SSL VPN Access Control and Portal Login Guide

Last updated: 2022-08-09 19:07:45

    This document describes how to use EIAM and SSL VPN to implement access control to improve your business security.

    Note:

    Currently, the SSO authentication feature is in beta and is available only in the Singapore region. To try it out, submit a ticket to apply.

    Process

    The configuration runs in three stages: first create the user, the user group, and the Tencent Cloud VPN application in EIAM and authorize the application to the user group; then create the SSL VPN gateway and the SSL VPN server with access control enabled, bind the EIAM application, and add an access control policy that grants a user group access to a destination IP range; finally log in to the Client VPN Self-Service Portal to download the client configuration file and the OpenVPN client, and connect.

    EIAM Verification Configuration

    This section only describes the main steps of verification configuration in EIAM.

    Creating a user

    1. Log in to the EIAM console, select User management > Organization management > Root node on the left sidebar, and click Create user.
    2. On the Create user page, configure the required parameters.
      Here, the username and password will be used to log in to the Tencent Cloud Client VPN Self-Service Portal.

    Creating a user group and adding members

    1. Select User management > User group management on the left sidebar. On the User group management page, click Create user group, configure the parameters, and click OK.
    2. In the section of the created user group, click Add user.
    3. On the Add user page, add members to the user group and click OK.

    Creating an EIAM application

    1. Select Application management on the left sidebar and click Create from Application Marketplace. On the Create from Application Marketplace page, select Tencent Cloud VPN and click Next: Edit application information.

    2. On the Edit application information tab, enter the relevant information as prompted and click Next: Complete.

    Granting permissions to the EIAM application

    1. Select Application authorization on the left sidebar. On the Application authorization page, click User group authorization > Add authorization.
    2. On the Add Authorization page, select the EIAM application just created and click Next: Select user group.
    3. On the Select user group tab, select the user group to be authorized and click Next: Complete.

    SSL VPN Configuration

    Creating an SSL VPN gateway

    1. Log in to the VPC console and select VPN Connections > VPN gateway on the left sidebar to enter the management page.
    2. On the VPN gateway management page, click + New. On the Create VPN gateway page, configure the SSL VPN gateway parameters.
    3. Click Create.

    Creating an SSL VPN server

    1. Click VPN Connections > SSL VPN server on the left sidebar to enter the management page.
    2. On the SSL VPN server management page, click + New. In the Create an SSL VPN server pop-up window, configure the SSL VPN server parameters.
      Parameter: Description
      Name: Enter the SSL VPN server name (up to 60 characters).
      Region: Select the region of the SSL VPN server.
      VPN gateway: Select an existing VPN gateway.
      Local IP address range: The Tencent Cloud IP ranges that connecting clients are allowed to reach through the tunnel.
      Client IP range: The IP range from which connecting clients are assigned addresses. It must not overlap the VPC CIDR block on the Tencent Cloud side.
      Protocol: Transport protocol of the server.
      Port: Enter the SSL VPN server port used for data forwarding.
      Verification algorithm: Supported authentication (HMAC) algorithms: SHA1 and MD5. Choose SHA1; MD5 is a legacy option.
      Encryption algorithm: Supported encryption algorithms: AES-128-CBC, AES-192-CBC, and AES-256-CBC. AES-256-CBC uses the largest key and is the usual choice.
      Compressed: No (tunnel traffic is not compressed).
      Access control: Enable it.
      Note: If you want to try out this feature, contact Tencent Cloud technical support for application.
      Verification method: Select Certificate verification + Identity verification.
      EIAM application: Select the application created in EIAM.

    Configuring an access control policy

    1. Click VPN Connections > SSL VPN server on the left sidebar to enter the management page.
    2. In the SSL VPN server list, click the ID of the target instance.
    3. On the SSL VPN server details page, click Access control > Add policy and configure the policy information as prompted.
      Parameter: Description
      Destination: Enter the destination IP range, i.e., the IP range in the cloud that members of the group may access.
      Note: The destination IP range must fall within the local IP address range of the SSL VPN server. If you change the local IP address range, update the destination of each access control policy accordingly.
      Access permission: Select Specific user group. After selecting this option, you need to configure the access group ID.
      Access group ID: Select the EIAM user group to be granted access.
      Notes: Enter remarks for the policy. They are required and make the policy easier to find.
    4. Click OK.
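The two range rules above (the client IP range must not overlap the VPC CIDR block, and every policy destination must lie within the server's local IP address range) are easy to get wrong in a console form and only surface later as clients that connect but cannot reach anything. The following is an added example, not code from Tencent Cloud, that checks both rules before you click OK; all CIDR values in it are constructed placeholders.

```python
import ipaddress

# Constructed values standing in for what you would type into the console
# (hypothetical; not taken from the page).
VPC_CIDR = "10.0.0.0/16"
LOCAL_IP_RANGES = ["10.0.0.0/16"]        # Tencent Cloud side, reachable through the tunnel
CLIENT_IP_RANGE = "172.16.8.0/22"        # pool from which connecting clients get addresses
POLICY_DESTINATIONS = ["10.0.10.0/24", "10.0.20.0/24"]


def _net(cidr):
    """Parse a CIDR strictly so a typo such as 10.0.10.5/24 is reported, not silently masked."""
    return ipaddress.ip_network(cidr)


def check_server_ranges(vpc_cidr, local_ranges, client_range):
    """Problems with the ranges entered on the Create an SSL VPN server page.

    The client IP range must not overlap the VPC CIDR block (the page's rule);
    it also must not overlap the local IP ranges, otherwise the route pushed to
    the client for the local range would cover the client's own tunnel address.
    """
    try:
        vpc, client = _net(vpc_cidr), _net(client_range)
        locals_ = [_net(r) for r in local_ranges]
    except ValueError as e:
        return [f"invalid CIDR: {e}"]
    problems = []
    if client.overlaps(vpc):
        problems.append(f"client IP range {client} overlaps VPC CIDR {vpc}")
    for local in locals_:
        if client.overlaps(local):
            problems.append(f"client IP range {client} overlaps local IP range {local}")
    return problems


def check_policy_destinations(local_ranges, destinations):
    """Each access-control destination must lie inside one of the local IP ranges;
    a destination outside them can never match traffic the server routes.
    Re-run this whenever the local IP address range is changed."""
    locals_ = [_net(r) for r in local_ranges]
    problems = []
    for dst in destinations:
        net = _net(dst)
        if not any(net.version == l.version and net.subnet_of(l) for l in locals_):
            problems.append(f"destination {net} is not inside any local IP range {local_ranges}")
    return problems


if __name__ == "__main__":
    found = check_server_ranges(VPC_CIDR, LOCAL_IP_RANGES, CLIENT_IP_RANGE)
    found += check_policy_destinations(LOCAL_IP_RANGES, POLICY_DESTINATIONS)
    for line in found or ["ranges are consistent"]:
        print(line)
```

Strict parsing is deliberate: a value with host bits set is reported as invalid rather than rounded down to the network address, which is what you would otherwise discover only after the policy silently covers a different block than intended.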

    (Optional) Creating an SSL VPN client

    Note:

    To download an SSL VPN client configuration file and connect to the server, create an SSL VPN client as needed.

    1. Click VPN Connections > SSL VPN client on the left sidebar to enter the management page, and click + New.
    2. In the Create an SSL VPN client pop-up window, set the client name, select the SSL VPN server to connect to, and click OK.

    Downloading the SSL VPN Client Configuration File and Client from the Client VPN Portal

    1. Open the Tencent Cloud Client VPN Self-Service Portal.
    2. In the SSL VPN server ID input box, enter the ID of the SSL VPN server created above and click Next to reach the login page.
    3. Log in to the portal in one of two ways:
    • Account and password:
      Use the username and password set for the user in EIAM.
    • SAML authentication:
      If your EIAM user belongs to a user group that is associated with an SSL VPN access control policy, click Go to SAML; you are redirected to EIAM for SAML authentication and then logged in to the portal.
    4. In the Download SSL VPN client configuration file section, find the target configuration file and click Download.
    5. In the Download SSL VPN client section, find the client for your operating system and click Download.
      This document takes macOS as an example. After you click Download, you are redirected to the official OpenVPN website, where you can download the client.
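Before importing the downloaded .ovpn profile it is worth confirming that it matches the server you created (port, protocol, AES-CBC cipher, SHA1 HMAC) and that it carries nothing you would reject: compression, which the server does not use and which exposes tunnel data to compression-oracle attacks such as VORACLE, or a missing remote-cert-tls server check, which would let any CA-signed certificate pose as the server. The following is an added example, not code from Tencent Cloud or OpenVPN; the sample profile, host name, port and certificate body are constructed placeholders, and a real download may contain further directives.

```python
import re

# Constructed sample profile in the shape of an OpenVPN client configuration.
# Host name, port and certificate body are placeholders, not a real download.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn-example.invalid 1194
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
"""

# The values chosen on the Create an SSL VPN server page (hypothetical here).
EXPECTED = {"proto": "udp", "port": "1194", "cipher": "AES-256-CBC", "auth": "SHA1"}


def parse_profile(text):
    """Split a profile into top-level directives and inline <tag> blocks.

    Returns (directives, inline_blocks): directives maps a directive name to
    the argument lists seen for it; inline_blocks holds names such as 'ca',
    'cert', 'key' or 'tls-auth' whose bodies are certificates or keys.
    """
    directives, inline_blocks, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:            # inside <ca> ... </ca> and similar
            if line == f"</{current}>":
                current = None
            continue
        if not line or line[0] in "#;":    # blank or comment
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            current = m.group(1)
            inline_blocks.add(current)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, inline_blocks


def check_profile(text, expected):
    """Return a list of problems; empty means the profile matches the server
    settings and contains no directive a practitioner would reject."""
    d, blocks = parse_profile(text)

    def first(name):
        return d.get(name, [[]])[0]

    problems = []
    # 'remote <host> [port] [proto]' overrides the standalone port/proto directives
    port = first("port")[0] if first("port") else None
    proto = first("proto")[0] if first("proto") else "udp"   # OpenVPN default
    remote = first("remote")
    if not remote:
        problems.append("no 'remote' directive: the profile names no server")
    else:
        port = remote[1] if len(remote) > 1 else port
        proto = remote[2] if len(remote) > 2 else proto
    if port != expected["port"]:
        problems.append(f"port {port} differs from server port {expected['port']}")
    if not proto.lower().startswith(expected["proto"].lower()):
        problems.append(f"protocol {proto} differs from server protocol {expected['proto']}")

    # Data-channel cipher: older profiles use 'cipher', newer ones 'data-ciphers'
    cipher, data_ciphers = first("cipher"), first("data-ciphers")
    offered = cipher[:1] if cipher else (data_ciphers[0].split(":") if data_ciphers else [])
    if expected["cipher"].upper() not in {c.upper() for c in offered}:
        problems.append(f"cipher list {offered} does not include server cipher {expected['cipher']}")

    # HMAC ('auth') defaults to SHA1 when omitted
    auth = first("auth")[0].upper() if first("auth") else "SHA1"
    if auth != expected["auth"].upper():
        problems.append(f"auth {auth} differs from server verification algorithm {expected['auth']}")
    if auth == "MD5":
        problems.append("HMAC-MD5 is a legacy choice; select SHA1 on the server and regenerate the profile")

    # Server is created with Compressed=No; compressing tunnel data enables VORACLE-style attacks
    lzo = first("comp-lzo") if "comp-lzo" in d else None
    comp = first("compress")
    if (lzo is not None and lzo[:1] != ["no"]) or (comp and comp[0] not in ("stub", "stub-v2")):
        problems.append("compression is enabled in the profile but the server does not compress")

    if "remote-cert-tls" not in d:
        problems.append("'remote-cert-tls server' is missing: any CA-signed certificate would be accepted as the server")
    if "ca" not in blocks and "ca" not in d:
        problems.append("no CA certificate: the server certificate cannot be verified")
    return problems


if __name__ == "__main__":
    for p in check_profile(SAMPLE_PROFILE, EXPECTED) or ["profile matches server settings"]:
        print(p)
```

Run it against the file you downloaded by reading the file into check_profile in place of SAMPLE_PROFILE; any reported line is a reason to fix the server settings and download the profile again rather than to edit the profile by hand, since the server will reject a client whose cipher or HMAC does not match.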

    SSL VPN Client Installation and Connection

    1. Decompress the installation package locally and double-click the installer to install the client as prompted.
    2. After the SSL VPN client is installed, select Import Profile > FILE and upload the downloaded SSL VPN client configuration file (the .ovpn file).
    3. After the profile is imported, click CONNECT.
    4. Wait for the connection defined by the profile to be established.
    5. Complete the identity verification when the client prompts for it; the server was configured with Certificate verification + Identity verification, so the certificate embedded in the profile alone is not sufficient.
    6. The connection is established.