USG Huawei Firewall and SSL VPN: Two Problems

Two problems are commonly encountered by customers when they take on the task of configuring SSL VPN on Huawei USG firewalls (SSL VPN gives secure access to the firewall’s internal resources over the Internet). The first problem: authentication does not pass when trying to log in through the web browser of a smartphone. The second: it is not possible to restrict access to certain users (the security policy does not recognize the username). This is not the fault of the customers, nor a product flaw in the software, but rather a lack of clarity in the documentation.

The answer to the first question is that SSL VPN does not work through smartphone web browsers. Such a function is not supported, not tested and was never developed (checked directly with Huawei TAC). The trouble is that the user is given false hope: the firewall web page does open and prompts for a username/password, and then nothing happens except “Authentication failed”. There is a long list of software restrictions, but it does not mention mobile browsers. On the contrary, the SSL VPN overview contains a line about mobile devices, but it is not specified that this refers only to access through the SecoClient application.

Second question. The customer has configured SSL VPN, but all users have access to all internal resources. The SSL VPN terminates on the public firewall interface, and the original packet is encapsulated in that tunnel. If authentication succeeds, the packet is decapsulated, the local security policies come into play and the TCP session is established. If the administrator then tightens a security policy to permit only certain users, access is lost for all users. This happens because the firewall does not recognize the username after decapsulating the packet, so it discards every packet that does not match the conditions of the policy. The root cause is that the person configuring the device skips the Authentication Policy configuration. It simply gets lost in a long and confusing set of documentation scripts: it is included in some of them and omitted from the rest.

In the authentication policy, you need to specify the local addresses allowed for access (the range below permits the local addresses reachable via SSL VPN):

auth-policy
 rule name auth_policy_service
  source-address range 10.2.0.2 10.2.0.15
  action exempt-auth

After that, the security policies will start working correctly. Two rules are configured: one for access according to the Internet – Firewall scheme, the other according to the Firewall – Local Area Network scheme.

security-policy
 rule name "Internet - Firewall"
  source-zone untrust
  destination-zone local
  destination-address <firewall public address> 32
  user <user or user group>
  service https
  action permit
 rule name "Firewall - Local Area Network"
  source-zone untrust
  destination-zone trust
  source-address 172.16.1.0 mask 255.255.255.0
  destination-address 10.2.0.0 mask 255.255.255.0
  user <user or user group>
  action permit

The source address 172.16.1.0 mask 255.255.255.0 in the second rule is the address pool for SSL VPN clients; these addresses are specified in the Network Extension settings. After authentication and decapsulation, one address from this pool is assigned to the remote client (the connection initiator), while another acts as the firewall gateway for communication between the client and the local subnet (10.2.0.0/24).
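As an added check (not from the original post or from Huawei), the following Python script parses a text dump of the two sections above and flags security-policy rules that match on user while no auth-policy rule with action exempt-auth exists, which is exactly the misconfiguration that makes every SSL VPN packet get dropped. The sample config text is constructed, the rule and user names are assumptions, and an indent-based layout like a display current-configuration dump is assumed.

```python
# Constructed sample config (not a real device dump); rule and user names are assumptions.
SAMPLE_CONFIG = """\
auth-policy
 rule name auth_policy_service
  source-address range 10.2.0.2 10.2.0.15
  action exempt-auth
security-policy
 rule name "Firewall - Local Area Network"
  source-zone untrust
  destination-zone trust
  source-address 172.16.1.0 mask 255.255.255.0
  destination-address 10.2.0.0 mask 255.255.255.0
  user sslvpn_users
  action permit
"""

def parse_rules(config):
    """Group 'rule name ...' blocks under their top-level section (indent-based)."""
    sections, section, rule = {}, None, None
    for raw in filter(str.strip, config.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():             # top-level section, e.g. security-policy
            section, rule = line, None
            sections.setdefault(section, [])
        elif line.startswith("rule name "):
            rule = {"name": line[len("rule name "):].strip('"'), "lines": []}
            sections.setdefault(section, []).append(rule)
        elif rule is not None:
            rule["lines"].append(line)
    return sections

def user_rules_without_auth_policy(config):
    """Names of security-policy rules that match on 'user' while no auth-policy
    rule with 'action exempt-auth' exists (the misconfiguration described above)."""
    sections = parse_rules(config)
    exempt = any(l == "action exempt-auth"
                 for r in sections.get("auth-policy", []) for l in r["lines"])
    return [] if exempt else [r["name"] for r in sections.get("security-policy", [])
                              if any(l.startswith("user ") for l in r["lines"])]

def strip_section(config, name):
    """Demo helper: remove one top-level section together with its indented lines."""
    out, skipping = [], False
    for raw in config.splitlines():
        if not raw[:1].isspace():
            skipping = raw.strip() == name
        if not skipping:
            out.append(raw)
    return "\n".join(out) + "\n"
```

With the auth-policy block present the check returns an empty list; run it on strip_section(SAMPLE_CONFIG, "auth-policy") and it reports the user-matching rule.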

Good luck building.

Details and screenshots: Can’t connect to SSL VPN via mobile browser.

Case study: Source user is not displayed when establishing an SSL VPN tunnel (USG6655E).
