To Next Page

To Previous Page

759

Usage guidelines

You can specify both an advanced ACL and a URI ACL for TCP access filtering.

For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to

forward a TCP access request:

1. Matches the request against the authorized port forwarding list.

 If the request matches a port forwarding entry in the list, the gateway forwards the request.

 If the request does not match any port forwarding entries in the list, the gateway proceeds to

step 2.

2. Matches the request against the rules in the URI ACL:

 If the request matches a permit rule, the gateway forwards the request.

 If the request matches a deny rule, the gateway drops the request.

 If the request does not match any rules in the URI ACL or if no URI ACL is available, the

gateway proceeds to step 3.

3. Matches the request against the rules in the advanced ACL:

 If the request matches a permit rule, the gateway forwards the request.

 If the request matches a deny rule, the gateway drops the request.

 If the request does not match any rules in the advanced ACL or if no advanced ACL is

available, the gateway drops the request.

For PC users, the ACLs configured for TCP access filtering do not take effect. They can access only

the TCP resources authorized to them through the TCP port forwarding list.

You can specify an IPv4 ACL, IPv6 ACL, or both by using this command, but you cannot specify

multiple IPv4 ACLs or IPv6 ACLs. If you specify IPv4 or IPv6 ACLs multiple times, the most recent

IPv4 or IPv6 ACL configuration takes effect.

Examples

# Configure policy group pg1 to use IPv4 ACL 3000 and IPv6 ACL 3500 for TCP access filtering.

<Sysname> system-view

[Sysname]sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group pg1] filter tcp-access acl 3000

[Sysname-sslvpn-context-ctx1-policy-group pg1] filter tcp-access ipv6 acl 3500

Related commands

filter tcp-access uri-acl

Use filter tcp-access uri-acl to specify a URI ACL for TCP access filtering.

Use undo filter tcp-access uri-acl to remove the URI ACL configuration for TCP access filtering.

Syntax

filter tcp-access uri-acl uri-acl-name

undo filter tcp-access uri-acl

Default

A user can access only the TCP resources in the TCP port forwarding list authorized to the user.

Views

SSL VPN policy group view

Other manuals for H3C MSR Series

Manual33 pages

Probe Command Reference28 pages

Configuration Guide80 pages

Troubleshooting Guide28 pages

User Guide26 pages

Questions and Answers:

Need help?

Do you have a question about the H3C MSR Series and is the answer not in the manual?

H3C MSR Series Specifications

General

Category	Network Router
IPv6 Support	Yes
Dimensions	Varies by model
Weight	Varies by model
Product Type	Modular Router
Ports	Varies by model
WAN Interfaces	Varies by model
Firewall	Yes
QoS	Yes
Wireless Support	Varies by model
USB Ports	Varies by model
Console Port	Yes
Power Supply	Varies by model
Redundancy	Varies by model
Operating Temperature	0°C to 45°C
Storage Temperature	-40°C to 70°C
Humidity	5% to 95% non-condensing
Series	MSR
Certifications	CE, FCC, RoHS