{"id":6869,"date":"2022-04-22T14:25:30","date_gmt":"2022-04-22T21:25:30","guid":{"rendered":"https:\/\/www.xh86.me\/?p=6869"},"modified":"2022-04-22T14:25:30","modified_gmt":"2022-04-22T21:25:30","slug":"%e4%b8%80%e7%af%87%e8%83%bd%e8%a7%a3%e5%86%b390%e4%bb%a5%e4%b8%8assl-vpn%e9%97%ae%e9%a2%98%e7%9a%84%e6%ad%a6%e6%9e%97%e7%a7%98%e7%b1%8d","status":"publish","type":"post","link":"https:\/\/www.xh86.me\/?p=6869","title":{"rendered":"\u4e00\u7bc7\u80fd\u89e3\u51b390%\u4ee5\u4e0aSSL VPN\u95ee\u9898\u7684\u6b66\u6797\u79d8\u7c4d"},"content":{"rendered":"
\n
<\/section>\n

\u524d\u9762\u6211\u4eec\u5df2\u7ecf\u901a\u8fc7\u51e0\u7bc7\u6587\u7ae0\u628aSSL VPN\u76843\u79cd\u63a5\u5165\u65b9\u5f0f\u548c\u5bf9\u5e94\u7684\u5de5\u4f5c\u673a\u5236\u4e86\u89e3\u4e86\uff0cIP\u63a5\u5165\u65b9\u5f0f\u8bf7\u67e5\u770b\uff08<\/strong>VSR\u767d\u9001\u7684SSL VPN\u529f\u80fd\uff0c\u4f60\u8981\u4e0d\u8981\uff1f<\/strong>\uff09<\/strong><\/p>\n

\u73b0\u5728\u6211\u4eec\u56de\u8fc7\u5934\u6765\u8865\u5145\u4e00\u4e9b\u548c\u5b9e\u9645\u4f7f\u7528\u76f8\u5173\u7684\u7ec6\u8282\u95ee\u9898\u3002<\/p>\n

\u9996\u5148\u770b\u4e00\u4e0bSSL VPN\u7f51\u5173\u7684\u90e8\u7f72\u65b9\u5f0f\uff0c\u4e3b\u8981\u6709\u4e24\u79cd\uff1a\u7f51\u5173\u6a21\u5f0f\u548c\u65c1\u8def\u6a21\u5f0f<\/strong>\u3002<\/p>\n

\u5148\u770b\u6211\u4eec\u5728\u4e91\u4e0a\u90e8\u7f72VSR\u65f6\u4f7f\u7528\u7684\u65c1\u8def\u6a21\u5f0f<\/strong>\uff0c\u53c8\u79f0\u5355\u81c2\u65c1\u6302\u3001\u5355\u81c2\u6a21\u5f0f<\/strong>\u3002\u6b64\u65f6SSL VPN\u7f51\u5173\u548c\u5185\u7f51\u7684\u4e1a\u52a1\u7f51\u5173\u4e0d\u662f\u540c\u4e00\u53f0\u8bbe\u5907\uff0cSSL VPN\u76f8\u5173\u7684\u4e1a\u52a1\u6d41\u91cf\u9700\u8981\u7ecf\u4e1a\u52a1\u7f51\u5173\u7ed5\u8f6c\u5230SSL VPN\u7f51\u5173\u3002\u56e0\u4e3aSSL VPN\u7f51\u5173\u4e0d\u5904\u5728\u4e1a\u52a1\u6d41\u91cf\u8f6c\u53d1\u7684\u5173\u952e\u8def\u5f84\u4e0a\uff0c\u6027\u80fd\u53ea\u9700\u6ee1\u8db3SSL VPN\u7684\u4e1a\u52a1\u6027\u80fd\u5373\u53ef\uff0c\u5373\u4f7f\u6027\u80fd\u4e0d\u8db3\u4e5f\u4e0d\u4f1a\u5f71\u54cd\u5176\u4ed6\u5185\u5916\u7f51\u901a\u4fe1\u3002\u751a\u81f3\u8bbe\u5907\u5b95\u673a\u4e5f\u53ea\u662f\u5f71\u54cdSSL VPN\u4e1a\u52a1\u3002<\/p>\n

