
Hillstone Networks Inc.

Hillstone SSLVPN Two-Factor + USB-Key Authentication

2016-04-26

Author:   Ziliang Zhang    2016.4.26
Auditor:  Xinyu Ding       2016.4.28

Contents
1 Requirement Analysis
2 Solution
2.1 Authentication Based on Username/Password
2.2 Authentication Based on Username/Password + USB-Key
2.3 Authentication Based on Username/Password + Software Certificate
3 Achievement

1 Requirement Analysis

Two-factor authentication combines a password with a second factor that the user possesses or is (a credit card, a cell phone that receives SMS codes, a hardware token, a fingerprint, and so on), so that both conditions must be met before the user is authenticated.

Hillstone NGFW provides four methods for authenticating an SSL VPN connection. The first is the basic method, username and password. The second combines username, password and a USB-Key. The third combines username, password and a software certificate. The last combines username, password and an SMS text message.

This document introduces two of these methods: authentication based on a USB-Key and authentication based on a software certificate. Each USB-Key is protected by a hardware PIN; the PIN (something the user knows) and the token that holds the private key (something the user has) are the two necessary factors, which is why logging in with a USB-Key counts as two-factor authentication.

2 Solution

The Hillstone firewall is deployed in route mode on the network egress interface. The device model is SG-6000-T5060 and the firmware version is SG6000-T-5.5R2.bin.

2.1 Authentication Based on Username/Password

(1) Configure basic SSLVPN (username/password, without USB-Key authentication).
Configure SSLVPN according to the normal procedure first and confirm that it works. If access fails after certificate authentication is added later, a mistake in this basic configuration can then be ruled out as the cause.

(2) Access from the client: log in with username/password, then download and install the SSLVPN client software.
First, browse to https://x.x.x.x:4433 (x.x.x.x is the firewall IP address of the internet egress interface) and enter the username and password to reach the client download page.

Second, download the SSLVPN client.

Third, log in with the username and password to verify that the username/password configuration is correct.

These steps verify that SSLVPN works and that the client is installed successfully.

2.2 Authentication Based on Username/Password + USB-Key

Now test authentication based on the USB-Key certificate. The certificates must be generated ahead of time by a Certificate Authority server: export the client certificate and the CA root certificate, which are used by the USB-Key and by the firewall respectively.
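As an added example, not part of this Hillstone document or product, the following POSIX shell script uses OpenSSL to produce the two artifacts that this chapter and chapter 2.3 both depend on: the CA root certificate that goes into the firewall trust domain, and a PKCS#12 bundle (client certificate plus private key, locked with the personal certificate protection password) that goes into the USB-Key Manager or the Windows certificate store. It also reproduces the two checks the rest of the procedure relies on: that the client certificate chains to the CA root (what the firewall does with the trust domain) and that the protection password opens the bundle (what the import tool does). The working directory, subject names, user name and password are assumptions for illustration; a real deployment would issue the client certificate from the organisation's CA, not from a self-signed key created on a laptop.

```shell
#!/bin/sh
# Added example, not Hillstone's code: build a throwaway test CA with OpenSSL,
# issue a client certificate for one VPN user and export the two files the
# procedure needs:
#   $WORKDIR/ca.crt      CA root certificate -> firewall PKI trust domain
#   $WORKDIR/client.p12  client certificate + private key, PKCS#12, protected
#                        by the "personal certificate protection password"
#                        -> USB-Key Manager (2.2) or Windows certificate store (2.3)
# Directory, subject names, user name and password are assumptions for
# illustration only.
set -eu

WORKDIR="${WORKDIR:-./sslvpn-pki}"
CLIENT_USER="${CLIENT_USER:-vpnuser01}"
EXPORT_PASS="${EXPORT_PASS:-ChangeMe-ExportPass}"

make_pki() {
    mkdir -p "$WORKDIR"
    # 1. Self-signed CA root: the one certificate the firewall will trust.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=CN/O=Example Corp/CN=Example SSLVPN Root CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
    # 2. Key pair and CSR for the VPN user; the CN carries the login name.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CN/O=Example Corp/CN=$CLIENT_USER" \
        -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null
    # 3. Sign the CSR with the CA and restrict the certificate to client auth,
    #    so it cannot be reused as a server or CA certificate.
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$WORKDIR/client.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORKDIR/client.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/client.ext" -out "$WORKDIR/client.crt" 2>/dev/null
    # 4. PKCS#12 bundle for the token / Windows import. Only the client key and
    #    certificate (plus the CA cert for chain building) go in; ca.key never
    #    leaves the CA host.
    openssl pkcs12 -export -name "$CLIENT_USER" \
        -inkey "$WORKDIR/client.key" -in "$WORKDIR/client.crt" \
        -certfile "$WORKDIR/ca.crt" -passout "pass:$EXPORT_PASS" \
        -out "$WORKDIR/client.p12"
}

# The check the firewall's trust domain performs at login: does the presented
# client certificate chain to the imported CA root, and is it a client cert?
verify_client_cert() {
    openssl verify -CAfile "$WORKDIR/ca.crt" -purpose sslclient \
        "$WORKDIR/client.crt" >/dev/null 2>&1
}

# The check the USB-Key Manager / Windows import performs: does the supplied
# protection password open the PKCS#12 file? Returns non-zero on a wrong password.
p12_password_ok() {
    openssl pkcs12 -in "$WORKDIR/client.p12" -passin "pass:$1" \
        -nokeys -noout 2>/dev/null
}

if [ "${1:-}" = "run" ]; then
    make_pki
    verify_client_cert && echo "client.crt chains to ca.crt"
    p12_password_ok "$EXPORT_PASS" && echo "client.p12 opens with EXPORT_PASS"
    echo "Import $WORKDIR/ca.crt into the firewall trust domain and" \
         "$WORKDIR/client.p12 into the USB-Key (2.2) or Windows (2.3)."
fi
```

Run it as `sh make-sslvpn-pki.sh run` (the file name is an assumption). OpenSSL 3 writes the PKCS#12 file with AES and PBKDF2 by default; if an older token management tool refuses to import it, re-export with `openssl pkcs12 -export -legacy ...` to get the older RC2/3DES encoding such importers expect. Keep `ca.key` off the client machines: only `ca.crt` is needed by the firewall, and anyone holding the CA key can mint certificates the firewall will accept.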
1) Follow the steps above to finish the basic SSLVPN configuration and log in successfully, and only then enable the certificate authentication method; otherwise it is hard to isolate the root cause when errors occur.
2) In the firewall WebUI, open the System page and, under PKI trust domain, create a new trust domain and import the CA root certificate.
Note: what is imported here is the CA root certificate, not the client certificate. Its purpose is to let the firewall verify that the certificate presented by the USB-Key was issued by the trusted CA.

3) Edit the SSLVPN configuration again and select authentication based on certificate.

4) Install the USB-Key driver on the SSLVPN client PC.
Insert the Hillstone UKey into the PC and install the driver, then open the USB-Key Manager token management tool from the Windows program list and log in with the default PIN, 1234. Change this default PIN before the token is handed to a user: a token left at the factory PIN no longer provides the "something you know" factor.

13 / 24
Import into the USB-Key the certificate issued by the CA server. The personal certificate protection password is set when the certificate is exported from the Certificate Authority; if the certificate was exported from a Windows CA server, that password must be entered here when importing the personal certificate.

5) Log in with the SSLVPN client and change the mode to authentication based on username/password + Digital Certificate.

Use the default certificate and the USB-Key.

2.3 Authentication Based on Username/Password + Software Certificate

This chapter uses the same certificate authentication method but without the USB-Key hardware: the certificate is imported into the Windows system instead, which is called the software certificate method. Because the private key then lives in the Windows certificate store rather than in a PIN-protected token, the second factor is only as strong as the protection of that PC.

(1) Take chapter 2.1 as the reference for the basic SSLVPN configuration.

(2) Take steps 1, 2 and 3 of chapter 2.2 as the reference: create the trust domain on the device, import the CA root certificate, and enable the certificate authentication method in the SSLVPN configuration.

(3) Locate the client certificate and double-click it to install it; alternatively, install the certificate from the IE or Chrome browser.

The personal certificate protection password is set when the certificate is exported from the Certificate Authority; if the certificate was exported from a Windows CA server, that password must be entered when importing the personal certificate.

The certificate is installed successfully.

(4) Log in with the SSLVPN client and change the mode to the username/password + Digital Certificate authentication method.

3 Achievement

Attachment: Certificate.rar
