Sangfor vSSL VPN Quick Guide
May 2020

Table of Contents

Table of Contents . 1
Declaration . 4
Chapter 1 Install vSSL VPN VM . 5
  Prepare Virtual Machine . 5
  Install Image for Virtual Machine . 5
  Initialize Network . 6
Chapter 2 Login to Admin Console . 8
  Logging in to Admin Console . 8
  Modifying Administrator Password . 8
Chapter 3 System and Network Settings . 10
  System Settings . 11
    Configuring License . 11
    Upgrade License: The license is used to update the current SANGFOR SSL VPN system with Sangfor Firmware Updater 6.0 (for more details, refer to Appendix A: End Users Accessing SSL VPN . 12
    Required Environment . 12
    Configuring Browser and Accessing SSL VPN . 12
      Configuring Browser . 12
      Using Account to Log In to SSL VPN . 16
      Using USB Key to Log In to SSL VPN . 18
      Using VPN Client to Log In SSL VPN . 19
  Network Settings . 26
    Device Deployment . 26
    Configuring Route . 31
  SSL VPN Options . 33
    General Settings . 33
      Configuring User Login Options . 33
      Configuring Local DNS Server . 36
Chapter 4 SSL VPN . 40
  SSL VPN Users . 40
    Adding User Group . 41
    Adding User . 47
    Searching for Users . 53
    Managing Hardware IDs . 55
    Importing User to Device . 57
      Importing Users from File . 58
      Importing Users from LDAP Server . 60
    Moving Users to Another Group . 62
    Exporting Users . 63
    Associating Roles with User . 64
  Resources . 66
    Adding/Editing Resource Group . 67
    Adding/Editing Web Application . 68
    Adding/Editing TCP Application . 75
    Adding/Editing L3VPN . 81
    Adding/Editing Remote Application . 85
  Roles . 89
    Adding Role . 90
  Authentication Options . 93
    Primary Authentication Methods . 94
      Local Password Based Authentication . 94
      LDAP Authentication . 95
        Configuring LDAP Server . 95
      RADIUS Authentication . 103
        Configuring RADIUS Server . 103
      Certificate/USB Key Based Authentication . 106
        Configuring Local CA . 107
        Configuring External CA . 109
        Configuring USB Key Model . 114
      Client-Side Domain SSO . 115
    Secondary Authentication Methods . 117
      SMS Authentication . 117
        Using SMS Gateway of ISP to Send SMS Message . 119
        Using Webservice Based SMS Platform to Send SMS Message . 119
        Using Jasson MAS to Send SMS Message . 120
      Hardware ID Based Authentication . 121
      Dynamic Token Based Authentication . 122
    Other Authentication Options . 123
      Priority of LDAP and RADIUS Servers . 123
      Password Security Options . 124
      Anonymous Login . 125
  Policy Sets . 128
    Adding Policy Set . 129
  Remote Servers . 139
    Adding Remote Application Server . 141
    Adding Remote Storage Server . 144
Chapter 5 System Maintenance . 149
  Backing Up/Restoring Configurations . 149
  Restarting/Shutting Down Device or Services . 150
Chapter 6 Scenarios . 153
  Device Deployment . 153
    Deploying Device in Gateway Mode with Single Line . 153
    Deploying Device in Gateway Mode with Multiple Lines . 156
    Deploying Device in Single-Arm Mode With Single Line . 160
    Deploying Device in Single-Arm Mode With Multiple Lines . 162
  Configuring System Route . 165
  Adding User . 167
    Adding User Logging in with Local Password . 167
    Adding User Logging in with Certificate . 167
  Configuring VPN Resource . 169
    Adding Web Application . 169
      Masquerading Resource Address . 172
      Adding FileShare Type of Web Application . 173
      Adding Web Application Enabling Site Mapping . 176
    Configuring TCP Application . 179
      Configuring URL Access Control Feature . 181
    Adding L3VPN Application . 182
    Adding Remote Application . 184
  Configuring Authentication with External CA . 193
    Using External CA Root Certificate to Generate Device Certificate . 193
    Mapping User to Local Group Based on External Certificate . 196
  Configuring Resource Enabling SSO . 198
    Adding TCP Application Enabling SSO . 198
    Adding Remote Application Enabling SSO . 202
  Mobile Users Accessing SSL VPN . 219
  Configuring Firewall Rule . 224
    Adding SNAT Rule . 224
    Adding DNAT Rule . 226
  Typical Case Study . 228
    Required Environment . 228
    Configuring Sangfor Device . 228
Appendix A: End Users Accessing SSL VPN . 234
  Required Environment . 234
  Configuring Browser and Accessing SSL VPN . 234
    Configuring Browser . 234
    Using Account to Log In to SSL VPN . 238
    Using USB Key to Log In to SSL VPN . 240
    Using VPN Client to Log In SSL VPN . 241

SANGFOR vSSL VPN User Manual

Declaration

Copyright 2016 Sangfor Inc. All rights reserved.

No part of the contents of this document shall be extracted, reproduced or transmitted in any form or by any means without prior written permission of SANGFOR.

SINFOR, SANGFOR and the Sangfor logo are the trademarks or registered trademarks of Sangfor Inc. All other trademarks used or mentioned herein belong to their respective owners.

This manual shall only be used as a usage guide, and no statement, information, or suggestion in it shall be considered as an implied or express warranty of any kind, unless otherwise stated. This manual is subject to change without notice. To obtain the latest version of this manual, please contact the Customer Service of Sangfor.

Chapter 1 Install vSSL VPN VM

This chapter introduces how to install the vSSL VPN VM in a public cloud.

Prepare Virtual Machine

Resource Requirements        SSL Encryption Throughput   Concurrent Users
2 CPU, 2G RAM, 64G Disk      200M                        500
2 CPU, 4G RAM, 64G Disk      300M                        1000
4 CPU, 4G RAM, 64G Disk      350M                        2000
4 CPU, 8G RAM, 64G Disk      540M                        5000
8 CPU, 8G RAM, 64G Disk      580M                        10000
8 CPU, 16G RAM, 64G Disk     640M                        20000

Install Image for Virtual Machine

Method 1: Search "sangfor" in the marketplace and select the Sangfor vSSL VPN Image.

Method 2: Request the image from Sangfor and install it from a private image or a shared image.

Initialize Network

Start the vSSL VPN virtual machine and log in remotely from the public cloud console.

1. Set the intranet IP for vSSL VPN: by default, vSSL VPN obtains an IP address from the DHCP server automatically, and the current network settings can be displayed. The network settings can also be modified with the Network Setup Wizard.
2. Associate an EIP with the vSSL VPN intranet IP, or create a DNAT policy in the VPC NAT Gateway.
3. Set the Security Group in the VPC.

vSSL VPN Default Service Ports:

Port        Function                                              Mandatory or not   Modifiable or not
TCP 80      Path selection in multi-line network environment      No                 Support
TCP 443     User access                                           Yes                Support
TCP 4430    Management port for Administrator                     No                 Support
TCP 51111   Firmware upgrades port                                No                 N/A
TCP 22      Shell port only for Sangfor engineer troubleshooting  No                 N/A
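The security-group step above is where the port table matters: only TCP 443 (user access) needs to be reachable from arbitrary Internet sources, while the management port 4430, the firmware port 51111 and the engineer shell port 22 should be restricted. The following audit script is an added example and not Sangfor code; it encodes the port table from the guide and checks a set of inbound rules against it. The Rule shape, the trusted admin range ADMIN_CIDR and the sample rules are constructed for illustration (real cloud providers expose their own security-group schemas).

```python
"""Audit inbound security-group rules for a vSSL VPN VM against the guide's
default service-port table.  Added example (not Sangfor code): the Rule shape,
the trusted admin range and the sample rules below are constructed for
illustration; real providers expose their own rule schemas."""
import ipaddress
from dataclasses import dataclass

# Default service ports as listed in the guide: port -> (function, mandatory)
VSSL_PORTS = {
    80:    ("Path selection in multi-line network environment", False),
    443:   ("User access", True),
    4430:  ("Management port for Administrator", False),
    51111: ("Firmware upgrades port", False),
    22:    ("Shell port only for Sangfor engineer troubleshooting", False),
}

# Only the user-access port needs to be reachable from arbitrary Internet sources.
PUBLIC_OK = {443}


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule (constructed, provider-neutral shape)."""
    proto: str        # "tcp" or "udp"
    port_from: int
    port_to: int
    source: str       # source CIDR, e.g. "0.0.0.0/0" or "203.0.113.0/24"


def is_world_open(cidr: str) -> bool:
    """True when the source range is the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules, admin_cidr):
    """Return (severity, port, message) findings for the given rules.

    admin_cidr is the trusted range allowed to reach the 4430 console; it is an
    assumption of this example, substitute your own management network."""
    admin_net = ipaddress.ip_network(admin_cidr, strict=False)
    findings = []
    allowed = set()  # documented ports reachable from at least one source
    for r in rules:
        if r.proto.lower() != "tcp":
            continue  # every documented vSSL VPN port is TCP
        src = ipaddress.ip_network(r.source, strict=False)
        inside_admin = src.version == admin_net.version and src.subnet_of(admin_net)
        for port, (func, _) in VSSL_PORTS.items():
            if not (r.port_from <= port <= r.port_to):
                continue
            allowed.add(port)
            if port in PUBLIC_OK:
                continue
            if is_world_open(r.source):
                findings.append(("HIGH", port, f"{func} (TCP {port}) open to {r.source}"))
            elif port == 4430 and not inside_admin:
                findings.append(("MEDIUM", port,
                                 f"{func} (TCP {port}) reachable from {r.source}, "
                                 f"outside admin range {admin_cidr}"))
    # The mandatory port must be allowed somewhere or no user can connect.
    for port, (func, mandatory) in VSSL_PORTS.items():
        if mandatory and port not in allowed:
            findings.append(("HIGH", port, f"{func} (TCP {port}) not allowed by any rule"))
    return findings


# Constructed sample rule set: a common misconfiguration where the console and
# the engineer shell port were opened to the world alongside the user port.
SAMPLE_RULES = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),         # user access, expected
    Rule("tcp", 4430, 4430, "0.0.0.0/0"),       # admin console world-open
    Rule("tcp", 22, 22, "0.0.0.0/0"),           # shell port world-open
    Rule("tcp", 4430, 4430, "203.0.113.0/24"),  # admin console from trusted range
]
ADMIN_CIDR = "203.0.113.0/24"  # assumed trusted management network

if __name__ == "__main__":
    for sev, port, msg in audit(SAMPLE_RULES, ADMIN_CIDR):
        print(f"[{sev}] TCP {port}: {msg}")
```

Run against the sample rules, the audit reports the two world-open rules (4430 and 22) as HIGH and accepts the 4430 rule scoped to the admin range; a rule set with no 443 allow is also flagged, since that port is the one the guide marks mandatory. Port-range rules (for example 0-65535) are expanded against every documented port, so a blanket allow surfaces each exposed service separately.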

Chapter 2 Login to Admin Console

The SANGFOR SSL VPN system provides Web-based administration through HTTPS port 4430. The initial URL for administrator console access is https://EIP:4430.

Logging in to Admin Console

1. Open the IE browser and enter the SSL VPN address and HTTPS port (https://EIP:4430) into the address bar. Press the Enter key to visit the login page of the SSL VPN administrator Web console, as shown below:
You can also scan the QR code on the above page to follow SANGFOR.
2. Enter the administrator username and password and click the Log In button. The default administrator username and password are both admin (case-sensitive). You can also choose the page language at the upper right corner of the login page as needed.
3. For version information of the software package, click Version below the textboxes.

Modifying Administrator Password

We strongly recommend changing the administrator password after the initial login, so as to prevent others from logging in to the administrator Web console with the default Admin credentials and making unauthorized changes to the administrator account and initial configuration.

To modify the default administrator password, perform the following steps:

1. Navigate to System > Administrator to enter the Administrator Management page. The default administrator account (super administrator) is as seen in the figure below:
2. Click the account name Admin to enter the Add/Edit Administrator page (as shown below):
3. Modify the password and click the Save button on the above page.

- The password of the account Admin should not be shared with anyone.
- If the Sangfor device is to be maintained by several administrators, create multiple administrator accounts for segregation of duty.

Chapter 3 System and Network Settings

After logging in to the administrator console, the status of this SSL VPN and some function modules are shown on the right side of the page, and a tree of configuration modules is shown on the left side of the page.

There are five configuration modules in all:

- Status: Shows the running status of the Sangfor device and the related modules.
- System: Configures the related licenses of the device, network settings and other global settings such as schedule, administrator, SSL VPN options, etc.
- SSL VPN: Configures the SSL VPN related settings, such as SSL VPN accounts, resources, roles, policy sets, remote servers and endpoint security rules and policies.
- Firewall: Configures the internal firewall rule or policy of the Sangfor device.
- Maintenance: Shows the logs and backups. It also enables the administrator to restore configuration, restart services, and reboot or shut down the device.

System Settings

System settings refer to the settings under the System module, including System, Network, Schedule, Administrator and SSL VPN Options.

Configuring License

Navigate to System > System > Licensing to activate the license or modify the license key related to this device and each function module.

There are two methods to get a trial license.

Method 1: Online Authorization (requires a Chinese phone number to receive the SMS from the Sangfor Authorization server).
Method 2: Contact the local Sangfor team to get a trial license.

Under License of Device are the license of this Sangfor device and other authorizations you have bought from SANGFOR. Under License of Each Module are licenses that are optional for the Sangfor device. Once the license of a function module is activated and that feature is enabled, the corresponding module will work.

The following are the contents included on the Licensing page:

- Cross-ISP Access Optimization: Cross-ISP access optimi