<\/div><\/p>\n

\u6240\u4ee5\uff0c\u524d\u9762\u4ecb\u7ecd\u7684\u4e91\u4e0a\u90e8\u7f72VSR\u7684\u573a\u666f\uff0c\u5b9e\u9645\u4e1a\u52a1\u6a21\u578b\u662f\u4e0a\u56fe\u8fd9\u6837\u7684\uff0cGW\u8bbe\u5907\u662f\u4e91\u4e3b\u673a\u7684\u7f51\u5173\u8bbe\u5907\uff0cPC\u548cVSR\u76f4\u63a5\u5efa\u7acbSSL VPN\u96a7\u9053\u8fde\u63a5\u3002VSR\u548c\u670d\u52a1\u5668\u4e4b\u95f4\u8def\u7531\u53ef\u8fbe\uff0cPC\u548cServer\u4e92\u8bbf\u7684\u6d41\u91cf\u5747\u9700\u8981\u7ed5\u8f6cVSR\u8bbe\u5907\uff1b\u800cServer\u548c\u516c\u7f51\u5176\u4ed6\u4e3b\u673a\u901a\u4fe1\u7684\u6d41\u91cf\u76f4\u63a5\u901a\u8fc7\u7f51\u5173\u8bbe\u5907GW\u8f6c\u53d1\uff0c\u65e0\u9700\u7ed5\u8f6cVSR\u3002\u8fd9\u6837\uff0c\u5373\u4f7fVSR\u5b95\u673a\uff0c\u4e5f\u53ea\u662f\u5f71\u54cdSSL VPN\u7528\u6237\u7684\u8bbf\u95ee\u6d41\u91cf\u3002<\/p>\n

\u800c\u7f51\u5173\u6a21\u5f0f\u662f\u6307\u8bbe\u5907\u4f5c\u4e3a\u5185\u7f51\u7f51\u5173\u4e32\u63a5\u5728\u5185\u5916\u7f51\u4e4b\u95f4\uff0c\u5185\u5916\u7f51\u4e92\u901a\u7684\u6240\u6709\u6d41\u91cf\u9700\u8981\u901a\u8fc7SSL VPN\u7f51\u5173\u8fdb\u884c\u8f6c\u53d1\u3002\u4f18\u52bf\u662f\u7f51\u5173\u6a21\u5f0f\u53ef\u4ee5\u63d0\u4f9b\u5bf9\u5185\u7f51\u7684\u5b8c\u5168\u4fdd\u62a4\uff0c\u4f46\u662f\u7531\u4e8eSSL VPN\u7f51\u5173\u5904\u5728\u5185\u7f51\u4e0e\u5916\u7f51\u901a\u4fe1\u7684\u5173\u952e\u8def\u5f84\u4e0a\uff0c\u5176\u6027\u80fd\u5bf9\u5185\u5916\u7f51\u4e4b\u95f4\u7684\u6570\u636e\u4f20\u8f93\u6709\u5f88\u5927\u7684\u5f71\u54cd\u3002<\/p>\n

<\/div><\/p>\n

\u8fd8\u662f\u524d\u9762\u4ecb\u7ecd\u7684\u4e91\u4e0a\u90e8\u7f72VSR\u7684\u573a\u666f\uff0c\u56e0\u4e3a\u6ca1\u6709\u529e\u6cd5\u66ff\u6362\u6389GW\u8bbe\u5907\uff0c\u6240\u4ee5\u53ea\u80fd\u662f\u628aVSR\u4e32\u5728GW\u548cServer\u4e2d\u95f4\u3002\u5982\u679c\u662f\u7269\u7406\u8bbe\u5907\u573a\u666f\uff0c\u5728SSL VPN\u7f51\u5173\u80fd\u6ee1\u8db3\u4e1a\u52a1\u9700\u6c42\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u4ee5\u5c06SSL VPN\u7f51\u5173\u590d\u7528\u4e3a\u4e1a\u52a1\u7f51\u5173\uff0c\u964d\u4f4e\u90e8\u7f72\u6210\u672c\u3002\u4f46\u5982\u679cSSL VPN\u7f51\u5173\u5b95\u673a\uff0c\u6240\u6709\u4e1a\u52a1\u5747\u53d7\u5f71\u54cd\u3002<\/p>\n

