL M6.8EN User Manual
FEB2015
SANGFOR SSL M6.8EN User Manual
Table of Contents
About This Manual
Symbol Conventions
Technical Support
Chapter 2 Initial Login to Admin Console
Logging in to Admin Console
Chapter 3 System and Network Settings
Viewing Status
Viewing SSL VPN Status
System Settings
Configuring System Related Settings
Configuring License of Device and Function Modules
Modifying System Date and Time
Configuring IP Assignment Options (DHCP)
Configuring Local Subnet
General Settings
Web Cache
User Logging in
Adding User Group
Adding User
Searching for Users
Adding Role
Adding Policy Set
Restarting/Shutting Down Device or Services
System Automatic Update
Appendix A: End Users Accessing SSL VPN
No part of the contents of this document shall be extracted, reproduced or transmitted in any form or by any means
without prior written permission of SANGFOR.
SINFOR, SANGFOR and the Sangfor logo are the trademarks or registered trademarks of Sangfor Inc. All
other trademarks used or mentioned herein belong to their respective owners.
This manual shall only be used as usage guide, and no statement, information, or suggestion in it shall be
considered as implied or express warranty of any kind, unless otherwise stated. This manual is subject to change
without notice. To obtain the latest version of this manual, please contact the Customer Service of Sangfor.
Preface
About This Manual
SSL VPN M5.8EN user manual includes the following chapters:
Chapter | Describe…
Chapter 1 Knowing Your Sangfor Device | The product appearance, function features and performance parameters of SSL VPN M5.3EN, wiring and cautions before installation.
Chapter 2 Initial Login to Admin Console | How administrator logs in to SSL VPN M5.3EN administrator console for the first time and change initial administrator password.
Chapter 3 System and Network Settings | How administrator configures each function module. The settings include system and network related settings, global settings of SSL VPN, as well as other system objects such as schedule and administrator.
Chapter 4 SSL VPN | How administrator configures SSL VPN related setting, including users, resources, roles, user authentication methods, policy sets, remote servers, endpoint security.
Chapter 6 System Maintenance | Maintenance options of this SSL VPN hardware device.
Appendix A: End Users Accessing SSL VPN | How end users configure browser and log in to SSL VPN.
Appendix B: Sangfor Firmware Updater 6.0 | How administrator uses Sangfor Firmware Updater 6.0 to update the current Sangfor device.
Document Conventions
Graphic Interface Conventions
This manual uses the following typographical conventions for special terms and instructions:
Convention: boldface
Meaning: Page title, parameter, menu/submenu, button, key press, link, other highlighted keyword or item
Example:
Page/tab name example: Navigate to System>Administrator to enter the Administrator Management page.
Parameter example: IP Address: Specifies the IP address that you want to reserve for certain computer
Menus/submenus example: The basic (SSL VPN related) settings are under System>SSL VPN Options > General.
Button example: Click the Save button to save the settings.
Key press example: Press Enter key to enter the administrator console of the Sangfor device.
Link example: Once the certificate-signing request is generated, click the Download link to download the request.
Highlighted keyword/item example: The user name and password are Admin by default.
Convention: italics
Meaning: Directory, URL
Example: Enter the following address in the IE address bar: http://10.254.254.254:1000
Convention: >
Meaning: Multilevel menu and submenu
Example: Navigate to System>Network Interface to configure the network interfaces.
Convention: “ ”
Meaning: Prompt
Example: The browser may pop up the prompt “Install ActiveX control”.
Symbol Conventions
This manual also adopts the following symbols to indicate the parts that need special attention during operation:
Convention | Meaning | Description
[symbol] | Caution | Indicates actions that could cause setting error, loss of data or damage to the device
[symbol] | Warning | Indicates actions that could cause injury to human body
[symbol] | Note | Indicates helpful suggestion or supplementary information
CLI Conventions
Command syntax on Command Line Interface (CLI) applies the following conventions:
Content in brackets ([ ]) is optional
Content in {} is necessary
If there is more than one option, use vertical bar (|) to separate each option, for example,
ip wccp60redirect { in | out }
CLI command appears in bold, for example:
Configure terminal
Variables appear in italic, for example:
Interface e0/1
Technical Support
For technical support, please contact us through the following:
Thanks for using our product and user manual. If you have any suggestion about our product or user manual, please
provide feedback to us through phone call or email. Your suggestion will be much appreciated.
Chapter 1 Knowing Your Sangfor Device
This chapter introduces the Sangfor device and the way of connecting it. After proper hardware
installation, you can configure and debug the system.
To ensure endurance and stability of the Sangfor device, please ensure the following:
The power supply is well grounded
Dustproof measures are taken
Working environment is well ventilated
Indoor temperature is kept stable
This product conforms to the requirements on environment protection. The placement, usage and discard of the
product should comply with the relevant national laws and regulations of the country where it is applied.
Product Appearance
Above is the front panel of a SSL VPN hardware device (M5100). The interfaces from left to right are described in
the following table:
Interface | Description
CONSOLE | Network interface used for high availability (HA) feature or used by device supplier to debug system.
USB | Standard USB port, connecting to peripheral device
ETH0 | LAN interface, connecting to the LAN network segment; orange LED on the left side indicates link status, while green LED on the right side indicates data flow.
ETH1 | DMZ interface, connecting to the DMZ network segment; orange LED on the left side indicates link status, while green LED on the right side indicates data flow.
ETH2 | WAN1 interface, connecting to the first Internet line; orange LED on the left side indicates link status, while green LED on the right side indicates data flow.
ETH3 | WAN2 interface, connecting to the second Internet line; orange LED on the left side indicates link status, while green LED on the right side indicates data flow.
POWER | Power LED
ALARM | Alarm LED
The picture above (M5100) is just for reference. The actual product you purchased and received may vary.
Connecting Sangfor Device
1. Deploy the Sangfor device in your network. Sangfor device can be deployed in either Single-arm mode or
Gateway mode. For details, please refer to the Device Deployment section in Chapter 3.
2. Plug the power cable into the power interface on the rear panel of the device. Attach and turn on power supply,
and then watch the LEDs on the front panel of the Sangfor device.
When the device starts up, ALARM LED will turn on and keep on for 1 to 2 minutes, then turn off; POWER
LED (in green) will turn on; ETH2/3 and ETH0 connection status LEDs (in orange) will turn on.
After successful boot up, POWER LED (in green), ETH2/3 and ETH0 connection status LEDs (in orange)
will stay on. If data are being transferred through a port, the data flow LED (in green, beside connection status
LED) will blink.
If ALARM LED stays on always, please switch off the power supply and reboot the device. If ALARM LED
still keeps on after reboot, please contact SANGFOR Customer Service.
If the corresponding LED indicates normal working status, turn off and unplug the power supply, and perform
the following steps.
3. Use RJ-45 straight-through Ethernet cable to connect the LAN interface (ETH0) to the internal network
(LAN).
4. Use RJ-45 Ethernet crossover cable to connect the WAN interface (ETH2) to the external network, (i.e.,
router, optical fiber transceiver or ADSL Modem for external network).
Multi-line function allows multiple Internet lines to be connected to Sangfor device. When deploying multiple
lines, please connect the second Internet line to WAN2 interface (ETH3) and the third Internet line to WAN3
interface (ETH4), and so on.
5. If you want the Sangfor device to provide secure protection for DMZ (Demilitarized Zone), use RJ-45
Ethernet cable to connect ETH1 interface to the devices such as Web server, SNMP Server that provides
services to external networks.
Use crossover cable to connect WAN interface (ETH2/3) to the external network.
Use straight-through cable to connect LAN interface (ETH0) to the internal network.
For direct access to administrator Web console, use crossover cable to connect LAN (ETH0) interface to
the computer.
If a session cannot be established even though the corresponding LED indicates normal working status,
please check whether the right type of cable is being used. The differences between straight-through cable
and crossover cable are shown in the figures below:
Chapter 2 Initial Login to Admin Console
SANGFOR SSL VPN system provides Web-based administration through HTTPS port 4430. The initial URL for
administrator console access is https://10.254.254.254:4430.
Before logging in to administrator console of SSL VPN, please ensure the following:
Deploy a computer in the subnet where the Sangfor device resides.
Connect the PC’s network interface card (NIC) and the Sangfor device’s ETH0 interface to the same layer-2
switch, or connect the PC’s NIC to the Sangfor device’s ETH0 interface directly with a network cable.
Ensure any IE browser is installed on the PC. Non-IE browsers Opera, Firefox, Safari and Chrome are not
supported.
Logging in to Admin Console
1. Turn on the PC and Sangfor device.
2. Add an IP address on the PC, an IP address that resides in the network segment 10.254.254.X (for instance,
10.254.254.100) with subnet mask 255.255.255.0, as shown below:
3. Open the IE browser and enter the SSL VPN address and HTTPS port (https://10.254.254.254:4430) into the
address bar. Press Enter key to visit the login page to SSL VPN administrator Web console, as shown below:
4. Enter the administrator username and password and click the Log In button. The default administrator
username is Admin (case-sensitive) and password is Admin (case-sensitive).
5. For version information of the software package, click on Version below the textboxes.
Modifying Administrator Password
We strongly recommend you to change the administrator password after initial login, to prevent others from logging
in to the administrator Web console and using default Admin credentials to make unauthorized changes on the
administrator account and initial configurations.
To modify default administrator password, perform the following steps:
1. Navigate to System>Administrator to enter the Administrator Management page. The default administrator
account (super administrator) is as seen in the figure below:
2. Click the account name Admin to enter the Add/Edit Administrator page (as shown below):
3. Modify the password and click the Save button on the above page.
Password of the account Admin should not be shared with anyone.
If the Sangfor device is to be maintained by several administrators, create multiple administrator accounts for
segregation of duty.
Chapter 3 System and Network Settings
After logging in to the administrator console, status of this SSL VPN and some function modules are seen at the
right side of the page and a tree of configuration modules are seen at the left side of the page.
There are four configuration modules in all:
Status: Shows the running status of the Sangfor device and the
related modules.
System: Configures the related licenses of the device, network
settings and other global settings such as schedule,
administrator, SSL VPN options, etc.
SSL VPN: Configures the SSL VPN related settings, such as SSL VPN account, resources, roles, policy sets,
remote servers and endpoint security rules and policies.
Maintenance: Shows the logs, backups. It also enables administrator to restore configuration, restart service,
reboot or shut down device.
Viewing Status
Viewing SSL VPN Status
There are six panels showing status of SSL VPN, including System Status, External Interface Status,
Throughput, Trends of Concurrent Users, Concurrent Sessions and Byte Cache.
Each panel is optional and its display criteria are configurable. To show or hide a certain panel, click Select Panel and
then select or clear the checkbox next to the panel name, as shown below:
The other contents on the Status page are described as follows:
Auto Refresh: Specifies the time interval for refreshing the status automatically, or click Refresh to refresh
the page manually and immediately.
System Status: This panel shows the CPU utilization of the SSL VPN system, number of online users and
locked users as well as status of SSL VPN service. View is a link to the Online User page or Hardware ID
page.
Stop Service: Click this button to stop the SSL VPN service.
External Interface Status: This panel shows the status of the external interfaces and Internet, including
information of the outbound and inbound speed, Internet connection.
Throughput: This panel shows the overall outbound and inbound speed in graph.
Click the Settings icon (at the upper right of the panel) to specify display criteria, such as time period
(realtime, last 24 hours or last 7 days), Internet line and the unit of traffic speed, as shown below:
Trends of Concurrent Users: This panel shows the number of users that are using SSL VPN concurrently
during certain period of time, as shown below:
Click the Settings icon (at the upper right of the panel) to specify time period (real time, last 24 hours or
last 7 days), as shown below:
Concurrent Sessions: This panel shows the concurrent sessions initiated by users currently or during certain
period of time, as shown below:
Click the Settings icon (at the upper right of the panel) to specify time period (real time, last 24 hours or
last 7 days).
Byte Cache: This panel shows the byte cache status and optimization effect brought by byte caching, as
shown below:
Click the Settings icon (at the upper right of the panel) to specify display criteria, such as time period
(real time, last 24 hours or last 7 days) and direction of traffic speed (inbound & outbound, outbound or
inbound), as shown below:
Viewing Online Users
Navigate to Status>SSL VPN>Online User to view information of the online users, such as number of users
connecting to the SSL VPN, the time when these online users connected, the amount of received/sent bytes, as well
as the outbound and inbound speed. Administrator can disconnect or disable any of these online users.
The Online Users page is as shown below:
The following are the contents included on Online Users page:
Auto Refresh: Specifies the time interval for refreshing this page, or click Refresh to refresh the page
manually and immediately.
Disconnect: Click it and select an option to disconnect, or disconnect and disable the selected user(s), as
shown below:
If Disconnect is selected, the selected user will be forced to disconnect from the SSL VPN.
If Disconnect & Disable is selected and the Apply button is clicked (on the pop-up bar at the top of the page), the
selected user will be forced to disconnect from the SSL VPN and be prohibited from logging in
again until it is unlocked.
Send Msg: Click it to write and send a message to the specified SSL VPN user(s), as shown below:
Click the OK button and the online end user(s) will see the system broadcasting prompt, as shown below:
Viewing Alarm Logs
Navigate to Status>SSL VPN>Alarm Logs to view the alarm-related logs on the Sangfor device, as shown below:
The following are the contents included on Alarm Logs page:
Delete: Click it and the selected alarm log(s) will be removed from the log list.
Select: Click it and three options appear, namely, Current page, all pages and Deselect.
If Current page option is selected, all the logs displayed on this page will be selected.
If all pages option is selected, all the logs (including those on all other pages that are not displayed) will be
selected.
If Deselect is selected, all the selected logs will be deselected, as shown in the figure below:
Alarm-Triggering Event: Click it to enter the Alarm-Triggering Event page to specify the event(s) that can
trigger email alarm.
The following are the contents included on the Alarm-Triggering Event page:
Line failure: Indicates that there is something wrong with Internet line.
Insufficient SSL VPN user licenses: Indicates the number of concurrent users that are connecting to
SSL VPN reaches the maximum number of licenses.
Long-lasting high CPU utilization (over 90%): Indicates that the CPU utilization has stayed too high (above
90%) for 120 seconds. Once it reaches the threshold, the system will send an email to the specified
email address to notify the administrator, and will do so again when the CPU utilization of the system
returns to normal.
Insufficient memory (free space below 10%): Once system memory stays insufficient (below 10%) for
4 minutes, the system will send an email to the specified email address to notify the administrator,
and will do so again when the system memory returns to normal.
Clustered node status changes: Once any node of the cluster changes status, the system will send an
email to the specified email address to notify the administrator of that.
Byte cache disk runs out: When the byte cache runs out of the assigned disk space, the system will
email an alarm event to the specified email address to notify the administrator of that.
Connecting to Web Agent fails: If the Web Agent is inaccessible, the system will email an alarm event
to the specified email address to notify the administrator of that.
Admin tries brute-force login: If an administrator successively fails to log into the SSL VPN
administrator console too many times, the system will email an alarm event to the specified email address
to notify the administrator of that.
User tries brute-force login: If a VPN user successively fails to log into SSL VPN too many times, the
system will email an alarm event to the specified email address to notify the administrator of that.
Remote application anomaly: Indicates that the system will generate remote application related alarm
once error arises from remote application, and will email an alarm event to the specified email address to
notify the administrator of that.
Certificate is about to expire: If the SSL certificate is about to expire, the system will email an alarm event to
the specified email address to notify the administrator of that.
CF card/disk related: If the CF card or disk encounters an error, the system will email an alarm event to the
specified email address to notify the administrator of that.
Email Alarm: Click it to enter Email Alarm page. Select the checkbox next to Enable Email Alarm and
configure email recipient and subject. An email notification will be sent to the email address once alarm is
triggered by any of the specified alarm-triggering event(s).
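The timing rules in the Alarm-Triggering Event list above (CPU over 90% for 120 seconds, free memory below 10% for 4 minutes, a second notification on return to normal, and repeated failed logins) can be reproduced in an external monitor. The following is an added example, not Sangfor code or part of the original manual; the sampling intervals, the threshold of 5 consecutive failed logins (the manual only says "too many times") and all sample data are assumptions constructed for illustration.

```python
# Added illustration, not Sangfor code: models the alarm timing rules above.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class SustainedAlarm:
    """Alarm when a condition holds continuously for hold_s seconds,
    then notify once more when the metric returns to normal."""
    breached: Callable[[float], bool]
    hold_s: int
    since: Optional[int] = field(default=None, init=False)  # breach start time
    active: bool = field(default=False, init=False)         # alarm already sent

    def feed(self, ts: int, value: float) -> Optional[str]:
        if self.breached(value):
            if self.since is None:
                self.since = ts
            if not self.active and ts - self.since >= self.hold_s:
                self.active = True
                return "ALARM"
            return None
        self.since = None              # any normal sample resets the timer
        if self.active:
            self.active = False
            return "RECOVERED"
        return None


@dataclass
class ConsecutiveFailureAlarm:
    """Alarm once when an account reaches max_failures failed logins in a row."""
    max_failures: int  # assumption: the manual gives no number
    streak: Dict[str, int] = field(default_factory=dict, init=False)

    def feed(self, account: str, success: bool) -> bool:
        if success:
            self.streak.pop(account, None)  # a successful login ends the streak
            return False
        self.streak[account] = self.streak.get(account, 0) + 1
        return self.streak[account] == self.max_failures


def replay_metric(alarm, samples):
    """Return [(timestamp, state)] for every notification the alarm emits."""
    out = []
    for ts, value in samples:
        state = alarm.feed(ts, value)
        if state:
            out.append((ts, state))
    return out


def replay_logins(alarm, events):
    """Return [(event_index, account)] for every brute-force alarm raised."""
    return [(i, acct) for i, (acct, ok) in enumerate(events) if alarm.feed(acct, ok)]


def cpu_alarm():
    # "Long-lasting high CPU utilization (over 90%)" held for 120 seconds
    return SustainedAlarm(lambda pct: pct > 90, hold_s=120)


def mem_alarm():
    # "Insufficient memory (free space below 10%)" held for 4 minutes
    return SustainedAlarm(lambda free_pct: free_pct < 10, hold_s=240)


# Constructed sample data (not captured from a device): (seconds, percent).
CPU_SAMPLES = [(0, 50), (30, 95), (60, 96), (90, 97), (120, 93), (150, 98),
               (180, 99), (210, 40), (240, 95), (270, 95), (300, 20)]
MEM_FREE_SAMPLES = [(0, 35), (60, 8), (120, 7), (180, 9), (240, 6),
                    (300, 5), (360, 30)]
# Constructed login events: (account, success).
LOGIN_EVENTS = [("alice", False), ("alice", False), ("alice", True),
                ("Admin", False), ("Admin", False), ("Admin", False),
                ("Admin", False), ("Admin", False), ("Admin", False),
                ("alice", False)]

if __name__ == "__main__":
    print("cpu   :", replay_metric(cpu_alarm(), CPU_SAMPLES))
    print("memory:", replay_metric(mem_alarm(), MEM_FREE_SAMPLES))
    print("logins:", replay_logins(ConsecutiveFailureAlarm(5), LOGIN_EVENTS))
```

The short CPU spike at the end of the sample data lasts under 120 seconds, so it produces neither an alarm nor a recovery notice.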
Viewing Remote Application
Navigate to Status>SSL VPN>Remote Application to view the information and status of the remote application
servers that provide services to users over SSL VPN, as shown below:
The above page shows information of the remote servers, including name, address, sessions and status of the
remote application server, maximum number of concurrent sessions.
The following are the contents included on Remote Application page:
View: Indicates the object showing up on this page. Options are Servers and Applications, as shown below:
Servers: Mainly offers the information of the involved servers that are providing services to VPN users. They
are the servers configured in SSL VPN>Remote Servers. The page is as shown below:
To view users that are currently connecting to a server, click the server name and detailed information
of the users is seen, as shown in the figure below:
End Session: Select a desired user and then click it, and the session(s) established between the selected user
and that server will be ended.
Applications: Mainly offers the information of the involved services that are being accessed by SSL VPN
users and presents the use of these services since they have been invoked by the requested resource. They are
the application programs configured in SSL VPN>Remote Servers, as shown below:
To view the users accessing an application, click an application name or View User; information of the users
involved is as shown in the figure below:
System Settings
System settings refer to the settings under System module, including System, Network, Schedule, Administrator
and SSL VPN Options.
Configuring System Related Settings
Navigate to System>System and the five pages are seen, namely, Licensing, Date/Time, Console Options,
External Data Center, Device Certificate, SMTP, Syslog and SNMP, as shown below:
Configuring License of Device and Function Modules
Navigate to System>System>Licensing to activate the license or modify the license key related to this device and
each function module.
Under License of Device are the license of this Sangfor device and other authorization you have bought from
SANGFOR. Under License of Each Module are licenses that are optional for Sangfor device. Once the license of a
function module is activated and that feature is enabled, the corresponding module will work.
The following are the contents included on licensing page:
Cross-ISP Access Optimization: Cross-ISP access optimization function is an optional function offered by
SANGFOR SSL VPN, which helps to facilitate and optimize the data transmission among links provided by
different Internet Service Operators (ISP, in China, for example, there are China Telecom, China Netcom,
etc.).
Upgrade License: The license is used to update the current SANGFOR SSL VPN system with Sangfor
Firmware Updater 6.0 (for more details, refer to Appendix B: Sangfor Firmware Updater 6.0). Every upgrade
license has an expiry date, which means that prior to this date you can update this device to keep the software
version up-to-date.
Device License: Indicates the license of this Sangfor device. The device license determines some other
authorization, more specifically, the maximum number of Internet lines and maximum number of connecting
VPN users.
Lines: Indicates the maximum number of Internet lines that this Sangfor device can be connected to.
SSL VPN Users: Indicates the maximum number of SSL VPN users that are allowed to access the SSL VPN
concurrently.
Mobile Sangfor VPN Users: Indicates the number of mobile users of Sangfor VPN (using the PDLAN client
software). This number plus the number of SSL VPN users equals the total number of VPN users (which
is decided by the license of the Sangfor device you have purchased from SANGFOR).
SSO: With this license, Single Sign-On (SSO) can apply to users’ access to the SSL VPN.
SMS Authentication: With this license, SMS authentication could be enabled to add variety to the
authentication methods applying to users' secure access to the SSL VPN. This type of authentication requires
the connecting users to enter SMS password that has been sent to their mobile phones.
Byte Cache: Byte cache is an additional but optional network optimization function offered by the
SANGFOR SSL VPN. With byte cache being enabled, time for data transmission and bandwidth consumption
will be dramatically reduced.
Cluster: This license allows you to enable cluster to couple some scattered Sangfor devices. It is known that
cluster can achieve unified management and greatly improve the performance, availability, reliability of the
“network” of Sangfor devices.
Secure Desktop: This license makes Secure Desktop feature available. If Secure Desktop is enabled, users’
access could be strictly restricted and consequently data related to the visited resources will not be disclosed.
One-Way Acceleration: This license allows the transfer rate to be optimized in high-latency and high packet loss
networks.
Remote Application: With this license, applications launched by remote server can be accessed remotely
through SSL VPN by end users from any location, as if they are running on the end user’s local computer.
Max Remote App Users: Indicates the maximum number of users that can access the remote application
resources.
Modifying System Date and Time
1. Navigate to System>System>Date/Time to enter Date/Time page, as shown below:
2. Configure the following:
Date: Specifies the date. To select date, click the icon.
Time: Specifies the time. Enter the time into this field and set it as the current time of this Sangfor device.
The time format should be hh:mm:ss.
Sync with Local: Click this button to synchronize the date and time of the Sangfor device with your
computer.
3. Click the Save button to save the settings, or click the Cancel button not to save the changes.
Modifying system date or time requires all services to restart.
Configuring Console Options
1. Navigate to System>System>Console Options to enter Console Options page, as shown below:
2. Configure the following:
Device Name: Specifies the name of the Sangfor device, which helps to distinguish it from other
clustered nodes if this device joins cluster.
HTTP Port: Specifies the HTTP port used for logging into this Sangfor device. The default is 1000.
HTTPS Port: Specifies the HTTPS port used for logging into this Sangfor device. The default is 4430.
Timeout: Specifies the period of time before administrator is forced to log out of the administrator
console if no operation is performed.
Remote Maintenance: Indicates whether to enable or disable administrator to manage this Sangfor
device via the WAN interface.
3. Click the Save button to save the settings on this page; otherwise, click the Cancel button.
External Data Center
The External Data Center settings allow the generated system logs, user logs, management logs and alarm logs to be
synchronized to an external data center.
1. Navigate to System>System>External Data Center to enter External Data Center page, as shown
below:
2. Configure the following:
External Data Center: Select the checkbox “Send logs to external data center”.
Server IP: Specifies the IP address of the external data center.
Port: Specifies the port of the external data center. The default is 9501.
Sync Password: Specifies the password for logging in to the external data center. It must be the same on the
device and the server.
Generating Certificate for Sangfor Device
Device certificate is intended for establishing sessions between the Sangfor device and client. To view current
certificate of or to generate certificate for the Sangfor device, navigate to System>System>Device Certificate, as
shown in the figure below:
The following are the contents included on the Device Certificate page:
View: Click it to view the detailed information of the current certificate.
Download: Click it to download the current device certificate.
Update: Click it to import a new certificate to take the place of the current one.
Certificate/USB Key Based Authentication: Click it to configure Certificate/USB key-based authentication
(for more details, refer to the Certificate/USB Key Based Authentication section in Chapter 4).
Create CSR: Click this button to generate a certificate-signing request (CSR) which should be sent to the
external CA to generate the device certificate. For more details, please refer to Scenario 17: Using External
CA Root Certificate to Generate Device Certificate in Chapter 4.
Configure the required fields and then click the OK button.
Once the certificate signing request is generated, click the Download Link to download the request. The
contents of the downloaded request file are as shown below:
Update: Click it to import the new external-CA-issued device certificate into the Sangfor device to replace the
old one.
Configuring SMTP Server
1. Navigate to System>System>SMTP to enter the SMTP page, as shown below:
2. Configure the following:
SMTP Server IP: Specifies the IP address of the SMTP server.
Port: Specifies the port number used by this SMTP server to provide email delivery related services.
Authentication: Select Authentication required and then configure Username and Password, if this
SMTP server requires identity verification.
Mail Address: Specifies the email address used to send email.
Send Test Email: Click this button to send an email to the specified recipient (configured under
Status>Alarm Logs>Email Alarm) to check whether this SMTP server works normally.
3. Click Save to save the settings on this page; otherwise, click Cancel.
Network Settings
Device Deployment
Sangfor device can work in two modes, Single-Arm mode and Gateway mode. Deployment mode is configured in
System>Network>Deployment.
If Single-arm mode is selected, the Deployment page is as shown in the figure below:
The following are the contents included on the Deployment page when Single-arm is selected:
(LAN) IP Address: Configures the IP address of the internal interface, LAN. This IP address must be
identical to the physical LAN interface IP of the Sangfor device.
Netmask: Configures the netmask of the LAN interface IP.
Default Gateway: Configures the default gateway of the LAN interface.
(DMZ) IP Address: Configures the IP address of the internal interface, DMZ.
Netmask: Configures the netmask of the DMZ interface IP.
Link Status: Indicates the connection status of internal and external interfaces of the Sangfor device, whether
the network cables are plugged in.
Preferred DNS: Configures the primary DNS server.
Alternate DNS: Configures the secondary DNS server.
If Gateway mode is selected, the Deployment page is as shown in the figure below:
The following are the contents included on the Deployment page when Gateway is selected:
(LAN) IP Address: Configures the IP address of the internal interface, LAN. This IP address must be
identical to the physical LAN interface IP of the Sangfor device.
Netmask: Configures the netmask of the LAN interface IP.
(DMZ) IP Address: Configures the IP address of the internal interface, DMZ.
Netmask: Configures the netmask of the DMZ interface IP.
Link Status: Indicates the connection status of internal and external interfaces of the Sangfor device, whether
the network cables are plugged in.
External Interfaces: External interfaces are WAN interfaces of the Sangfor device. To set a WAN interface,
click on the name and the attributes of the corresponding Internet line appears, as shown in the figure below:
The following are the contents included on the Edit Line page, when line type is Ethernet:
Enable this line: Select this option and this line will be enabled.
Line Type: Options are Ethernet or PPPoE.
If line type Ethernet is selected, the fields under Ethernet Settings should be configured, so that the
Internet line would be assigned IP address and DNS server.
IP address and DNS server can be assigned automatically or configured manually. The former is
achieved by selecting the option Obtain IP and DNS server using DHCP, and the latter means that
the administrator needs to select the option Use the IP and DNS server below and configure the IP address,
default gateway and DNS servers.
Multi-IP: This button is only available for Ethernet type of Internet line, which means multiple IP
addresses can be set on WAN interface. Click this button and the following dialog pops up, as shown
below:
To add a new IP address entry, click Add.
To remove an IP address from the list, select the desired entry and click Delete.
The IP address added should reside in the same network segment as the WAN interface IP address
and point to the same gateway. Otherwise, it will be invalid for this Internet line.
If line type PPPoE is selected, the fields under PPPoE Settings should be configured, as shown in the
figure below:
Username, Password: Configure the ADSL account to get dial up access.
Automatically connect: Select the checkbox next to this option to have the Sangfor device dial up
automatically when the Internet connection is dropped.
The changes apply after settings are saved (click the Save button) and services restart. Once the
changes have been applied, go to this page again and click the Connect button to dial up immediately.
For detailed information of dial up, click More Details.
Options: Click this button to enter the PPPoE Properties page and configure the parameters for
dial up, such as handshake time, timeout, and max tries. It is recommended to keep the defaults.
Scenario 1: Deploying Device in Gateway Mode
Background:
One network segment of a local area network is 192.200.200.0/24
A Sangfor device is to be deployed in Gateway mode
External network is an Ethernet network; the IP address assigned by the Internet server operator is 10.1.1.254.
Perform the following steps:
1. Deploy and connect the related devices as shown in the figure below:
2. Log in to the administrator console (for detailed guide, refer to the Logging in to Admin Console section in
Chapter 2).
3. Configure network interfaces of the device (for detailed guide, refer to the Device Deployment section in
Chapter 3).
If there are multiple Internet lines (which should be authorized), perform the following steps to
configure the other line(s).
4. Configure the second Internet line, its IP address, netmask, default gateway, DNS server, etc. (for detailed guide,
refer to the Device Deployment section in Chapter 3).
5. Configure multi-line options (for detailed guide, refer to the Setting Multiline Options section in Chapter 3).
6. Click the Save button to save the settings and restart the Sangfor device.
Scenario 2: Deploying Device in Single-Arm Mode
Background:
One network segment of a local area network is 192.200.200.0/24
A Sangfor device is to be deployed in the local area network, in Single-arm mode
The front-end firewall is connected to external networks through an Internet line
Perform the following steps:
1. Deploy and connect the related devices, as shown in the figure below:
2. Log in to the administrator console (for detailed guide, refer to the Logging in to Admin Console section in
Chapter 2).
3. Go to System>Network>Deployment page and configure the network interfaces of the device (for detailed
guide, refer to the Device Deployment section in Chapter 3).
4. Click the Save button to save the settings and restart the Sangfor device.
5. Configure the front-end firewall, and make sure that the corresponding ports (80 and 443 by default) of the
front-end firewall are mapped to those on the Sangfor device.
If the front-end device is connected to two Internet lines, enable the multi-line policy of SSL VPN and
configure the second line by performing the following two steps.
6. Go to System>Network>Multiline Options page. Select the option Allow SSL VPN to Use Multiple Lines
and select SSL VPN users connect in via front-end device (local device owns no public IP address), and
then add the two Internet lines into the line list and click the Save button to save the settings.
7. Configure the front-end firewall again, so that the two ports (TCP 80 and 443) of the public network IP
addresses (of the second Internet line) can be mapped to the Sangfor device.
Setting Multiline Options
If the Sangfor device needs more than one line to connect to its WAN interfaces (including the case that the Sangfor
device is deployed in Single-arm mode), multiline policies should be enabled and configured; more exactly, all the
Internet lines should be configured.
1. Navigate to System>Network>Multiline Options to configure the multiline options.
The Multiline Options page is as shown below, when deployment mode is Single-arm:
The Multiline Options page is as shown below, when deployment mode is Gateway:
2. Configure the Multiline Policy of Sangfor VPN.
Allow Sangfor VPN to Use Multiple Lines: Select this option under Multiline Policy of Sangfor VPN, and
the configured Internet lines will be available for users’ access to Sangfor VPN.
To add a line, click Add. The following figure shows the Add Line for Sangfor VPN page while the
deployment mode is Gateway:
Name the line, enter the IP address and gateway and specify whether or not this line uses a static IP
address. If the line is to use a static Internet IP address, configure IP Address field.
Enable extra net connection detection: Select this option and configure Interval, and connection status
of this line will be detected periodically.
3. Configure Multiline Policy of SSL VPN.
Allow SSL VPN to Use Multiple Lines: Select this option to enable the multiline policy of SSL VPN, if
the SSL VPN is to use multiple lines. Then add the lines into the line list, as shown below:
Once the multiline policy of SSL VPN is enabled, the line selection policy will help the system automatically
detect the lines and choose the optimal one to let the user connect in faster when accessing the SSL VPN,
improving the data transfer and stability of SSL VPN connections.
If the login policy selected is Users use different login pages (under System>SSL VPN Options>Logging in>Login Policy), multiline policy of SSL VPN is disabled by default and unavailable,
which means SSL VPN cannot use multiple lines.
If the Sangfor device is deployed in Single-arm mode and needs to use multiple Internet lines, map the
front-end network device’s public addresses to the Sangfor device and launch the ports, simply by
configuring port mapping rules under Lines Of Front-End Device. To do that, click Add to enter the Edit Line for SSL VPN page, as shown below:
Configure the fields included on the Add Line for SSL VPN page:
Line IP/Domain: Specifies the IP address or domain name of the Internet line.
Priority: Specifies the priority of this line. The higher the priority, the more likely this line is to be
used.
HTTP Port: Specifies the HTTP port of the front-end device that is to be mapped to the Sangfor
device.
HTTPS Port: Specifies the HTTPS port of the front-end device that is to be mapped to the Sangfor
device.
4. Configure the Line Selection Policy, which will apply to the Internet access data sent from/to computers in
the local area network and handled by the Sangfor device.
This is available when Sangfor device is deployed in Gateway mode, as shown below:
The following are the four line selection methods:
Select the line that owns the largest remaining inbound bandwidth: Indicates that the system will
automatically select the line that owns the largest remaining inbound bandwidth, to make full use of the
remaining bandwidth.
Select the line that owns the largest remaining outbound bandwidth: Indicates that the system will
automatically select the line that owns the largest remaining outbound bandwidth, to make full use of the
remaining bandwidth.
Evenly assign the sessions to each line: Indicates that the system will evenly assign the sessions to each
line automatically, without considering the remaining bandwidth.
Select the firstly enabled line preferentially (for VPN deployment): Indicates that the system will
select the valid line that was enabled first. If that line fails or becomes unavailable, the system
automatically switches to the next available line.
5. Click the Save button and then the Apply button to save and apply the settings.
Configuring Route
A route can route the data of the Sangfor device itself, and can route data (either VPN data or VPN-irrelevant data) to the
Sangfor device, which then forwards the data to its destination.
To add a new route, perform the steps below:
1. Navigate to System>Network>Routes to enter the Routes page, as shown below:
2. Click Add>Routes or Multiple routes to add a single route or a batch of routes, as shown below:
3. Enter the destination subnet, network mask and gateway. The following two figures show the two cases of
adding a single route and a batch of routes.
Configuring Host Mapping Rule (HOSTS)
The HOSTS file is the built-in host file (more specifically, the mapping information of the IP addresses and domain
names/hostnames) on the Sangfor device. This file works when SSL VPN users need to access Web resources using
a domain name or host name, generally in the situation that the internal network (where the Sangfor device resides) is
using MS Active Directory.
To add a new Host entry or a batch of Host entries:
1. Navigate to System>Network>Hosts to enter the Hosts page, as shown below:
2. Click Add>Host entry or Multiple host entries, as shown below:
If Host entry is selected, the page pops up as follows. Specify the fields on this page.
The following are the contents included on the Add Host Entry page:
IP Address: Indicates the IP address of the server providing resources.
Host Name: Indicates the host name of the server providing resources.
Comment: Description to this host mapping rule.
If Multiple host entries is selected, the pop-up page is as shown below. Enter the IP address and domain into
the text box in the format as required.
Configuring IP Assignment Options (DHCP)
Navigate to System>Network>DHCP>Options to view Status of DHCP service and configure the Options.
Status tab shows the running status of the DHCP service, the IP addresses that are assigned through each network
interface, the related hostname, MAC address, and lease time left; while Options tab contains the DHCP related
settings, as shown below:
The following are the contents included on Options tab:
DHCP Service: Click Enabled or Disabled to enable or disable the DHCP service.
Lease: Indicates the DHCP IP address lease, that is, the period for which an assigned IP address can be used by the
corresponding user.
IP Address Assignment: Configure the IP address range that can be assigned to the SSL VPN users by each
interface.
To view and assign IP address to a network interface, perform the steps below:
1. Click on the name of a network interface to enter the IP Address Assignment page;
2. Configure the IP range, gateway and DNS server address, as shown below:
3. Click the OK button to save the settings.
In case that some LAN computers are using static private IP addresses, the IP address range configured
above should not cover any of those static IP addresses, otherwise, IP address conflict will occur after
those IP addresses are assigned to VPN users automatically.
Generally, the IP address range configured above should not cover the first and the last IP address of a
network segment, for these two IP addresses are the network address and broadcast address of the network
segment. A correct input is, for example, 192.168.1.1-192.168.1.254.
Reserved IP Address: An IP address (range) reserved for a specific host. To reserve an IP address for a
user, click Add to enter the Reserve New IP Address page, as shown below:
The fields on this page are described as follows:
Interface: Specifies the network interface of this DHCP rule.
IP Address: Specifies the IP address that is to be reserved for a certain computer. The reserved IP address will
not be assigned to VPN users.
Obtain Host Name/MAC: Click this button to obtain the MAC address and host name of the host for
which this IP address is reserved.
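The two range rules above (keep the pool off the network and broadcast addresses, and off statically addressed LAN hosts) can be checked before the range is saved. The following is an added example, not part of the Sangfor product or manual; the function name and the sample addresses are constructed, and it assumes that a static host whose address is also listed under Reserved IP Address is safe, since reserved addresses are not assigned to VPN users.

```python
import ipaddress


def check_dhcp_pool(subnet_cidr, pool_start, pool_end, static_hosts=(), reserved=()):
    """Check one interface's IP Address Assignment range; return a list of problems.

    subnet_cidr:  network segment of the interface, e.g. "192.168.1.0/24"
    static_hosts: LAN addresses configured statically on hosts (not handed out by DHCP)
    reserved:     addresses listed under Reserved IP Address on the device
    """
    net = ipaddress.ip_network(subnet_cidr)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    if start > end:
        return [f"range start {start} is above range end {end}"]
    outside = [a for a in (start, end) if a not in net]
    if outside:
        return [f"{a} is outside the network segment {net}" for a in outside]

    problems = []
    # The first and last address of the segment must not be handed out.
    if start <= net.network_address <= end:
        problems.append(f"range covers the network address {net.network_address}")
    if start <= net.broadcast_address <= end:
        problems.append(f"range covers the broadcast address {net.broadcast_address}")

    # A static host inside the pool collides with a VPN user unless the
    # address is reserved (assumption: reserved addresses are never assigned).
    held = {ipaddress.ip_address(r) for r in reserved}
    for host in static_hosts:
        ip = ipaddress.ip_address(host)
        if start <= ip <= end and ip not in held:
            problems.append(f"static host {ip} is inside the pool and not reserved")
    return problems


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    for args in (
        ("192.168.1.0/24", "192.168.1.1", "192.168.1.254"),
        ("192.168.1.0/24", "192.168.1.0", "192.168.1.255"),
    ):
        print(args, "->", check_dhcp_pool(*args) or "OK")
    print(check_dhcp_pool("192.168.1.0/24", "192.168.1.1", "192.168.1.254",
                          static_hosts=["192.168.1.10"]))
```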
Configuring Local Subnet
Local subnets are the subnets in the LAN where this Sangfor device resides. Configuring local subnets is
intended for the case that the VPN users want to communicate with the other subnets of the headquarters (HQ)
network.
Assume that the HQ has two subnets (192.200.200.x and 192.200.254.x); the subnet 192.200.200.x is a network
segment that is directly connected to the Sangfor device, while the subnet 192.200.254.x is indirectly connected to
the Sangfor device. To add a local subnet entry,
1. Navigate to System>Network>Local Subnets to enter the Local Subnets page, as shown below:
2. Click Add>Subnet or Multiple subnets, as shown below:
If Subnet is selected, the Add Subnet page appears. Configure the subnet, as shown below:
Since the subnet 192.200.254.x is indirectly connected to the Sangfor device (which resides in a different
network segment), enter the IP address and netmask into the corresponding fields and then click the Save
button.
If Multiple subnets is selected, one subnet or multiple subnets can be added in one step. The Add Multiple
Subnet – Edit Subnet Info page is as shown in the figure below:
The local subnets are deemed as network segments of VPN by the Sangfor device and the client software,
which means all the data sent from (or to) these network segments through the Sangfor device or software will
be encapsulated into and transmitted through the VPN tunnels. For this reason, if you want to allow the VPN
users to access a certain subnet, add the related subnet into the list on the Local Subnets page and then go to the
Routes page to configure a corresponding route.
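A local subnet that is not directly connected and has no usable route is tunnelled to the device and then dropped, so it is worth cross-checking the Local Subnets list against the Routes list. The following is an added example, not code from the Sangfor product; the function name, the interface host address 192.200.200.1 and the gateway addresses are constructed, and it handles IPv4 entries only.

```python
import ipaddress


def audit_local_subnets(interface_cidrs, local_subnets, routes):
    """Cross-check Local Subnets against interfaces and Routes.

    interface_cidrs: interface addresses with prefix, e.g. ["192.200.200.1/24"]
    local_subnets:   entries from the Local Subnets page, CIDR or netmask form
    routes:          (destination, gateway) pairs from the Routes page
    Returns a dict with two lists:
      missing_route    - local subnets neither on-link nor covered by a usable route
      gateway_off_link - routes whose gateway is not on any interface's segment
    """
    on_link = [ipaddress.ip_interface(c).network for c in interface_cidrs]

    usable, gateway_off_link = [], []
    for dest, gateway in routes:
        gw = ipaddress.ip_address(gateway)
        if any(gw in net for net in on_link):
            usable.append(ipaddress.ip_network(dest))
        else:
            # The device cannot reach this next hop, so the route does not help.
            gateway_off_link.append((dest, gateway))

    missing = []
    for entry in local_subnets:
        subnet = ipaddress.ip_network(entry)
        direct = any(subnet.subnet_of(net) for net in on_link)
        routed = any(subnet.subnet_of(dest) for dest in usable)
        if not (direct or routed):
            missing.append(str(subnet))
    return {"missing_route": missing, "gateway_off_link": gateway_off_link}


if __name__ == "__main__":
    # The two HQ subnets from the text; host and gateway addresses are constructed.
    interfaces = ["192.200.200.1/24"]
    subnets = ["192.200.200.0/24", "192.200.254.0/255.255.255.0"]
    print(audit_local_subnets(interfaces, subnets, []))
    print(audit_local_subnets(interfaces, subnets,
                              [("192.200.254.0/24", "192.200.200.254")]))
```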
Schedules
A schedule is a combination of time segments, which can be referenced by SSL VPN account settings, firewall
filter rules, user privilege settings and endpoint security rules. The date and time are based on the system time of
the Sangfor device.
To create a schedule, for example, named Office hours that consists of time segments 8:00-12:00 and
14:00-18:00, from Monday to Friday:
1. Navigate to System>Schedule, as shown in the figure below:
2. Click Add to add a new schedule, as shown below:
3. Enter the name into the Name field (in this scenario, it is Office hours). Description is optional.
4. Click and drag over the grids to select the desired time segment (8:00-12:00, from Monday to Friday). A
prompt dialog will display the exact time segment selected, as shown below:
5. Click the Select button to select the time segment, as shown below:
6. Go on to select the other time segment (14:00-18:00, from Monday to Friday) in the same way, as shown
below:
7. Click the Select button to select the time segment, as shown below:
8. Click Save to save the settings on this page. The newly-created schedule will show in the schedule list, as
shown below:
To deselect and remove a time segment from the schedule, perform the steps below:
1. Click on and drag over the green grids (selected time segments) to select the time segment that you want to
deselect. A prompt dialog will display the exact time segment selected, as shown below:
2. Click Deselect to deselect the time segment that has turned to light blue (while green grid indicates that the
time segments are selected and white grid indicates that the time segments are unselected).
3. In case that the selected time segment (in green) and the desired time segment (in light blue) overlap, as shown
below:
To select this part, click the Select button, and the grids in light blue (including the overlapped part) will
turn to green, being selected, as shown below:
Or click Deselect, and the grids in light blue (including the overlapped part) will turn to white, being removed,
as shown below:
Administrator
Through the administrator management feature, the super administrator of the Sangfor device can create administrators for
others to maintain the SSL VPN server.
An administrator can be put into a certain group and so be granted restricted administrative privileges. The
Administrator Management page is shown in the figure below:
The following are some contents included on the Administrator Management page:
Unfold All: Select the checkbox next to it and the subgroups and individual administrators of the selected
administrator group (in the left pane) will be seen on the right pane.
Edit, Delete: To edit or delete an administrator or administrator group, select that administrator or
administrator group and click Edit or Delete.
View Active Administrators: Click this link to view the administrators that are accessing the administrator
Web console currently.
Adding Administrator Group
1. Click Add>Admin group to enter Add/Edit Administrator Group page, as shown below:
2. Configure Basic Attributes and Administrative Privileges and Realms of the administrator group, as shown
below:
The following is the information of the administrator group:
Name: Specifies the username of the administrator group.
Description: Descriptive information of the administrator group.
Added To: Specifies the administrator group to which this administrator group will be added. This group
determines the administrative privileges and realms of this administrator group.
Administrative Privileges: Specifies the configuration modules that the administrator in this group
could maintain. Select the checkbox next to each module name and the administrators in this
administrator group will be authorized to configure that module.
Realms: Specifies the administrative realms (users, resources and roles) for the administrators in this
administrator group, as shown below:
3. Click the Save button to save the settings.
Adding Administrator
1. Click Add>Admin to enter Add/Edit Administrator page, as shown below:
2. Configure Basic Attributes and Login IP Address of the administrator, as shown below:
The following is the information of the administrator:
Name: Specifies the username of the administrator account that can be used to log in to the administrator
console of SSL VPN.
Description: Descriptive information of the administrator account.
Type: Specifies the account type. Options are Admin and Guest. Administrators of Admin type have the
specified administrative privileges to configure some modules through the administrator console; while
the administrators of Guest type only have read-only privilege to view the configurations of modules that
are specified for that administrator group.
Password, Confirm: Respectively specifies and confirms password of the account that is used by
administrator to log in to SSL VPN administrator console.
Added To: Specifies the administrator group to which this administrator account will be added. This
group determines the administrative privileges and realms of this administrator.
Login IP Address: Specifies the IP address from which this account can be used by the administrator to log
in to the SSL VPN administrator console.
4. Click the Save button to save the settings.
The administrative privilege of an administrator group will never be higher than its parent administrator group.
That is to say, administrators’ privilege of maintaining SSL VPN users, resources and roles is authorized by
the parent group and will not be more or higher than that.
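The inheritance rule above can be used to review an administrator design offline: a group's effective privileges and realms are its own selections clipped by every ancestor, and a Guest account is read-only within them. The following is an added example, not code from the Sangfor product; the dictionary layout, the group, account and module names are all constructed for illustration.

```python
FIELDS = ("privileges", "users", "resources", "roles")

# Constructed sample data: three nested administrator groups and two accounts.
GROUPS = {
    "Super": {"parent": None,
              "privileges": {"System", "Users", "Resources", "Roles", "Logs"},
              "users": {"hq", "branch-a"}, "resources": {"erp", "mail"},
              "roles": {"staff", "sales"}},
    "Branch": {"parent": "Super",
               "privileges": {"Users", "Resources"},
               "users": {"branch-a"}, "resources": {"mail"}, "roles": {"sales"}},
    "Helpdesk": {"parent": "Branch",
                 "privileges": {"Users", "Logs"},   # "Logs" exceeds the parent
                 "users": {"branch-a"}, "resources": set(), "roles": set()},
}
ADMINS = {
    "alice": {"group": "Branch", "type": "Admin"},
    "bob": {"group": "Helpdesk", "type": "Guest"},
}


def effective(groups, name, field):
    """A group's own selection for `field`, clipped by every ancestor group."""
    allowed, seen = None, set()
    while name is not None:
        if name in seen:
            raise ValueError(f"parent loop at group {name!r}")
        seen.add(name)
        own = set(groups[name][field])
        allowed = own if allowed is None else allowed & own
        name = groups[name].get("parent")
    return allowed


def audit_groups(groups):
    """List (group, field, excess items) where a group asks for more than its parent allows."""
    findings = []
    for name in sorted(groups):
        parent = groups[name].get("parent")
        if parent is None:
            continue
        for field in FIELDS:
            excess = set(groups[name][field]) - effective(groups, parent, field)
            if excess:
                findings.append((name, field, sorted(excess)))
    return findings


def can_view(groups, admins, admin, module):
    """Admin and Guest accounts can both view the modules of their group."""
    return module in effective(groups, admins[admin]["group"], "privileges")


def can_configure(groups, admins, admin, module):
    """Only Admin-type accounts may change a module; Guest is read-only."""
    return admins[admin]["type"] == "Admin" and can_view(groups, admins, admin, module)


if __name__ == "__main__":
    for finding in audit_groups(GROUPS):
        print("exceeds parent:", finding)
    print("bob configures Users:", can_configure(GROUPS, ADMINS, "bob", "Users"))
```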
SSL VPN Options
General Settings
The basic (SSL VPN related) settings under System>SSL VPN Options > General are global settings, including
user login options, client options, virtual IP address pool, Single Sign-On (SSO) and resource options.
Configuring User Login Options
1. Navigate to System>SSL VPN Options > General>Login, as shown in the figure below:
2. Configure the following fields under Login Port.
Login Port: Specifies the HTTPS and HTTP ports on which the SSL VPN service listens.
HTTPS Port: Specifies the HTTPS listening port. It is TCP 443 by default. Enter the port(s) into the
field (ports should be separated by comma) or click the Configure button.
HTTP Port: Select this option and enter the HTTP listening port. It is TCP 80 by default.
Do not modify the ports unless it is absolutely necessary. Once the port is altered, the new port number
should be entered at the end of the URL address when the endpoint user enters the address to connect to SSL
VPN.
If the checkbox next to HTTP Port is selected, user can use HTTP protocol to communicate with the
SSL VPN. Access to SSL VPN is achieved by redirecting HTTP to HTTPS, for instance,
http://202.96.137.75 is redirected to https://202.96.137.75. If HTTP Port is not selected and configured, user
can only use HTTPS protocol, in which case, he/she needs to visit https://202.96.137.75.
Prohibit PPTP/L2TP incoming connection: Disallows PPTP/L2TP connections.
Permit PPTP incoming connection: Allows phone users to access L3VPN resources.
Permit L2TP incoming: Set the shared key so that phone users can access L3VPN resources through L2TP VPN
from the system.
If the L2TP access service is enabled, SSL standard IPSec VPN device user access is turned off
automatically. Sangfor IPSec VPN access is not affected.
4. Configure the encryption protocol (data encryption algorithm).
SSL/TLS Algorithm:
RSA: International encryption algorithm.
SM2: Chinese encryption algorithm.
5. Configure Web Agent Settings. Select Enable Web Agent for dynamic IP support to enable this feature,
and the Sangfor device will be able to get an IP using Web Agent dynamic addressing if it is not using a static
Internet IP address. To add a Web agent entry:
a. Click Add to enter the Add Web Agent page, as shown below:
b. Enter the Web Agent address into the Address field and click the OK button.
c. To check connectivity of a Web Agent, select a Web Agent and click Test. If the address is correct, the
Sangfor device then can connect to this Web Agent; otherwise, connecting will fail, as shown in the
figure below:
Before the test begins, a certain ActiveX control may need to be installed (as shown below).
Click the Check ActiveX Status button to check whether ActiveX control has been installed. If not, click
the Install button and follow the instructions to install the ActiveX control.
d. To remove or edit a Web Agent entry, select the desired entry and click Delete or Edit.
e. To modify the password of a Web Agent, select the desired entry and click Modify PWD. Modifying the password
can prevent an unauthorized user from using and updating a false IP address into the Web Agent page.
f. To refresh the status of the Web Agent, click Refresh.
6. Configure Defense Against Man-in-the-Middle Attack option.
Select Enable defense against man-in-the-middle attack option and the user will be required to enter the
word verification code and be forced to install the related controls. This feature protects the transmitted data
from being altered or intercepted by unauthorized user.
7. Click the Save button to save the settings.
Configuring Client Related Options
Client related options are settings related to the SSL VPN Client software and end users’ access to SSL VPN at the
endpoint.
Navigate to System>SSL VPN Options>General>Client Options to configure client related options, as shown in
the figure below:
The following are the contents under SSL VPN Client Options:
Enable system tray: The system tray is a taskbar status area that shows the status of SSL VPN and allows it to be
configured on the client end. Select this option and the browser window can minimize to the system tray when the Resource page is
closed.
Put the cursor on the System Tray icon and the brief information of SSL VPN connection status is seen, as
shown in the figure below:
Right-click on the System Tray icon and the Floating Window appears, as shown below:
Password can be remembered: Select the checkbox next to this option and the SSL VPN Client will
remember the SSL VPN login account (username and password) the user entered if the user selects the option
Remember me when he/she uses the SSL VPN Client program to connect to SSL VPN (for more details, refer to the
Client in Chapter 3), as shown in the figure below:
Allow automatic login: Select this option to allow connecting users to use automatic login feature when they
connect to SSL VPN (for more details, refer to the Client in Chapter 3), as shown below:
Allow begin online: Once disconnected, the client attempts to reconnect again and again; suitable for endpoints
watched by no one.
Auto install TCP and L3VPN components: Select the checkbox next to this option and the components
related to TCP application and L3VPN will be enabled and installed when users log in to the SSL VPN.
Otherwise, the users need to manually install the components if they want to access TCP or L3VPN
resources when logging in to SSL VPN for the first time.
To have the detailed addresses of TCP applications and L3VPNs seen by users after they log in to the SSL
VPN, select the checkbox next to Show host address for TCP/L3VPN resource.
Display resource the moment user logs in using SSL VPN Client
Install Client Software Installer when required: Specifies how the components are installed on
the client side if the endpoint has not installed the required components. Options are Automatically and
Manually.
Automatically: Indicates that the components will be distributed and installed automatically on the client side,
assuming that the user applies hardware ID based authentication or goes through pre-authentication security
check prior to access to SSL VPN. For details about hardware ID based authentication and pre-authentication
security check, refer to the Authentication section and Settings section in Chapter 4 respectively.
Manually: Indicates that the user will be prompted to install the components if user applies hardware ID
based authentication or pre-authentication security check (which is conducted before login). The user decides
whether or not to install the related components.
If Client Software Installer is not installed, or user fails to pass user-level endpoint security check: If
hardware ID based authentication is applied and user fails to pass the pre-authentication security check, he/she
may be prohibited from logging in or allowed to log in but can only access the Web resources. What
happens to the user depends on the option selected, Disallow user to login or Allow user to login but access Web
resources only.
Change JRE Location: Click this link and enter the addresses into the fields Windows Platform and Linux
Platform respectively. Connecting users can download the JRE installation package and log in to SSL VPN
when they use a non-IE browser. The Change JRE Location page is as shown in the figure below:
Client on Windows PC: Specifies the shortcut icon of System Tray that appears on the taskbar; an icon
can be uploaded, as shown in the figure below:
Client on Mobile Device: Applies to remote access from devices such as mobile phones and iPads, as shown in the figure below:
The functionalities provided by floating window and system tray are the same.
If Enable system tray is not selected but connecting user can access any TCP and/or L3VPN resource,
the connecting user can still use the floating window after login to SSL VPN.
If Enable system tray is not selected and connecting users can only access Web resource, the floating
window will not be available to the connecting user.
32-bit Mac OS only supports the floating window and does not support the system tray.
The floating window and system tray are attachments of SSL VPN Client. If the Client Software Installer
is not installed, both floating window and system tray are not available.
The following are the menus included on the floating window:
Connection: Click it to view the real-time SSL VPN connection status, IP address, current connecting
user, online duration, virtual IP address, overall traffic and speed, as shown in the figure below:
Optimization Effect: Click it to view the optimization effect.
History Message: Click it to view the message(s) received.
Resource Path: Click it to view the mapping between resource and application path.
Proxy Options: Click it to configure whether to use IE proxy settings, as shown below:
Remote Application Options: Click it to view the options related to remote application. This menu is
only available when there is Remote Application resource accessible to the connecting user.
Private Directory: Click it to view and access the private directory assigned to the connecting user. This
menu is only available when there is remote storage server providing remote application resource and a
private directory is accessible to the connecting user.
Public Directory: Click it to view and access the public directory assigned to the connecting user. This
menu is only available when there is remote storage server providing remote application resource
and a public directory is accessible to the connecting user.
Show Resource: Click it to enter the Resource page to view and access the available internal resources.
Exit: Click it to exit from the SSL VPN.
Personal Setup: Click it to set the personal information of the connecting user, as shown in the figure
below:
The following are the contents included on the User Account page:
Username: Name of the connecting user, not editable.
Password: Password of the connecting user.
Description: Descriptive information of this user.
Modify: Click it to modify the corresponding information.
The following are the contents included on the SSO Options page:
Resource Name: Name of the resource available to the connecting user.
SSO User Account: SSO user account that the connecting user can use to access a resource.
Edit: Select an entry and click Edit to modify the SSO user account of the corresponding resource.
The following are the contents included on the Login Options page:
Minimize Resource page after login: Indicates that the resource page will not show up after user
logs in to SSL VPN through the SSL VPN Client.
Automatic Login Options: The settings under it decide whether user can directly access the SSL
VPN by double-clicking the shortcut icon on the desktop. If enabled, the VPN URL, username and
passwords configured hereunder will be filled in automatically when user uses SSL VPN Client to
access SSL VPN.
VPN URL: Specifies the IP address or domain name of the SSL VPN that user is to access.
Username: Specifies the username of the account that user uses to access the SSL VPN.
Password: Specifies the password of the account that user uses to log in to the SSL VPN
automatically.
Confirm: Retype the password into this field. This password must be identical with the password
entered in Password field.
Auto log in to VPN on computer startup: With this option selected, the user will
automatically log in to the SSL VPN when the computer starts up, without entering username and
password manually.
Auto reconnect if connection drops: If this option is selected, the connecting user reconnects to
SSL VPN automatically once the connection is dropped.
Create Shortcut on Desktop: If this option is selected, a shortcut of SSL VPN Client program
named Start VPN will be created on desktop. This option, in association with the settings under Automatic Login Options, enables user to connect to SSL VPN when user double-clicks the
shortcut icon.
Scenario 3: Enabling Automatic Access Using SSL VPN Client
1. Navigate to Start>Programs>SSL VPN Client to start SSL VPN, as shown below:
The first time user accesses the SSL VPN through browser, SSL VPN Client is installed on the user’s PC
automatically.
2. Click SSL VPN Client to open the SSL VPN Client window, as shown below:
3. Enter the address of the SSL VPN, as shown below:
4. Click the Proxy Options button and decide whether to use IE proxy settings. To use IE HTTP proxy server to
connect TCP applications, select the option Use IE proxy settings and enter the username and password of the
proxy server, as shown in the figure below:
5. Click the Connect button to enter the login page. On the login page, there are three tabs, and the contents of
each tab vary with the authentication method.
For authentication based on username and password, select Account. The Account tab is as shown in the
figure below:
The following are the contents included on the Account tab:
Address: Address of the SSL VPN.
Modify: Click this button to modify the address of SSL VPN.
Username, Password: Enter the username and password of the SSL VPN account respectively.
Anonymous: If this option is selected, the user will use the default anonymous login account to access
the SSL VPN.
Remember me: If it is selected, the username and password will be automatically filled into the fields
when user uses SSL VPN Client to connect SSL VPN next time.
Auto login: If it is selected, the user will connect to SSL VPN directly the next time he/she starts SSL VPN.
This option works in association with the Remember me option.
Please note that word verification must not be enabled; otherwise, auto-login feature will not take effect.
For authentication based on certificate, select Certificate. The Certificate tab is as shown in the figure below:
The following are the contents included on the Certificate tab:
Address: Address of the SSL VPN.
Modify: Click this button to modify the address of SSL VPN.
Cert File: Browse and select the certificate used for SSL VPN access. This certificate should be the
certificate binding to the SSL VPN account.
Cert Pwd: Enter the password of the certificate file.
Anonymous: If this option is selected, the user will use the default anonymous login account to access
the SSL VPN.
Auto login: If it is selected, the user will connect to SSL VPN directly the next time he/she starts SSL VPN.
For authentication based on USB key, select USB Key. The USB Key tab is as shown below:
The following are the contents included on the USB Key tab:
Address: Address of the SSL VPN.
Modify: Click this button to modify the address of SSL VPN.
PIN: Enter PIN of the USB key after inserting the USB key into PC’s USB port.
Download USB Key Driver: For non driver-free USB key, connecting user needs to download and
install the USB key driver to have USB key based authentication method work.
Configuring Virtual IP Pool
Virtual IP addresses are assigned to users who are to access L3VPN, Web and TCP applications over SSL VPN.
Navigate to System>SSL VPN Options>General>Virtual IP Pool and the Virtual IP Pool page appears, as
shown in the figure below:
The following are the contents included on the Virtual IP Pool page:
IP Range: Range of IP addresses included in the virtual IP pool. The IP addresses should be rarely used IP
addresses, such as 2.0.1.1 - 2.0.1.254.
Assigned To: Indicates the user group whose users will be assigned IP addresses from this IP address pool.
Description: Description of the IP address pool.
Select: Click it and then click All or Deselect to select all the IP address pools or deselect all the selected
ones.
Delete, Edit: Select the desired IP range and click it to delete or edit the IP pool.
Add: Click it to create an IP address pool and enter Virtual IP Pool page, as shown below:
When configuration is completed, apply the settings by clicking the Apply button that appears after any change is
made.
The IP ranges should not cover the IP address of any network interface of the Sangfor device, or conflict with the IP
address of any running machine in the local area network.
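The overlap rule above can be checked before a pool is applied. The Python below is an added example, not part of the Sangfor manual or product: the function names and the interface addresses, LAN hosts and subnets are constructed sample values, and checking whole LAN subnets goes one step beyond the manual's per-machine rule.

```python
import ipaddress


def parse_range(text):
    """Parse an 'a.b.c.d - a.b.c.e' pool range into (first, last) addresses."""
    first_s, last_s = (part.strip() for part in text.split("-", 1))
    first = ipaddress.IPv4Address(first_s)
    last = ipaddress.IPv4Address(last_s)
    if first > last:
        raise ValueError(f"range start is above range end: {text!r}")
    return first, last


def check_pool(pool, device_ips, lan_hosts=(), lan_subnets=()):
    """Return (kind, value) findings for a proposed virtual IP pool.

    device_ips  : addresses of the appliance's own network interfaces
    lan_hosts   : addresses of machines known to be running in the LAN
    lan_subnets : CIDR blocks in use in the LAN (conservative extra check)
    An empty list means no conflict was found in the supplied inventory.
    """
    first, last = parse_range(pool)
    findings = []
    for ip in map(ipaddress.IPv4Address, device_ips):
        if first <= ip <= last:
            findings.append(("device-interface", str(ip)))
    for ip in map(ipaddress.IPv4Address, lan_hosts):
        if first <= ip <= last:
            findings.append(("lan-host", str(ip)))
    # A start-end range is not always a single CIDR block, so split it first.
    pool_blocks = list(ipaddress.summarize_address_range(first, last))
    for subnet in map(ipaddress.IPv4Network, lan_subnets):
        if any(block.overlaps(subnet) for block in pool_blocks):
            findings.append(("lan-subnet", str(subnet)))
    return findings


# Constructed sample inventory (not from the manual).
DEVICE_IPS = ["192.168.1.254", "10.10.10.1"]
LAN_HOSTS = ["192.168.1.20", "192.168.1.210"]
LAN_SUBNETS = ["192.168.1.0/24", "10.10.10.0/24"]

if __name__ == "__main__":
    # The first range is the manual's own example; the second is a
    # constructed range that collides with the sample inventory.
    for pool in ("2.0.1.1 - 2.0.1.254", "192.168.1.200 - 192.168.1.254"):
        print(pool, check_pool(pool, DEVICE_IPS, LAN_HOSTS, LAN_SUBNETS))
```
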
Configuring Local DNS Server
In an enterprise network, some internal resources are accessible only to users who request them by domain name. A
local DNS server serves this case by providing domain name resolving services when users request resources by
domain name.
The same applies to this kind of resource access over SSL VPN. If this type of resource exists in the local area
network, local DNS servers can provide domain name resolving services to the connecting users.
1. Navigate to System>SSL VPN Options>General>Local DNS to enter the Local DNS page, as shown in the
figure below:
2. Configure the following under Local DNS:
Primary DNS: This is the primary local DNS server that is preferred to resolve domain names.
Alternate DNS: This is the secondary local DNS server that is used to resolve domain names when the
primary DNS is unavailable.
If there is only one local DNS server, enter the server address into the Primary DNS field.
3. Configure the Client PC uses the above DNS servers option.
With this option selected, the addresses of the primary and secondary local DNS servers will be distributed to the
network adapter of the SSL VPN client end. The reason to prefer using the local DNS servers is to avoid
conflict when the domain controller also works as a local DNS server but the local DNS server needs to be
authenticated by the domain controller after the user connects to SSL VPN.
If this option is not selected and many application resources use domain names as their addresses, the
administrator needs to specify the local DNS servers and then add the address (in the form of a domain name) of
each resource to the list that follows. Later on, once a user accesses any of these resources by domain name, the
local DNS server will resolve the requested domain name first, according to the local DNS server and domain
names configured on this tab.
4. Configure Local Domain Name of Resource. This table is available when the Client PC uses the above DNS servers option is not selected.
To select all entries or deselect the selected entries, click Select>All or Deselect.
To delete or edit a domain name, select the domain name and click Delete or Edit.
To add an entry, click Add and enter the domain name of a resource, as shown below:
Make sure that the address is in form of IP address when configuring the address of the resource (refer to the
Resource section in Chapter 4).
5. Click the Save button and Apply button to save and apply the settings.
Once the local DNS server is configured and domain name of resources are added, the configuration will work
and provide DNS service to the connecting users who request for the resource by domain name.
Beyond local DNS, the internal HOSTS file will also help to resolve the matching domain name and return the
resolving result to user (refer to the Configuring Host Mapping Rule (HOSTS) section in Chapter 3).
If the addresses of some resources are domain names and there is a specific DNS server in the local area
network providing domain name resolving services, the domain names of those resources are recommended to
be added to the list. That will have the DNS requests handled preferentially by the local DNS server.
In other cases, do not add any domain name into the list.
Domain supports wildcards * and ?. * indicates any character string, while ? indicates any character. For
example, *.com stands for any domain name ending with .com. b?s.SANGFOR.com indicates that the
second character of that domain name can be any character, such as bbs.SANGFOR.com.
A maximum of 100 entries is supported.
Configuring SSO Options
SSO (Single Sign-On) is a one-off authentication method. It means that once a user successfully logs in to the SSL
VPN and is authorized the right to access certain resource, system or application software, that user does not need
to enter the required usernames and passwords ever after when accessing that resource, system or application
software over the SSL VPN. That is because the system will automatically fill in the usernames and passwords for
that user every time.
1. Navigate to System>SSL VPN Options>General>SSO and the SSO page appears, as shown below:
2. Configure the fields under SSO and Upload SSO Configuration File.
SSO: To enable user to access the corporate resources over SSL VPN without entering
username/password, select the option Enabled; or else, select Disabled to disable SSO.
Download SSO Assistant: Click this link to download the SSO Assistant program. This assistant will
help the administrator to record the SSO file if user uses the login method Auto fill in form (specified on
the SSO tab when creating the resource) to access the SSL VPN resources.
Download SSL Config File: Click this link to download the configuration file of SSO. This file should
be downloaded after the SSO page has been configured. The SSO information of a user can be recorded
into the downloaded configuration file, with the help of SSO Assistant.
Upload SSO Configuration File: It is used to upload the SSO configuration file into the Sangfor device.
Browse and upload the configuration file (containing the recorded SSO information) to the device.
Allow user to modify SSO user account: To allow user to modify the SSO user account (username and
password) after successful access to SSL VPN, select this option.
Then connecting users can modify the SSO user account by performing the steps below:
a. Log in to the SSL VPN and enter the Resource page, as shown below:
b. Click Settings to enter Personal Setup page and select SSO Options in the left pane. The right pane
shows the SSO resources and user accounts, as shown below:
c. Click Edit to edit the SSO user account, as shown below:
d. Enter the new username and password into Username, Password and Confirm fields.
e. Click Save to save the changes.
Only one type of users can configure SSO page on the Resource page, that is, the private users who have
associated with the resources that have applied SSO.
3. Configure Web SSO Options.
There are three tabs under Web SSO Options, namely, Web SSO Encryption, Basic SSO and NTLM SSO.
Web Encryption: Configures the options applied to some B/S applications. To add security to SSO to
internal resources, the transmitted data (username or password) is best encrypted first when it is
submitted from the client side and then decrypted by the server using the corresponding algorithm. To
achieve that, configure the correct JavaScript function on this tab.
Basic SSO: Configures the Basic SSO policy. The policies could be referenced as SSO policy when
administrator configures SSO options of a Web resource and chooses Basic SSO as the Login Method.
NTLM SSO: Configures the NTLM SSO policy. The policies could be referenced as SSO policy when
administrator configures SSO options of a Web resource and chooses NTLM SSO as the Login Method.
4. Click the Save button and Apply button to save and apply the settings.
Configuring Resource Options
Resource options include access mode for each application (Web, TCP and L3VPNs) and allow administrator to
customize access-denied prompt page to inform user of the access failure.
Web App Resource Options
Navigate to System>SSL VPN Options>General>Resource Options>Web App to configure the parameters
related to Web resource access and object rewriting rules, as shown in the figure below:
The following are the contents included on the Resource Options page:
Access Mode: This determines the source IP address that connecting users will use to access the server
resources. The source IP address could be the interface IP address of the Sangfor device or an assigned virtual
IP address (to configure virtual IP address, refer to the Configuring Virtual IP section in Chapter 3).
To have the connecting users take the IP address of the Sangfor device as the source address to visit the server
resources, select Take device IP address as source.
To have the connecting users take the assigned virtual IP address as the source to visit the server resources,
select Take virtual IP address as source (to configure virtual IP address, refer to the Configuring Virtual IP
section in Chapter 3).
Add Rule: Add a rule so that the paths of resources cited by controls (Flash, Java, Applet, video players)
of the Web application are rewritten and these resources can be accessed. Click Add Rule and the Add Rule page appears, as shown below:
The following are the contents included on Add Rule page:
HTML Tag: Specifies the HTML tag used for rewriting webpage objects. Options are Object, Applet
and Embed.
Object Identifier: Specifies the identifier (name) of this rule.
Description: Brief description of this rule.
Tag Param: Specifies the parameters in the code that should be rewritten to revise the webpage.
Object Property: Specifies the object properties in the code that should be rewritten to revise the
webpage.
Object Method: Specifies the object method in the code that should be rewritten to revise the webpage.
Query String (<Embed>): Specifies the query strings in the code that should be rewritten to revise the
webpage.
Delete, Edit: Select a rule and click Delete or Edit to remove or modify an entry.
Select: Click Select>All or Deselect to select all rules or deselect the selected rules.
Save: Click this button to save the settings.
TCP App Resource Options
Navigate to System>SSL VPN Option>System>Resource Options>TCP App to configure the parameters related
to TCP resource access and smart recursion feature, as shown below:
The following are the contents included on TCP App tab:
Access Mode: Specifies the source IP address that connecting users will use to access the server resources,
whether it is the interface IP address of the Sangfor device or an assigned virtual IP address (to configure
virtual IP address, refer to the Configuring Virtual IP section in Chapter 3).
To have the connecting users take the IP address of the Sangfor device as the source address to visit the server
resources, select Take device IP address as source.
To have the connecting users take the assigned virtual IP address as the source address to visit the server
resources, select Take virtual IP address as source (to configure virtual IP address, refer to the Configuring
Virtual IP section in Chapter 3).
Max Sessions Per User: Specifies the maximum number of sessions that one user can establish to access TCP resources
concurrently.
Enable: Select this option to enable smart recursion feature for access to TCP resources.
Please note that, to have smart recursion feature take effect, Enable option should be selected, and option
Apply smart recursion on Others tab should also be selected when editing the TCP resource.
Applicable Address: The addresses to which the smart recursion feature will apply. If The addresses below
is selected, smart recursion will apply to all the URL addresses in the list; if Other addresses rather than the ones below is selected, smart recursion will apply to all other URL addresses except those in the list.
To add a URL address, click Add. The Add Address page is as shown below:
To remove or modify the rule, select a rule and click Delete or Edit.
To select all rules or deselect the selected rules, click Select>All or Deselect.
Save: Click this button to save the settings.
Background Knowledge: What is Smart Recursion?
It is common that on the homepage of some websites there are many links. If a user wants to visit those links and
therefore access the corresponding servers over the SSL VPN, the addresses of those servers must be available on
Resource page; otherwise, those server resources will be inaccessible to the user.
However, it is an immense and tedious task for the administrator to add all those addresses one by one into
the resource address list by hand when editing a resource, and most likely, some of the addresses may be left
outside the list. Without a complete list of link resources, connecting user still cannot visit some resources.
Smart recursion functionality is intended for solving the aforementioned troubles. With the help of smart recursion,
the administrator only needs to:
1. Navigate to SSL VPN>Resources>Resource Management page to add a TCP resource. Add the homepage
address of a website to the Address field, and select the option Apply smart recursion on Others tab.
2. Navigate to System>SSL VPN Options>General>Resource Options>Others. Select The addresses below as the applicable addresses and add the URL addresses of the links to the list.
Without taking the links as TCP resources and adding their URL addresses to the resource address list, all the link
resources on that homepage will be available for connecting users.
Scenario 4: Configuring and Applying Smart Recursion
Background:
The homepage of a library website is www.library.com. The website contains a great many links to other servers
and databases.
Purpose:
Enable users to remotely and securely access the homepage of the library and the links to other servers and
databases.
Analysis and Solution:
To meet the requirements, first create a TCP resource (the address of the resource is the homepage of the library,
www.library.com) and enable smart recursion; then configure smart recursion on the Resource Options page.
Below is the configuration procedure:
1. Navigate to SSL VPN>Resources, and click Add>TCP app to add the TCP resource of library homepage.
2. Configure the required fields and add library homepage (www.library.com) into the textbox next to the Address field.
3. Click Others tab and select the option Apply smart recursion.
4. Navigate to System>SSL VPN Options>General>Resource Options>TCP App and select Enable.
5. Specify the applicable addresses by selecting The addresses below.
6. Add the URL address of the library website into the list (*.library.*). If the library homepage contains other URL
links, add them into this list.
7. Click Save to save the settings and then click the Apply button on the next page.
8. Edit the user and associate this library resource with the user.
Currently, smart recursion is applied only to TCP-supported HTTP and HTTPS.
While user is visiting the resource that applies smart recursion, to access the links, he/she must click on the
links on the “root” resource page; however, if the “root” resource page is closed, he/she can still click the
links on the “links” page.
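The wildcard rules described for the Local Domain Name of Resource list (* and ?) and the *.library.* entry used in Scenario 4 can be reviewed for scope before they are applied. The Python below is an added example, not code from the manual or the Sangfor product; it assumes case-insensitive matching, that * may span dots, and that the smart recursion list uses the same wildcard semantics as the DNS list, and every name other than those quoted from the manual is constructed.

```python
import re

MAX_ENTRIES = 100  # entry limit stated in the manual for the domain list


def rule_to_regex(rule):
    """Translate a rule using * (any string) and ? (one character) to a regex."""
    parts = []
    for ch in rule.rstrip("."):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: matching ignores case, as DNS names do.
    return re.compile("".join(parts), re.IGNORECASE)


def matches(rule, name):
    """True if the whole name is covered by the rule."""
    return rule_to_regex(rule).fullmatch(name.rstrip(".")) is not None


def fixed_suffix_labels(rule):
    """Count trailing labels that contain no wildcard.

    '*.com' -> 1, 'b?s.SANGFOR.com' -> 2, '*.library.*' -> 0
    """
    count = 0
    for label in reversed(rule.rstrip(".").split(".")):
        if "*" in label or "?" in label:
            break
        count += 1
    return count


def audit(rules, internal_names, outside_names):
    """Review a rule list against names that should and should not match.

    broad_rules is a heuristic (fewer than two fixed trailing labels); it
    does not know about multi-label public suffixes.
    """
    outside_matched = {}
    for name in outside_names:
        hits = [r for r in rules if matches(r, name)]
        if hits:
            outside_matched[name] = hits
    return {
        "over_limit": len(rules) > MAX_ENTRIES,
        "broad_rules": [r for r in rules if fixed_suffix_labels(r) < 2],
        "uncovered_internal": [
            n for n in internal_names if not any(matches(r, n) for r in rules)
        ],
        "outside_matched": outside_matched,
    }


# Rules quoted from the manual; the name lists are constructed samples.
RULES = ["*.com", "b?s.SANGFOR.com", "*.library.*"]
INTERNAL = ["bbs.sangfor.com", "oa.corp.example"]
OUTSIDE = ["www.example.com", "docs.library.example.net", "www.example.org"]

if __name__ == "__main__":
    for key, value in audit(RULES, INTERNAL, OUTSIDE).items():
        print(key, value)
```

A rule reported under broad_rules also covers names outside the organization's own domains, so a narrower pattern with a fixed domain suffix keeps the list limited to the intended resources.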
L3VPN Resource Options
Navigate to System>SSL VPN Option>System>Resource Options>L3VPN to configure the parameters related to
L3VPN resource, as shown in the figure below:
The following are the contents included on L3VPN tab:
Access Mode: Specifies the source IP address that connecting users will use to access the server resources,
whether it is the interface IP address of the Sangfor device or an assigned virtual IP address (refer to the
Configuring Virtual IP section in Chapter 3).
To have the connecting user take the IP address of the Sangfor device as the source address to visit the server
resources, select Take device IP address as source.
To have the connecting user take the assigned IP address as the source address to visit the server resources,
select Take virtual IP address as source (refer to the Configuring Virtual IP section in Chapter 3).
Transfer Protocol: Specifies the transfer protocol used while L3VPN resource is accessed.
Select TCP and only TCP will be used to transfer data while user is using L3VPN resources; select Auto select and UDP may be started to transfer data.
UDP Port: Indicates the UDP port used for transferring data. It is 442 by default. If the Sangfor
device is in Single-arm mode, this port should be mapped from the front-end firewall to the Sangfor device.
Advanced: Click this button and the optional advanced options appear, Max Concurrent Users and IP of Local
Virtual NIC. The latter specifies the server-end IP address range to which the virtual NIC is applied.
Changing advanced options may severely affect the performance of the system, therefore, it is recommended to
adopt the defaults.
Other Resource Options
Navigate to System>SSL VPN Option>System>Resource Options>Others tab. This tab configures the
access-denied prompt page that will appear in front of the users when they visit an unauthorized URL address
(resource), as shown in the figure below:
The following are the contents included on Others tab:
Page File: For users accessing unauthorized URL of Web application resource, upload a prompt page through
Page File field. When any user accesses an unauthorized URL, he/she will be notified that access is denied.
For the users accessing unauthorized URL address of TCP or L3VPN resource, enter the words into the text
box to inform user that access is denied because they are visiting unauthorized page.
The compressed file should be in format of .zip, smaller than 1M and contain the file warrant_forbidden.tml.
Unauthorized or authorized URL addresses are configured on URL Access Control tab while editing a
Web/TCP/L3VPN resource (refer to the Resource section in Chapter 4).
Network Optimization Related Settings
Navigate to System>SSL VPN Options>Network Optimization and four pages are seen, namely, Application
Access, Data Transfer, Webpage Access and Web Cache, which configure the optimization options in terms of
data transfer, webpage access and Web cache.
Application Access
Navigate to System>SSL VPN Options>Network Optimization to enter the page, as shown below:
Loss Compression Options – When enabled, images displayed by remote applications are compressed according to
the configured quality level to improve transmission efficiency.
Image Cache Options – When enabled, remote applications cache images to improve refresh when
scrolling images.
Dynamic Image Filter – For remote applications, FLASH animation motion pictures are filtered in order to save
bandwidth and improve application access speed.
Data Transfer Optimization
The Data Transfer page is as shown below:
The following are the contents included on Data Transfer page:
Enable HTP: Select this option if the client end is in a wireless network or in poor network environment.
HTP is the short name of High-Speed Transfer Protocol, which can optimize data transfer over the involved
networks.
At the client end, after user logs in to SSL VPN, he/she needs to enable HTP on Optimization page.
Advanced: Click this button to enter the HTP Advanced Settings page, as shown below:
Startup Mode indicates the way that HTP is to start up, automatically or manually.
If Manual is selected, HTP needs to be started by hand. If Automatic is selected, HTP will start up
automatically according to the network state (good, wireless or poor) of the endpoint detected by SSL VPN client
software when users connect to SSL VPN.
Network state detection is based on two conditions: a) packet loss rate is at or over 7%; b) packet loss rate is at or over _ % and latency is at or over _ ms. Either condition may trigger startup of HTP. Generally,
defaults are recommended to be adopted.
Enable HTP option only takes effect when users access TCP resources over SSL VPN via IE browser (other
kinds of browsers are not supported).
Applying HTP needs the support of UDP port 443. If the Sangfor device is deployed in Single-arm mode, do
remember to configure the front-end firewall to map this UDP port to the Sangfor device.
One-Way Acceleration: Select this option to optimize the transfer rate in high-latency and high-packet-loss
networks.
Enable Byte Cache: Select this option so that redundant data will be compressed and that data transmission
time and bandwidth consumption could be minimized.
Compression Options: Select Enable compression for Web application and/or Enable compression for
TCP application accordingly. The former means data related to Web applications will be compressed, while the
latter means data related to TCP applications will be compressed.
Advanced: Click this button to specify the compression algorithm for TCP application access, LZO or
GZIP/ZLIB, as shown in the figure below:
Webpage Access Optimization
This kind of optimization utilizes system resources of the Sangfor device to handle images and therefore reduce
data stream from/to public networks. It is an ideal feature for users who are using a PDA (Personal Digital
Assistant) to access SSL VPN or whose computer is in a poor network. This feature should not be enabled for
users in good network environment.
Navigate to System>SSL VPN Options>General>Network Optimization>Webpage Access and the Webpage Access page is as shown in the figure below:
The following are the contents included on Webpage Access page:
Enable webpage access optimization: It is a global switch for webpage access optimization. Select this
option and webpage access optimization feature will be enabled.
To optimize access to webpages, set the image size limit, that is, configure Images smaller than _ KB and or
larger than _ KB.
Enable image display: Uncheck this option to disable image display and therefore enhance the access speed.
Enable image display only applies to the images with any of the following extensions: .jpg, .png and .gif.
Enable image display achieves the opposite optimization effect, compared with the effect that Adjust
image quality achieves.
Reduce image size: Select it and then select Dynamically or To certain size _% of the original image to
reduce the image size and data. This feature applies to the images with any of the following
extensions: .jpg, .png and .gif.
Dynamically indicates that the system will dynamically adjust the image size in accordance with the original
size.
To certain size, _ % of the original image indicates that image will shrink based on the original image and
the proportion configured.
Adjust image quality: This option leads to quality deterioration of image (jpg image supported only), though
it helps to reduce the image data. Four options are available, namely, Smartly blurred, Slightly blurred, Blurred and Heavily blurred. This feature applies to .jpg images only.
Advanced: Click this button and the Webpage Access Optimization Advanced Settings page appears, as
shown in the figure below:
Restrictions: Indicates the thresholds determining when webpage access optimization functionality will
start up. These thresholds could minimize the impact that webpage access optimization poses on the
running and performance of other modules. The restrictions include those on system memory usage and
CPU usage. Each threshold has a default. To use the defaults, select the option Adopt Defaults.
In no case will any of the thresholds be disabled.
Network Environment Support: This part specifies the types of services and client-end network
environment (PDA, PC client, Web app access and/or TCP app access) that can support webpage access
optimization.
Applicable Address of Webpage Access Optimization: Configure the URL addresses to have the access to
them optimized or not optimized.