\u7efc\u4e0a\uff0c\u5728\u5b9e\u9645\u90e8\u7f72\u65f6\uff0c\u8fd8\u662f\u5efa\u8bae\u4f18\u5148\u8003\u8651\u91c7\u7528\u65c1\u8def\u6a21\u5f0f\u90e8\u7f72<\/strong>\u3002<\/p>\n

\u7136\u540e\u5c31\u662fSSL VPN\u7f51\u5173\u7684\u914d\u7f6e\u4e86\u3002\u6211\u4eec\u524d\u9762\u662f\u628a3\u79cd\u63a5\u5165\u65b9\u5f0f\u5206\u5f00\u8bb2\u7684\uff0c\u5176\u5b9e\u4e5f\u662f\u53ef\u4ee5\u7ec4\u5408\u5728\u4e00\u8d77\u8fdb\u884c\u4f7f\u7528\u7684\u3002<\/p>\n

\u53ef\u4ee5\u53d1\u73b0\uff0c3\u79cd\u63a5\u5165\u65b9\u5f0f\u4e2dSSL\u670d\u52a1\u5668\u7aef\u7684\u7b56\u7565\u914d\u7f6e\u90fd\u662f\u4e00\u6837\u7684\u3002<\/p>\n

\u9996\u5148\u914d\u7f6ePKI\u57df\uff0c\u5e76\u5bfc\u5165CA\u8bc1\u4e66\u548c\u670d\u52a1\u5668\u8bc1\u4e66\uff0c\u8bc1\u4e66\u7684\u751f\u6210\u65b9\u5f0f\u8bf7\u53c2\u8003\u6587\u7ae0\uff08Windows Server\u914d\u7f6e\u751f\u6210\u8ba4\u8bc1\u8bc1\u4e66\uff09\u3002\u7136\u540e\u914d\u7f6eSSL\u670d\u52a1\u5668\u7aef\u7b56\u7565\uff0c\u5e76\u7ed1\u5b9aPKI\u57df\u3002<\/p>\n

\n
#<\/span><\/span><\/code>pki domain guotiejun<\/span><\/code> public-key rsa general name guotiejun<\/span><\/code> undo crl check<\/span> enable<\/span><\/span><\/code>pki import<\/span> domain<\/span> guotiejun pem ca filename certguo.cer<\/span><\/code>pki import<\/span> domain<\/span> guotiejun p12 local<\/span> filename serverguo.pfx<\/span><\/code>#<\/span><\/span><\/code>ssl\u00a0server<\/span>-policy<\/span>\u00a0guotiejun<\/span><\/code> pki-domain<\/span> guotiejun<\/span><\/code><\/pre>\n<\/section>\n
SSL VPN\u7f51\u5173\u914d\u7f6e\u7684IP\u5730\u5740\u548c\u7aef\u53e3\u53f7\u53ef\u4ee5\u5408\u5e76\u4e3a\u4e00\u4e2a\u3002<\/p>\n
\n
#<\/span><\/span><\/code>sslvpn<\/span> gateway guotiejun<\/span><\/span><\/code> ip<\/span> address 172.30.1.19 port 10086<\/span><\/span><\/code> ssl<\/span> server-policy guotiejun<\/span><\/span><\/code> service<\/span> enable<\/span><\/span><\/code><\/pre>\n<\/section>\n
IP\u63a5\u5165\u65b9\u5f0f\u9700\u8981\u521b\u5efaSSL VPN AC\u63a5\u53e3\uff0c\u4ee5\u53ca\u4e3aSSL VPN\u5ba2\u6237\u7aef\u5206\u914d\u5730\u5740\u7684\u5730\u5740\u6c60\uff0c\u8fd8\u8981\u521b\u5efa\u5141\u8bb8SSL VPN\u5730\u5740\u6c60\u8bbf\u95ee\u8d44\u6e90\u7684ACL\u3002<\/p>\n
\n
#<\/span><\/code>interface<\/span> SSLVPN-AC1<\/span><\/span><\/code> ip<\/span> address<\/span> 10.1<\/span>.1<\/span>.1<\/span> 255.255<\/span>.255<\/span>.0<\/span><\/span><\/code>#<\/span><\/code>sslvpn<\/span> ip<\/span> address-pool<\/span> tiejun<\/span> 10.1<\/span>.1<\/span>.100<\/span> 10.1<\/span>.1<\/span>.200<\/span><\/span><\/code>#<\/span><\/code>acl<\/span> advanced<\/span> 3402<\/span><\/code> rule<\/span> 0 permit<\/span> ip<\/span> source<\/span> 10.1<\/span>.1<\/span>.0<\/span> 0.0<\/span>.0<\/span>.255<\/span> destination<\/span> 172.30<\/span>.1<\/span>.0<\/span> 0.0<\/span>.0<\/span>.255<\/span><\/span><\/code><\/pre>\n<\/section>\n
\u7136\u540e\u5c31\u662f\u628a3\u79cd\u63a5\u5165\u65b9\u5f0f\u7684\u8bbf\u95ee\u5b9e\u4f8b\u914d\u7f6e\u878d\u5408\u5230\u4e00\u8d77\u3002IP\u63a5\u5165\u65b9\u5f0f\u6dfb\u52a0\u8d44\u6e90172.30.1.0\/24\uff0cWeb\u63a5\u5165\u65b9\u5f0f\u6dfb\u52a0\u8d44\u6e90172.30.1.17\u7684HTTP\u548cHTTPS\u7ba1\u7406\u9875\u9762\uff0cTCP\u63a5\u5165\u65b9\u5f0f\u6dfb\u52a0\u8d44\u6e90172.30.1.17\u7684SSH\u3001FTP\u3001Telnet\u3001HTTP\u548cHTTPS\u7aef\u53e3\u3002<\/p>\n
\n
#<\/span><\/span><\/code>sslvpn<\/span> context guotiejun<\/span><\/span><\/code> gateway<\/span> guotiejun<\/span><\/span><\/code> ip-tunnel<\/span> interface SSLVPN-AC1<\/span><\/span><\/code> ip-tunnel<\/span> address-pool tiejun mask 255.255.255.0<\/span><\/span><\/code> port-forward-item<\/span> ftp17<\/span><\/span><\/code>  local-port<\/span> 17021 local-name 127.0.0.1 remote-server 172.30.1.17 remote-port 21<\/span><\/span><\/code> port-forward-item<\/span> http17<\/span><\/span><\/code>  local-port<\/span> 17080 local-name 127.0.0.1 remote-server 172.30.1.17 remote-port 80<\/span><\/span><\/code> port-forward-item<\/span> https17<\/span><\/span><\/code>  local-port<\/span> 17443 local-name 127.0.0.1 remote-server 172.30.1.17 remote-port 443<\/span><\/span><\/code> port-forward-item<\/span> ssh17<\/span><\/span><\/code>  local-port<\/span> 17022 local-name 127.0.0.1 remote-server 172.30.1.17 remote-port 22<\/span><\/span><\/code> port-forward-item<\/span> telent17<\/span><\/span><\/code>  local-port<\/span> 17023 local-name 127.0.0.1 remote-server 172.30.1.17 remote-port 23<\/span><\/span><\/code> port-forward<\/span> tcp<\/span><\/span><\/code>  resources<\/span> port-forward-item ftp17<\/span><\/span><\/code>  resources<\/span> port-forward-item http17<\/span><\/span><\/code>  resources<\/span> port-forward-item https17<\/span><\/span><\/code>  resources<\/span> port-forward-item ssh17<\/span><\/span><\/code>  resources<\/span> port-forward-item telent17<\/span><\/span><\/code> ip-route-list<\/span> guotiejun<\/span><\/span><\/code>  include<\/span> 172.30.1.0 255.255.255.0<\/span><\/span><\/code> url-item<\/span> http17<\/span><\/span><\/code>  url<\/span> http:\/\/172.30.1.17<\/span><\/span><\/code> url-item<\/span> https17<\/span><\/span><\/code>  url<\/span> https:\/\/172.30.1.17<\/span><\/span><\/code> url-list<\/span> web<\/span><\/span><\/code>  heading<\/span> WebManagement<\/span><\/span><\/code>  resources<\/span> url-item http17<\/span><\/span><\/code>  resources<\/span> url-item https17<\/span><\/span><\/code> policy-group<\/span> guotiejun<\/span><\/span><\/code>  resources<\/span> port-forward tcp<\/span><\/span><\/code>  filter<\/span> ip-tunnel acl 3402<\/span><\/span><\/code>  ip-tunnel<\/span> access-route ip-route-list guotiejun<\/span><\/span><\/code>  resources<\/span> url-list web<\/span><\/span><\/code> default-policy-group<\/span> guotiejun<\/span><\/span><\/code> service<\/span> enable<\/span><\/span><\/code><\/pre>\n<\/section>\n
\u6700\u540e\u5c31\u662f\u521b\u5efa\u6388\u6743\u6709\u7b56\u7565\u7ec4\u7684\u7528\u6237\u7ec4\uff0c\u5e76\u521b\u5efa\u672c\u5730SSL VPN\u7528\u6237\u3002<\/p>\n
\n
#<\/span><\/span><\/code>user-group<\/span> sslvpn<\/span><\/span><\/code> authorization-attribute<\/span> sslvpn-policy-group guotiejun<\/span><\/span><\/code>#<\/span><\/span><\/code>local-user<\/span> guotiejun class network<\/span><\/span><\/code> password<\/span> simple guotiejun<\/span><\/span><\/code> service-type<\/span> sslvpn<\/span><\/span><\/code> group<\/span> sslvpn<\/span><\/span><\/code> authorization-attribute<\/span> user-role network-operator<\/span><\/span><\/code><\/pre>\n<\/section>\n
\u7136\u540e\u5c31\u53ef\u4ee5\u767b\u5f55\u5230SSL VPN\u7f51\u5173\u4e86\u3002<\/p>\n
\n
https:\/\/bj.h3cadmin.cn:10086\/<\/span><\/span><\/code><\/pre>\n<\/section>\n
<\/div><\/p>\n
\u6211\u4eec\u770b\u5230\u9875\u9762\u4e2d\u8fd8\u6709\u4e00\u4e2a\u542f\u52a8IP\u5ba2\u6237\u7aef\u5e94\u7528\u7a0b\u5e8f\u7684\u5730\u65b9\uff0c\u9ed8\u8ba4\u662f\u6ca1\u6709\u5ba2\u6237\u7aef\u8f6f\u4ef6\u7684\u3002\u6b64\u65f6\u6211\u4eec\u9700\u8981\u5f00\u542f\u8bbe\u5907\u7684\u8f7b\u91cf\u7ea7Web\u670d\u52a1\u5668\u529f\u80fdLighttpd\uff0c\u5e76\u5c06\u5b9a\u5236\u597d\u7684iNode\u5ba2\u6237\u7aef\u91cd\u547d\u540d\u540e\u4e0a\u4f20\u5230\u6307\u5b9a\u8def\u5f84\u3002<\/p>\n
<\/div><\/p>\n
\u7b80\u5355\u89e3\u91ca\u4e00\u4e0b\uff0c\u4e3a\u4ec0\u4e48\u8981\u6307\u5b9a\u8def\u5f84\u3002\u56e0\u4e3a\u76ee\u524d\u6682\u65f6\u4e0d\u652f\u6301\u4fee\u6539\u4e0b\u8f7d\u94fe\u63a5\uff0c\u9ed8\u8ba4\u7684\u4e0b\u8f7d\u94fe\u63a5\u5982\u4e0b\uff1a<\/p>\n
\n