Array Networks
CLI Handbook
Copyright Statement
Copyright©2000-2018 Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, California 95035,
USA. All rights reserved.
This document is protected by copyright and distributed under licenses restricting its use, copying,
distribution, and compilation. No part of this document can be reproduced in any form by any
means without prior written authorization of Array Networks. Documentation is provided “as is”
without warranty of any kind, either express or implied, including any kind of implied or express
warranty of non-infringement or the implied warranties of merchantability or fitness for a
particular purpose.
Array Networks reserves the right to change any products described herein at any time, and
without notice. Array Networks assumes no responsibility or liability arising from the use of
products described herein, except as expressly agreed to in writing by Array Networks. The use
and purchase of this product does not convey a license to any patent copyright, or trademark rights,
or any other intellectual property rights of Array Networks.
Warning: Modifications made to the Array Networks unit, unless expressly approved by
Array Networks, could void the user’s authority to operate the equipment.
Declaration of Conformity
We, Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, CA 95035, 1-866-692-7729; declare
under our sole responsibility that the product(s) Array Networks, Array Appliance complies with
Part 15 of FCC Rules. Operation is subject to the following two conditions: (1) this device can not
cause harmful interference, and (2) this device must accept any interference received, including
interference that can cause undesired operation.
Warning: This is a Class A digital device, pursuant to Part 15 of the FCC rules. These
limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. This equipment generates, uses, and
can radiate radio frequency energy, and if not installed and used in accordance with the
instruction manual, can cause harmful interference to radio communications. In a
residential area, operation of this equipment is likely to cause harmful interference in
which case the user can be required to take adequate measures. In a domestic environment
this product can cause radio interference in which case the user can be required to take
adequate measures.
Engineered for the modern data center, Array Networks application, desktop and cloud service
delivery solutions support the scalability, price-performance, software agility and leading-edge
feature innovation essential for successfully transforming today's challenges in mobile and cloud
computing into opportunities for mobilizing and accelerating business.
Website:
https://www.arraynetworks.com/
Telephone:
Phone: (408)240-8700
Fax: (408)240-8754
Telephone access to Array Networks is available Monday through Friday, 9 A.M. to 5 P.M. PST.
Email:
info@arraynetworks.com
Address:
Revision History
Date Description
July 4, 2016 9.4.0.49 GA release.
October 18, 2016 Updated for ArrayOS AG 9.4.0.66 patch release.
January 3, 2017 Updated for ArrayOS AG 9.4.0.94 patch release.
February 27, 2017 Updated for ArrayOS AG 9.4.0.107 patch release.
April 24, 2017 Updated for ArrayOS AG 9.4.0.135 patch release.
August 21, 2017 Updated for ArrayOS AG 9.4.0.163 patch release.
October 30, 2017 Updated for ArrayOS AG 9.4.0.170 patch release.
January 2, 2018 Updated for ArrayOS AG 9.4.0.188 patch release.
March 30, 2018 Updated for ArrayOS AG 9.4.0.201 patch release.
Table of Contents
Copyright Statement  I
Basic Commands  6
SSL  33
  SM2  52
Server  59
  LocalDB  60
  LDAP  83
  RADIUS  96
  SMS  113
  HTTP  122
  WRM  191
Administrators  356
MDM  479
The AG appliance software has been designed with specific enhancements to make interaction
with the Appliance more user friendly, such as Shorthand. Shorthand is the intuitive method by
which the Appliance completes CLI commands based on the first letters entered. Other user
shortcuts are listed below:
The AG appliance CLI commands will generally adhere to the following style conventions:
Style      Convention
Bold       The body of a CLI command is in Boldface.
Italic     CLI parameters are in Italic.
<>         Parameters in angle brackets < > are mandatory.
[]         Parameters in square brackets [ ] are optional.
           Subcommand such as “no”, “show” and “clear” commands.
{x|y|…}    Alternative items are grouped in braces and separated by vertical bars. At least one should be selected.
[x|y|…]    Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
Note:
Please do not use “],” in the parameter value because the combination of these two
characters is reserved as the system’s separator.
For example:
The AG appliance provides the recovery mechanism for the “array” account to allow
administrators to:
Recover the password of the “array” account if changing the password of the “array”
administrator account and forgetting the new password.
To recover the password of the “array” account or the entire “array” account, please perform the
following steps:
3. Copy the challenge string generated by the AG appliance and paste it into an email sent to
Array Networks Customer Support to request the response string. The challenge string is the
text after “challenge:”, for example “challenge:waker Parma baker galah woke”.
4. Paste the entire response string returned by Array Networks Customer Support after the
“response:” prompt and press “Enter”. The response string begins with “--begin--” and ends
with “--end--”.
After the preceding steps are performed, if the “array” account exists, the system will reset the
password of the “array” account to “admin” and the access privilege to “Config”; if the “array”
account does not exist, the system will create the “array” account with password “admin” and the
access privilege “Config”.
The first level of administration is the User level. At this level, the administrator is only authorized
to operate some very basic troubleshooting commands and non-critical functions such as ping and
traceroute. Here is how the User level prompt appears in the CLI.
AN>
The second level of administration is the Enable level. At this level, administrators have (in
addition to User level permissions) access to a majority of view-only commands such as “show
version”. In order to gain access to this level of appliance management, the user must run the
“enable” command and supply a special “enable” password. If the correct password is entered, the
CLI prompt will change from “AN>” to “AN#”, which means the administrator has been granted
access to the Enable level. The default password for the Enable level is null (i.e., leave the
password blank/empty).
AN>enable
Enable password:
AN#
The third level of administration is the Config level. At this level, the administrator can make
changes to the configuration of the AG appliance (in addition to all User and Enable level
permissions). No two administrators can access the Config level at the same time (whether they
are in global or virtual site shell). To gain full configuration access of the AG appliance, the
administrator must use the following command:
AN#config terminal
Once this command is entered, the CLI prompt will change to:
AN(config)#
In the event that another administrator is already in the Config level, the following command can
be run to kick that administrator out of Config level:
At any level, the administrator can type “?” to view the currently available commands. For
example, entering “AN(config)#system ?” will display all the commands starting with “system” in
the Config level.
AN(config)#system ? [enter]
command Set command execution timeout when loading configurations
component Component update commands
console Console operation
date Set system date
dump Determine whether system should do sysdump when panic
fallback Set fallback software version to boot if available
flexlicense Disable/enable Array Appliance pre-paid Flex License
interactive Set system interactive mode to control command output messages
license Setting Appliance License Key
mail System mail configuration
reboot Reboot the system
shutdown Shut down system
…
The first level of administration is the User level. At this level, administrators are only authorized
to operate some very basic commands. Here is how the User mode prompt appears in the CLI.
vs1%
The second level of administration is the Enable level. At this level, administrators have access to
a majority of view only commands such as “show user”. The cursor will display the
pre-configured name of the virtual site followed by “$” as such.
vs1$
The third level of administration is the Config level. At this level, administrators can make
changes to the configuration of the virtual site. No two administrators can access the Config level
at the same time (whether they are in global or virtual site shell). To gain full configuration access
for a specific virtual site of the AG appliance, the administrator must run the following command:
vs1$config terminal
Once this command is entered, the CLI prompt will change to:
vs1(config)$
Note: The global administrators have the ability to access to all virtual sites and global
configuration features and functionality.
For example, the administrator can switch from global scope to vs1 scope (e.g., a virtual site
named “vs1”) by running the following command:
AN#switch vs1
Once this command is entered, the CLI prompt will change to:
vs1$
To switch back to the global scope, the administrator can run the following command:
vs1$switch global
Once this command is entered, the CLI prompt will change to:
AN#
By default, when switching between the global scope and virtual site scope the administrator
privilege level (e.g., Enable level or Config level) will stay the same. However, if the
“enable|config” parameter is specified during the switch, the administrator’s privilege level will be
explicitly set accordingly.
Once this command is entered, the CLI prompt will change to:
vs1(config)$
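The prompt conventions described above (AN>, AN# and AN(config)# for the global scope; vs1%, vs1$ and vs1(config)$ for a virtual site) can be turned into a small audit aid for captured CLI sessions. The Python below is an added example, not part of the handbook or of ArrayOS: it classifies each transcript line by scope and privilege level and reports every point where an administrator reached the Config level, and by which command. The transcript is constructed, and host and virtual site names are assumed to be single tokens without spaces.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Prompt forms shown in the handbook ("AN" is the default host name, "vs1"
# an example virtual site):
#   AN>            global scope, User level
#   AN#            global scope, Enable level
#   AN(config)#    global scope, Config level
#   vs1%           virtual site scope, User level
#   vs1$           virtual site scope, Enable level
#   vs1(config)$   virtual site scope, Config level
# Assumption: the host or virtual site name is a single token (no spaces).
PROMPT_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_-]+)(?P<cfg>\(config\))?(?P<sym>[>#%$])(?P<cmd>.*)$"
)


@dataclass(frozen=True)
class PromptState:
    scope: str     # "global" or the virtual site name
    level: str     # "User", "Enable" or "Config"
    command: str   # text typed after the prompt; empty for a bare prompt


def parse_prompt(line: str) -> Optional[PromptState]:
    """Classify one transcript line; return None for command output lines."""
    m = PROMPT_RE.match(line.strip())
    if m is None:
        return None
    sym = m.group("sym")
    if m.group("cfg"):
        level = "Config"
    elif sym in ">%":
        level = "User"
    else:                       # "#" or "$"
        level = "Enable"
    # ">" and "#" belong to the global shell, "%" and "$" to a virtual site.
    scope = "global" if sym in ">#" else m.group("name")
    return PromptState(scope, level, m.group("cmd").strip())


def config_level_entries(transcript: str) -> List[Dict[str, object]]:
    """Report each point where an administrator reached the Config level.

    The handbook shows the prompt changing only on the line after
    "config terminal" or "switch <vs> config" is entered, so each entry is
    attributed to the previous command line.
    """
    entries: List[Dict[str, object]] = []
    prev: Optional[PromptState] = None
    for n, line in enumerate(transcript.splitlines(), 1):
        state = parse_prompt(line)
        if state is None:
            continue
        entered = state.level == "Config" and (
            prev is None or prev.level != "Config" or prev.scope != state.scope
        )
        if entered:
            entries.append({"line": n, "scope": state.scope,
                            "via": prev.command if prev else ""})
        prev = state
    return entries


# Constructed sample session following the handbook's own prompt examples.
SAMPLE_TRANSCRIPT = """\
AN>enable
Enable password:
AN#config terminal
AN(config)#system ? [enter]
command Set command execution timeout when loading configurations
AN(config)#exit
AN#switch vs1 config
vs1(config)$show info
vs1(config)$exit
vs1$switch global
AN#
"""

if __name__ == "__main__":
    for e in config_level_entries(SAMPLE_TRANSCRIPT):
        print(f"line {e['line']}: Config level in scope {e['scope']} via '{e['via']}'")
```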
Basic Commands
help
This command is used to display all available commands based on level and function. This
command can be executed at any level while configuring the AG appliance.
enable [recovery]
This command is used to access the Enable level of the AG appliance. When running this
command, the system will prompt the administrator to supply the Enable level password. The
default password is null (empty).
If the administrator forgets the Enable password, he can reset the password to the default null
(empty) value as follows:
4. The response code will be returned via email by the Customer Support personnel.
5. Copy and paste the response code into the CLI, and press “Enter”. The Enable level password
will then be reset to empty.
password Optional. This parameter specifies the new “Enable” password. Its
value must be a string of 1 to 8 characters. The default password is
empty.
configure terminal
This command is used for switching to the “Config” access mode.
disable
This command is used to return to the User mode from the current privileged mode.
exit
This command is used to return to the next lower-level mode from the current privileged mode. If
the current mode is the User mode, this command will kick the administrator out of the CLI shell
system.
quit
This command is used to leave the CLI shell system from any level.
When the yellow LED on the appliance is activated, the administrator can execute this command
to check whether one of the following errors is causing the problem:
4. One of the dual power supplies failed (If redundant power supply applies to the appliance).
Note: If the error is recovered, the warning message will be cleared. But it still can be
traced in system logs.
Compared with the “show memory” output, the “TIME_WAIT” value is the same as “USED”
TCP small pcb. All the rest, from “LISTEN” value to “FIN_WAIT” value, add up to “USED”
TCP pcb.
hostname <host_name>
This command is used to set or change the given host name for an AG appliance.
host_name This parameter defines the host name of the AG appliance. The host
name can be entered as a single set of continuous alphanumeric
characters or a set of alphanumeric characters housed within double
quotation marks. Currently, the maximum length for the host name
is 64 characters.
show hostname
This command is used to display the given host name for an AG appliance.
no hostname
This command is used to clear an AG appliance’s host name. After the host name is cleared, the
default name “AN” will be used as the host name.
%% A literal percent.
host_name This parameter specifies the assigned name of the relay host.
host_name This parameter specifies the assigned name of the relay host.
The AG appliance will send emails using “relay.com” with the host name of
“arraynetworks.com.cn”. Please note that the “relay.com” server must be reachable by the AG
appliance.
system interactive on
This command is used to enable CLI command interactive mode. When this command is executed,
more command result messages will be displayed.
timeout This parameter specifies the timeout value in seconds. Its value
should be 0 or an integer ranging from 30 to 65,535. The default
value is 0.
virtual_site This parameter specifies the name of the virtual site that the
administrator wants to switch to. To switch to the global scope, set
this parameter to “global”.
enable|config This parameter specifies the desired access level when switching to
the target virtual site scope. If this parameter is not specified, then
the current access level will be assumed.
who [virtual_site]
This command is used to display the active administrators in the target virtual site. If the
“virtual_site” parameter is not specified, all active administrators will be displayed.
whoami
This command is used to display the current administrator's information.
configure terminal
This command is used to gain access to the Config level to configure the AG appliance.
system serialnumber
This command is used to generate vxAG’s serial number. Please provide the vxAG serial number
to the support team to obtain the system license.
Note:
When the vxAG is installed on your virtual environment and started up for the first
time, the system will automatically generate a serial number for the vxAG.
Under certain circumstances, the serial number on the vxAG may be invalid, for
example the serial number on the cloned vxAG. In this case, run this command to
manually generate a valid serial number.
registration_status
This parameter sets the registration status of the AG appliance as
“incomplete”, “complete” or “never”. “incomplete” indicates that
you will register later, “complete” indicates that you will register
now and “never” indicates to never register.
registration status
This command is used to display the registration status of the AG appliance, which is
“incomplete”, “complete” or “never”.
system_ifname|vlan_ifname|bond_ifname|mnet_ifname This parameter specifies the name of the existing interface. Its value
must be:
ip_address This parameter specifies the IP address of the interface. Its value
must be an IPv4 or IPv6 address.
Example:
version Optional. This parameter specifies the version of the IP protocol. Its
value must be:
show ip address
This command is used to display the IP-related configurations of all interfaces.
clear ip address
This command is used to clear all the IP-related configurations of all interfaces.
mac_address This parameter specifies the MAC address. The MAC address
should follow the format “XX:XX:XX:XX:XX:XX”.
no ip arp <ip_address>
This command is used to delete an ARP entry.
clear ip arp
This command is used to clear all ARP entries.
show ip dhcp
This command is used to display the DHCP status of all system interfaces.
show ip route
This command is used to display the static routing table.
clear ip route
This command is used to remove both default route and static routes.
clear droute
This command is used to clear all the Direct Route statistics.
This command is used to display the gathered information for the specific IP address. If no IP
address is assigned, this command displays all relevant statistics for all configured IP addresses.
interface_name This parameter specifies a unique name for the physical interface.
This name should be an alphanumeric string of up to 32 characters.
The default interface names are “port1”, “port2”, “port3”,
“port4”,…“port8”.
speed_option This parameter can be 10half (10 Mbps Ethernet half duplex
communications), 100half (100 Mbps Ethernet half duplex
communications), 100full (100 Mbps full duplex communications),
1,000full (1,000 Mbps Ethernet full duplex communications) or
auto.
Note: The AG appliance sets the interface speeds to auto by default. If any interface is
setup to be connected to a device, such as a router or switch with a specific speed and
duplex mode, users will need to set the AG appliance to match those requirements. Run
the “show interface” command to view the current speed settings.
Note: If the IP statistics function is off, the number of the WebWall permit or drop
packages will be 0 in the output of “show interface” command. The IP statistics function
is disabled by default. But, you can enable it via the “ip statistics on” command.
protocol This parameter specifies the protocol. It can be set to “tcp”, “udp”
or “any”.
ip statistic {on|off}
This command is used to enable/disable the IP statistics.
show ip statistic
This command is used to display IP statistics.
ip ipflow {on|off}
This command is used to enable/ disable the IP flow.
time This parameter defines the expiration time. It can be set between 1
to 86,400 seconds. The default value is 60 seconds.
priority This parameter defines the IP flow priority. It can be set between 0
to 1999 seconds. The default value is 1,000.
clear ip ipflow
This command is used to reset the IP flow settings to their default.
show ip ipflow
This command is used to display the IP flow settings.
interface_name This parameter specifies the name of an existing interface. Its value
must be a system or bond interface.
vlan_interface_name This parameter specifies a name for the VLAN interface. Its value
no vlan <vlan_interface_name>
This command is used to delete the specified VLAN interface.
show vlan
This command is used to display the configuration for all VLAN interfaces.
clear vlan
This command is used to remove the configurations for all VLAN interfaces.
local_port This parameter specifies the connections’ local port. This parameter
is optional, and the default value is “0”.
ip_address Optional. This parameter specifies the local or remote IP address for
which the related connections will be shown. It can be IPv4 or IPv6
address.
system_ifname|bond_ifname This parameter specifies the name of the existing interface. Its value
must be:
mnet_interface_name This parameter specifies the name of the MNET interface. Its value
must be a string of 1 to 32 characters.
no mnet <mnet_ifname>
This command is used to delete a specified MNET interface.
show mnet
This command is used to display the configurations of all MNET interfaces.
clear mnet
This command is used to clear the configurations of all MNET interfaces.
DNS Settings
ip dns cache {on|off}
This global command is used to enable/disable the DNS cache. The default value is off.
seconds.
ip_address This parameter specifies the IPv4 address of the IPv4 DNS name
server.
ip_address This parameter specifies the IPv6 address of the IPv6 DNS name
server.
This global command is used to enable or disable the DNS server redundancy function for every
virtual site. When this function is enabled and the “dns useglobal off” command instructs a
virtual site to resolve DNS queries with its custom DNS settings, the system tries the virtual
site’s DNS servers in priority order: first the DNS server with the highest priority; if that server
fails to resolve the query, the DNS server with the second highest priority; and if that server also
fails, the DNS server with the lowest priority. The earlier a DNS server is configured for the
virtual site, the higher its priority. By default, this function is disabled and only the virtual site’s
DNS server with the highest priority is used to resolve DNS queries.
path This parameter specifies the domain to add to the resolver search
path.
path This parameter specifies the domain to remove from the resolver
search path.
second This parameter specifies the DNS request time out in seconds.
millisecond This parameter specifies the DNS request time out in milliseconds.
ip_address This parameter specifies the IPv4 address of the IPv4 DNS name
server.
This command is used to delete the specified IPv4 DNS name server.
ip_address This parameter specifies the IPv6 address of the IPv6 DNS name
server.
path This parameter specifies the domain to add to resolver search path.
path This parameter specifies the domain to add to resolver search path.
dns useglobal on
This command is used to instruct the AG appliance to use the global DNS settings for a virtual
site.
This command allows users to change the default policy from NewReno to Adaptive for starting
TCP fast retransmission. It is recommended that the default settings not be changed without
contacting Array Support.
value, NAT entries for the VPN Netpool NAT function will be cleared. If this command is not
configured, the default maximum timeout for the VPN Netpool NAT function is 300 seconds.
timeout This parameter specifies the maximum timeout in seconds. Its value
must be an integer ranging from 1 to 100,000.
AN(config)#system date 11 10 20
show date
This command is used to view the current system date and time of the AG appliance.
AN(config)#system time 23 33 51
Note: At any time during the time zone setup, users can enter “0” to return to the
previous option (e.g., entering “0” on the country list page will return users to the
continent page).
ntp {on|off}
This command is used to enable/disable synchronizing the AG appliance clock with the NTP
server. The NTP server settings and NTP time setting received by the AG appliance will preempt
the CLI date and time settings. The “ntp server” command must be configured before the NTP
feature can be enabled.
ip This parameter specifies the IP address of the NTP server. Its value
must be an IPv4 or IPv6 address.
version Optional. This parameter specifies the NTP version. Its value must
be 1, 2, 3 or 4. The default value is 4.
show ntp
This command is used to display the current NTP configuration. This command will also display
the time dispersion and association of the current server.
clear ntp
This command is used to clear the NTP configuration.
Virtual Site
virtual site name <virtual_site> [description] [type] [parent_site]
This global command is used to create a virtual site.
virtual_site This parameter specifies the name of the virtual site. Its value
must be a string of 1 to 63 characters. Only 0-9, a-z, A-Z and
characters “_” and “-” are supported.
If the virtual site is used for the MotionPro feature, the parameter
value should only be “motionPro_dedicated”.
type Optional. This parameter specifies the type of the virtual site. Its
value must be “exclusive”, “shared”, or “alias”. The default
value is “exclusive”.
parent_site Optional. This parameter specifies the name of the parent virtual
site.
virtual_site Optional. This parameter specifies the name of the virtual site. If
this parameter is not specified, the configurations of all virtual sites
will be displayed.
show info
This command is used to display the name, IP and domain configurations of the virtual site.
SSL
ssl csr [key_length] [signature_algorithm]
This command is used to generate a CSR (Certificate Signing Request) and an SSL key pair for
the current virtual site. After this command is executed, the administrator will be led through a
series of prompts so that the system can gather the required information to generate the CSR. The
administrator can choose to set the private key as exportable and set the passphrase for the private
key to protect it.
In addition, this command also generates a “test” certificate for the virtual site. If the administrator
has not uploaded the intermediate CA certificates and root CA certificate of this “test” certificate
using the “ssl import interca” command, a warning message indicating an incomplete certificate
chain will be displayed.
key_length Optional. This parameter specifies the length of the generated SSL
key pair in bits. Its value must be 1024, 2048 or 4096. The default
value is 2048.
vs(config)$ssl csr
Type 'YES' to generate a new key and overwrite the existing key file.
Type 'NO' will just generate CSR file[YES/(NO)]:YES
Generating key for "vs"...please wait
We will now gather some required information about your ssl virtual site,
This information is encoded into your certificate
Two character country code for your organization (eg. US):
State or province:
Location or local city:
Organization Name:
Organizational Unit:
Do you want to use the domain name "vs" as the Common Name (recommended)?(Y/N):
Email address of administrator:
Do you want the private key to be exportable [Yes/(No)]:
Enter passphrase for the private key:
Confirm passphrase for the private key:
Once the above information has been provided, the AG appliance will display a data message that
should be copied into an email and sent to the CA (Certificate Authority) for certificate signing. The
lengths of these subject fields in the CSR should conform to the following limits:
Note:
Entered characters for the subject fields “Country Code”, “State or Province”,
“Location or Local City”, “Organization Name”, “Organizational Unit”, and
“Common Name” (available when “Site FQDN as Common Name” is set to “No”)
only support a-z, A-Z, numbers, space and characters “'”, “(”, “)”, “+”, “-”, “=”, “,”,
“.”, “:”, “/” and “?”.
The subject field “Email Address for Administrator” cannot contain any of the
characters “!”, “#”, “$”, “%”, “^”, “*”, “(”, “)”, “~”, “?”, “>”, “<”, “&”, “/”, “\”, “,”,
“"” and “'”.
The test certificate generated by the “ssl csr” command is only used for testing
purposes, not for production systems.
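The character rules in the Note above, together with the key_length and signature algorithm values the “ssl csr” command accepts, can be checked before the interactive session is started, so that a rejected prompt answer does not leave a half-finished key generation behind. The Python below is an added example, not part of the handbook or of ArrayOS: the dictionary keys, the function name and the sample values are my own choices, and the two warnings (1024-bit keys and SHA-1) go beyond the handbook's stated rules.

```python
import re
from typing import Dict, List

# Subject-field rules transcribed from the "ssl csr" Note. The tuple holds the
# prompt labels the handbook uses; using them as dictionary keys is this
# example's own convention.
SUBJECT_FIELDS = (
    "Country Code", "State or Province", "Location or Local City",
    "Organization Name", "Organizational Unit", "Common Name",
)
# Allowed: a-z, A-Z, digits, space and the characters ' ( ) + - = , . : / ?
SUBJECT_ALLOWED = re.compile(r"^[A-Za-z0-9 '()+\-=,.:/?]*$")
# Characters the administrator e-mail field must not contain.
EMAIL_FORBIDDEN = frozenset('!#$%^*()~?><&/\\,"\'')
KEY_LENGTHS = (1024, 2048, 4096)          # accepted key_length values
SIGNATURE_ALGS = ("sha256", "sha384", "sha512", "sha1")


def validate_csr_request(fields: Dict[str, str], key_length: int = 2048,
                         signature_algorithm: str = "sha256") -> Dict[str, List[str]]:
    """Check CSR inputs against the handbook's rules before the interactive session.

    Returns {"errors": [...], "warnings": [...]}. Errors are inputs the handbook
    says are not accepted; warnings are choices the handbook allows but that a
    public CA will reject or that are considered weak (an addition of this
    example, not a rule stated in the handbook).
    """
    errors: List[str] = []
    warnings: List[str] = []

    if key_length not in KEY_LENGTHS:
        errors.append(f"key_length {key_length} is not one of {KEY_LENGTHS}")
    elif key_length == 1024:
        warnings.append("1024-bit RSA keys are deprecated; use 2048 or 4096")

    if signature_algorithm not in SIGNATURE_ALGS:
        errors.append(f"signature algorithm {signature_algorithm!r} is not one of {SIGNATURE_ALGS}")
    elif signature_algorithm == "sha1":
        warnings.append("SHA-1 signed CSRs are no longer accepted by public CAs; use sha256 or stronger")

    for name in SUBJECT_FIELDS:
        value = fields.get(name, "")
        if not SUBJECT_ALLOWED.match(value):
            bad = sorted({c for c in value if not SUBJECT_ALLOWED.match(c)})
            errors.append(f"{name}: disallowed character(s) {bad}")

    # The prompt asks for a two-character country code (e.g. US).
    country = fields.get("Country Code", "")
    if len(country) != 2 or not country.isalpha():
        errors.append("Country Code: must be exactly two letters")

    email = fields.get("Email Address for Administrator", "")
    bad_email = sorted(EMAIL_FORBIDDEN.intersection(email))
    if bad_email:
        errors.append(f"Email Address for Administrator: forbidden character(s) {bad_email}")

    return {"errors": errors, "warnings": warnings}


# Constructed sample answers for the prompts shown above.
SAMPLE_FIELDS = {
    "Country Code": "US",
    "State or Province": "California",
    "Location or Local City": "Milpitas",
    "Organization Name": "Example, Inc.",
    "Organizational Unit": "IT",
    "Common Name": "vpn.example.test",
    "Email Address for Administrator": "admin@example.test",
}

if __name__ == "__main__":
    print(validate_csr_request(SAMPLE_FIELDS))
    print(validate_csr_request(dict(SAMPLE_FIELDS, **{"Organization Name": "Ex&mple"}),
                               key_length=1024, signature_algorithm="sha1"))
```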
In addition, this command also generates a “test” certificate for the virtual site. If the administrator
has not uploaded the intermediate CA certificates and root CA certificate of this “test” certificate
using the commands “ssl import interca” and “ssl import rootca”, a warning message indicating
an incomplete certificate chain will be displayed.
curve_name Optional. This parameter specifies the elliptic curve name. Its value
must be “prime256v1”, “secp384r1”, or “secp521r1”.
signature_algorithm_index Optional. This parameter specifies the index of the CSR signature
algorithm. Its value must be sha256, sha384, sha512 or sha1.
Note: If the elliptic curve field in the ClientHello message does not match the elliptic
curve in the ECC certificate activated for the virtual site, the SSL handshake will fail.
csr_type Optional. This parameter specifies the type of the CSR. Its value
must be:
csr_type Optional. This parameter specifies the type of the CSR. Its value
must be:
This command is used to import a private key for the current virtual site. The administrator can
import three private keys at most.
The administrator can execute this command and copy-n-paste the private key directly into the
CLI. The system also supports importing private keys from a remote TFTP server.
file_name Optional. This parameter specifies the file name of the key on the
remote TFTP server, which is required only when the private key is
imported via TFTP. Its value must be a string of 1 to 256 characters,
and defaults to “<host_name>.key”.
key_index Optional. This parameter specifies the index of the imported key to
be exported. Its value must be 1, 2 or 3. If this parameter is not
specified, the active key will be displayed.
key_type Optional. This parameter specifies the type of the private key to be
displayed. Its value must be:
all: indicates that both RSA and ECC private keys will be
displayed.
The administrator can execute this command and copy-n-paste the PEM format certificate directly
into the CLI. The system also supports importing PEM, DER and PFX formats as well as the
certificates used by IIS 4, IIS 5 and Netscape iPlanet servers from a remote TFTP server.
file_name Optional. This parameter specifies the file name of the certificate on
the remote TFTP server, which is required only when the certificate
is imported via TFTP. Its value must be a string of 1 to 256
characters, and defaults to “<host_name>.crt”.
cert_index Optional. This parameter specifies the index of the certificate. Its
value must be 1, 2 or 3. The default value is 1.
cert_type Optional. This parameter specifies the type of the certificate. Its
value must be:
Note:
For each type of certificate, only one certificate/key (with the same index) pair can
stay active in the system. The certificate/key pair generated by the command “ssl
csr” is active by default. The certificate/key pair generated by the command “ssl ecc
csr” is active by default. The certificate/key pair generated by the “ssl sm2 csr”
command is inactive by default.
If the elliptic curve field in the ClientHello message does not match the elliptic
curve in the ECC certificate activated for the virtual site, the SSL handshake will
fail.
For example:
Under the virtual site scope, this command is used to import a trusted CA certificate for the
current virtual site.
The administrator can execute this command and copy-n-paste the trusted CA certificate of PEM
format directly into the CLI. The system also supports importing trusted CA certificate of PEM
and DER formats from a remote TFTP server.
file_name Optional. This parameter specifies the file name of the trusted CA
certificate on the remote TFTP server, which is required only when
the trusted CA certificate is imported via TFTP. Its value must be a
Under the virtual site scope, this command is used to delete an imported trusted CA certificate
from the current virtual site.
certificate_number Optional. This parameter specifies the serial number of the trusted
CA certificate to be deleted. Administrators can find the serial
number of the certificate via the “show ssl rootca” command. If
this parameter is not specified, all the trusted CA certificates will be
deleted.
Under the virtual site scope, this command is used to display the trusted CA certificate imported
for the current virtual site.
The administrator can execute this command and copy-n-paste the intermediate CA certificate of
PEM format directly into the CLI. The system also supports importing intermediate CA certificate
of PEM and DER formats from a remote TFTP server.
file_name Optional. This parameter specifies the file name of the intermediate
CA certificate on the remote TFTP server, which is required only
when the intermediate CA certificate is imported via TFTP. Its
value must be a string of 1 to 256 characters, and defaults to
“<host_name>.crt”.
file_name This parameter specifies the file name. Its value must be a string of
1 to 256 characters, which is recommended to be enclosed by
double quotes. Only numbers, letters and underscore “_” are
supported.
To store the backup file locally, use a valid local file name.
password This parameter specifies the password that allows access to the
backup file. Its value must be a string of 1 to 128 characters, which
is recommended to be enclosed by double quotes. Only numbers,
letters and underscore “_” are supported.
password This parameter specifies the password that allows access to the
specified backup file.
version This parameter specifies the SSL protocol version. Its value must
be:
ALL: indicates that the above four SSL protocols are all
supported.
To use more than one protocol, use colon “:” to separate each
other.
For example:
cipher_string This parameter specifies the cipher suite. To use more than one
cipher suite, use colon “:” to separate each other.
DES-CBC3-SHA
RC4-SHA
RC4-MD5
EXP-RC4-MD5
AES128-SHA
AES256-SHA
AES128-SHA256
AES256-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECC-SM4-SM3
ECDHE-SM4-SM3
Note: Only experienced administrators should use this command. If you have any
questions regarding these settings, please call customer support BEFORE using this
command.
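The cipher_string value above is a colon-separated list, and the list the handbook accepts still contains export, RC4, 3DES and MD5 suites alongside the ECDHE suites. The following is an added example (not code from the handbook or the product) that splits such a value the way the CLI does and flags the suites a reviewer would want removed; the weakness classification is this example's own, and the SM-series suites are left unclassified.

```python
"""Audit an Array-style colon-separated cipher_string.

Added example, not code from the Array Networks handbook or product.
The suite names are the ones the handbook lists for cipher_string; the
weakness classification is this example's own, based on well-known
properties of the algorithms (export-grade keys, RC4, 3DES, MD5, and
RSA key exchange without forward secrecy).
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Cipher suites the handbook lists as accepted values for cipher_string.
KNOWN_SUITES = {
    "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5", "EXP-RC4-MD5",
    "AES128-SHA", "AES256-SHA", "AES128-SHA256", "AES256-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECC-SM4-SM3", "ECDHE-SM4-SM3",
}


@dataclass
class Finding:
    suite: str
    severity: str  # "high" or "medium"
    reason: str


@dataclass
class AuditResult:
    unknown: List[str] = field(default_factory=list)         # not in the handbook's list
    findings: List[Finding] = field(default_factory=list)    # weak suites, in configured order
    forward_secret: List[str] = field(default_factory=list)  # ECDHE suites without findings


def split_colon_list(value: str) -> List[str]:
    """Split a colon-separated CLI value, ignoring empty elements."""
    return [item.strip() for item in value.split(":") if item.strip()]


def classify(suite: str) -> Optional[Finding]:
    """Return a Finding for a suite with a known weakness, else None."""
    if suite.startswith("EXP-"):
        return Finding(suite, "high", "export-grade key size")
    if "RC4" in suite:
        return Finding(suite, "high", "RC4 stream cipher")
    if "DES-CBC3" in suite:
        return Finding(suite, "high", "3DES (64-bit block size)")
    if suite.endswith("-MD5"):
        return Finding(suite, "high", "MD5-based MAC")
    if "SM4" in suite:
        return None  # GM/T SM-series suites are not classified in this example
    if not suite.startswith("ECDHE-"):
        return Finding(suite, "medium", "RSA key exchange, no forward secrecy")
    return None


def audit_cipher_string(cipher_string: str) -> AuditResult:
    """Walk the configured list in order and sort each suite into a bucket."""
    result = AuditResult()
    for suite in split_colon_list(cipher_string):
        if suite not in KNOWN_SUITES:
            result.unknown.append(suite)
            continue
        finding = classify(suite)
        if finding is not None:
            result.findings.append(finding)
        elif suite.startswith("ECDHE-"):
            result.forward_secret.append(suite)
    return result


if __name__ == "__main__":
    # Constructed sample value, not taken from any real configuration.
    report = audit_cipher_string("EXP-RC4-MD5:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:FOO-BAR")
    for f in report.findings:
        print(f"{f.severity:6} {f.suite}: {f.reason}")
    print("unknown:", report.unknown, "forward secret:", report.forward_secret)
```

Because the configured order is also the preference order on the appliance, the audit keeps it; a suite flagged "medium" may be acceptable for legacy clients, while the "high" findings are the ones to drop first.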
If the signature algorithm field in the ClientHello message matches multiple configured signature
algorithms, the first one configured in this command will be used. If the signature algorithm field
in the ClientHello message does not match any configured signature algorithm, the SSL
handshake will fail. Please note that this configuration takes effect only when the TLSv1.2
protocol is used.
signature_algorithm This parameter specifies the signature algorithm that will be used in
the ServerKeyExchange message generated during SSL handshake.
Its value must be “sha256ECDSA”, “sha256RSA”,
“sha384ECDSA”, “sha384RSA”, “sha512ECDSA”, “sha512RSA”,
“sha224ECDSA”, “sha224RSA”, “sha1ECDSA”, and “sha1RSA”.
Multiple signature algorithms can be configured. To use more than
one signature algorithm, use colon “:” to separate each other.
If the elliptic curve field in the ClientHello message matches multiple configured elliptic curves,
the first one configured in this command will be used. If the elliptic curve field in the ClientHello
message does not match any configured elliptic curve, the SSL handshake will fail.
curve_name This parameter specifies the name of the elliptic curve that will be
used in the ServerKeyExchange message generated during SSL
For TLSv1.2, the signature algorithm field in the CertificateRequest message contains all
configured signature algorithms. For other SSL versions lower than TLSv1.2, the configured
signature algorithm must contain sha1RSA or sha1ECDSA; otherwise, the SSL handshake will
fail.
signature_algorithm This parameter specifies the signature algorithm that will be used in
the CertificateRequest message generated during SSL handshake.
Its value must be “sha256ECDSA”, “sha256RSA”,
“sha384ECDSA”, “sha384RSA”, “sha512ECDSA”,
“sha512RSA”, “sha224ECDSA”, “sha224RSA”, “sha1ECDSA”
and “sha1RSA”. Multiple signature algorithms can be configured.
To use more than one signature algorithm, use colon “:” to separate
each other.
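The three passages above share one selection rule (the first configured value that the client also offers is used, and no overlap means the handshake fails), with an extra constraint on the CertificateRequest list for versions below TLSv1.2. The following is an added example, not Array Networks code, that applies that rule to the signature algorithm and elliptic curve settings alike. It works on already-decoded name lists rather than TLS records; the curve names used in the demo are placeholders.

```python
"""The ClientHello matching rule the handbook states for the configured
signature algorithms and elliptic curves, plus the CertificateRequest
rule for SSL versions below TLSv1.2.

Added example, not Array Networks code. It works on already-decoded
lists of names rather than TLS records. The handbook's rule is: when
the client's list overlaps several configured values, the first
configured one is used; when nothing overlaps, the handshake fails.
"""
from typing import Iterable, List, Optional

# Values the handbook accepts for signature_algorithm.
VALID_SIGALGS = {
    "sha256ECDSA", "sha256RSA", "sha384ECDSA", "sha384RSA",
    "sha512ECDSA", "sha512RSA", "sha224ECDSA", "sha224RSA",
    "sha1ECDSA", "sha1RSA",
}


class HandshakeFailure(Exception):
    """Raised where the handbook says the SSL handshake will fail."""


def parse_config_list(value: str, valid: Optional[set] = None) -> List[str]:
    """Split a colon-separated CLI value, keeping the configured order
    (which decides preference), dropping duplicates and rejecting names
    outside `valid` when a set of valid names is given."""
    items: List[str] = []
    for name in value.split(":"):
        name = name.strip()
        if not name:
            continue
        if valid is not None and name not in valid:
            raise ValueError(f"unknown value: {name}")
        if name not in items:
            items.append(name)
    return items


def select_first_configured(configured: List[str], client_offered: Iterable[str]) -> str:
    """Pick the value used in ServerKeyExchange: the first *configured*
    entry the client also offers (server preference, not client order)."""
    offered = set(client_offered)
    for name in configured:
        if name in offered:
            return name
    raise HandshakeFailure(f"client offered {sorted(offered)}, none of {configured} match")


def certificate_request_sigalgs(configured: List[str], version: str) -> List[str]:
    """Signature algorithms carried in CertificateRequest. TLSv1.2 sends
    all configured values. Lower versions have no such field in the
    message, but the handbook requires sha1RSA or sha1ECDSA to be
    configured for them; otherwise the handshake fails."""
    if version == "TLSv1.2":
        return list(configured)
    if not any(a in ("sha1RSA", "sha1ECDSA") for a in configured):
        raise HandshakeFailure(f"{version} requires sha1RSA or sha1ECDSA to be configured")
    return []


if __name__ == "__main__":
    sigalgs = parse_config_list("sha384RSA:sha256RSA:sha1RSA", VALID_SIGALGS)
    # Constructed ClientHello contents; the client prefers sha256RSA but
    # the server's configured order wins.
    print(select_first_configured(sigalgs, ["sha256RSA", "sha384RSA"]))
    # Placeholder curve names (assumption): same rule, different setting.
    print(select_first_configured(["curveA", "curveB"], ["curveB"]))
    print(certificate_request_sigalgs(sigalgs, "TLSv1.2"))
```

The same helper serves both settings because the handbook describes them identically; the only version-dependent piece is the CertificateRequest check, which is where a TLSv1.0/1.1 client-certificate deployment fails if sha1RSA or sha1ECDSA has been removed from the list.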
In addition to basic client certificate validation, the SSL virtual site can also perform pattern
matching of the certificate “Subject” field against a set of configured filter rules. If no match is
found, client access will be denied.
The filter rules can be configured with any of the RDNs (Relative Distinguished Name) supported
by the AG appliances, including:
For example:
In this example, all client certificates with the country name of “US”, organization name of
“Array”, organizational unit name of “QA” and email address of “admin@arraynetworks.com” in
the certificate “Subject" field will pass the subject filter.
In this example, the OID “2.5.4.6” represents “Country Name”. All client certificates with the
OID “2.5.4.6” of “JP” in the certificate “Subject” field will pass the subject filter.
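The two examples above describe the outcome of the subject filter but the CLI syntax for the rules is not shown on this page. The following is an added example, not Array Networks code, that implements the matching the text describes: the Subject's RDNs are parsed, each rule names the attributes (by short name or by dotted OID) and the values they must carry, and the client is denied when no rule matches. The rule syntax, the exact (case-sensitive) value comparison and the treatment of an empty rule set as "filter not configured" are this example's own choices.

```python
"""Client-certificate Subject filtering as the handbook describes it:
the Subject's RDNs are compared with configured filter rules and the
client is denied when no rule matches.

Added example, not Array Networks code. The rule syntax used here
("C=US,O=Array,OU=QA,emailAddress=admin@arraynetworks.com", with each
attribute written as a short name or as a dotted OID such as 2.5.4.6)
is this example's own, as is the decision to treat an empty rule set
as "filter not configured". Values are compared exactly (case-sensitive);
the OID alias table is the standard X.520/PKCS#9 one.
"""
from typing import Dict, List

OID_ALIASES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.9.1": "emailAddress",
}


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, honouring backslash escapes (RFC 4514 style)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def normalize_type(attr_type: str) -> str:
    """Map a dotted OID to its short name and fold case ("ou" == "OU")."""
    attr_type = attr_type.strip()
    return OID_ALIASES.get(attr_type, attr_type).lower()


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Parse "C=US,O=Array,OU=QA" into {"c": ["US"], "o": ["Array"], ...}.
    A type that appears more than once (two OU RDNs) keeps all values."""
    result: Dict[str, List[str]] = {}
    for rdn in _split_unescaped(dn, ","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        result.setdefault(normalize_type(attr_type), []).append(value.strip())
    return result


def rule_matches(subject: Dict[str, List[str]], rule: str) -> bool:
    """Every attribute in the rule must be present in the Subject with
    exactly the expected value; extra Subject attributes are ignored."""
    for attr_type, values in parse_dn(rule).items():
        present = subject.get(attr_type, [])
        if not all(v in present for v in values):
            return False
    return True


def filter_allows(subject_dn: str, rules: List[str]) -> bool:
    """True if the Subject passes the filter. With no rules configured the
    filter is treated as not enabled (assumption) and access is allowed."""
    if not rules:
        return True
    subject = parse_dn(subject_dn)
    return any(rule_matches(subject, rule) for rule in rules)


if __name__ == "__main__":
    # The two rules from the handbook's examples, in this example's syntax.
    rules = ["C=US,O=Array,OU=QA,emailAddress=admin@arraynetworks.com", "2.5.4.6=JP"]
    # Constructed Subjects, not real certificates.
    for dn in ("emailAddress=admin@arraynetworks.com,CN=alice,OU=QA,O=Array,C=US",
               "CN=bob,O=Example,C=JP",
               "CN=carol,O=Example,C=DE"):
        print(dn, "->", "allow" if filter_allows(dn, rules) else "deny")
```

A Subject attribute that is absent from the certificate never satisfies a rule, so a rule that names four attributes is strictly tighter than the country-only rule; the first constructed Subject passes only through the first rule and the second only through the OID rule.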
After this command is executed, the AG appliance will first attempt to validate client certificates
online through the OCSP server specified in the client certificate. If this validation fails, the AG
appliance will then attempt to validate the client certificate online through the OCSP server
configured by this command.
ocsp_server This parameter specifies the IP address of the OCSP server. Its
value must be an IPv4 address.
Note: If both the OCSP server and CRL check are configured, only the OCSP server will
be used to validate the certificate.
When the AG appliance attempts to validate client certificates using the CRL (Certificate
Revocation List) issued by a CA, the CRL CA certificate is needed to verify the validity of the CRL
files.
The administrator can execute this command and copy-n-paste the CRL CA certificate of PEM
format directly into the CLI. The system also supports importing CRL CA certificate of PEM and
DER formats from a remote TFTP server.
file_name Optional. This parameter specifies the file name of the CRL CA
certificate on the remote TFTP server, which is required only when
the CRL CA certificate is imported via TFTP. Its value must be a
string of 1 to 256 characters, and defaults to “<host_name>.crt”.
certificate_number Optional. This parameter specifies the serial number of the CRL CA
certificate to be deleted. Administrators can find the serial number
of the certificate via the “show ssl crlca” command. If this
parameter is not specified, all the CRL CA certificates will be
deleted.
After this command is executed, the AG appliance will attempt to validate the certificate using the
CRL downloaded from the CDP (CRL Distribution Point) specified in the client certificate. This
command will take effect only when the client authentication feature is enabled.
Note: This command cannot be used together with the “ssl settings crl offline” command.
After this command is executed, the AG appliance will attempt to validate the certificate using the
CRL downloaded from the configured CDP at the desired time interval. HTTP, FTP and LDAP
are supported protocols to fetch the CRL files. For each virtual site, the administrator can
configure ten CDPs. This command will only take effect when the client authentication feature is
enabled.
cdp_name This parameter specifies the name of the CDP. Its value must be a
string of 1 to 32 characters. Only 0-9, a-z, A-Z and underscore “_”
are supported.
crl_distribution_point This parameter specifies the URL address of the CDP. Its value
must be a string of 1 to 512 characters.
time_interval Optional. This parameter specifies the time interval between CRL
file downloads in minutes. Its value must be an integer ranging
from 1 to 65,535, and defaults to 1440.
delay_time Optional. This parameter specifies the delay time of the CRL file
expiration in minutes. Its value must be an integer ranging from 1 to
Note: Before executing this command, you must first import the CRL CA certificate via
the “ssl import crlca” command.
cdp_name Optional. This parameter specifies the name of the CDP. Its value
must be:
ALL: indicates that the CRL files will not be downloaded from
any CDP.
cdp_name Optional. This parameter specifies the name of the CDP. Its value
must be:
the CDP name: indicates that the system will display the CRL
files downloaded from the specified CDP.
ALL: indicates that the system will display the CRL files
downloaded from all the CDPs.
This command is used to enable the client mandatory authentication mode. By default, the client
mandatory authentication mode is enabled.
Note: The SM2v1.1 protocol does not support the SSL renegotiation function.
This command is used to enable the SSL session reuse function. By default, the SSL session reuse
function is enabled.
If this function is enabled, the AG appliance will ignore SSL close notify errors when a client
does not terminate an SSL connection correctly (or terminates an SSL connection without
sending the Close Notify Alert). Consequently, the AG appliance will continue to reuse the
associated SSL sessions.
If this function is disabled, the AG appliance will require the connection to be closed with the
Close Notify Alert. In this case, if a client does not send the Close Notify Alert before closing
a connection then the associated SSL session will be marked as invalid and flushed.
Note: When any virtual site uses certificate authentication, the SSL renegotiation
function needs to be enabled globally.
This global command is used to set the SSL session cache timeout value.
timeout This parameter specifies the timeout value in seconds. Its value
must be an integer ranging from 60 to 86,400.
ssl start
This command is used to enable SSL service for a specific host. All services associated with this
specified SSL virtual site will be affected. The AG appliance will check the certificate chain for
the SSL virtual site when starting the virtual site. A warning message, stating that the certificate
chain is incomplete will be displayed if the certificate chain cannot be formed using the
intermediate CA file and global trusted CA file.
Note: SSL virtual site settings cannot be changed while SSL is enabled. To make
changes, SSL must first be disabled (see the “ssl stop” command below).
ssl stop
This command is used to disable the SSL service for a specific host. It will not remove the
associated information such as key and certificate data.
clear ssl
This command is used to clear the SSL configurations, including the key and certificate pair. If
this command is executed, there is no way to retrieve the key even if there is a copy of the CSR.
To reconfigure SSL for this virtual site, a new key and a replacement certificate will need to be
created.
Note: Executing this command affects all services associated with this specified SSL virtual
site.
SM2
Please refer to the “ssl csr” command for the requested data and other details displayed after this
command is executed.
curve_name Optional. This parameter specifies the curve name used by the SM2
algorithm. Its value must only be “sm2”. The default value is
“sm2”.
csr_format Optional. This parameter specifies the CSR format. Its value must
be “SCCA” or “CFCA”. The default value is “SCCA”.
The administrator can execute this command and copy-n-paste the private key directly into the
CLI. The system also supports importing private keys from a remote TFTP server.
file_name Optional. This parameter specifies the file name of the SM2
encryption key on the remote TFTP server. This parameter needs to
be specified when you want to import the SM2 encryption key from
a remote TFTP server. Its value must be a string of 1 to 256
characters. The default value is “<host_name>.key”.
key_index Optional. This parameter specifies the index of the imported SM2
encryption key to be exported. Its value must be 1, 2 or 3. If this
parameter is not specified, the active key will be displayed.
The administrator can execute this command and copy-n-paste the SM2 digital envelope directly
into the CLI. The system also supports importing private keys from a remote TFTP server.
digital_envelope_format Optional. This parameter specifies the format of the SM2 digital
envelope obtained from the trusted CA. Its value must be “SCCA”
or “CFCA”. The default value is “SCCA”.
file_name Optional. This parameter specifies the file name of the SM2 digital
envelope on the remote TFTP server. This parameter needs to be
specified when you want to import the SM2 digital envelope from a
remote TFTP server. Its value must be a string of 1 to 256
characters. The default value is “<host_name>.evp”.
The administrator can execute this command and copy-n-paste the PEM format certificate directly
into the CLI. The system also supports importing PEM, DER and PFX formats as well as the
certificates used by IIS 4, IIS 5 and Netscape iPlanet servers from a remote TFTP server.
file_name Optional. This parameter specifies the file name of the SM2
encryption certificate on the remote TFTP server. This parameter
needs to be specified when you want to import the SM2 encryption
certificate from a remote TFTP server. Its value must be a string of
1 to 256 characters. The default value is “<host_name>.crt”.
The administrator can execute this command and copy-n-paste the private key directly into the
CLI. The system also supports importing private keys from a remote TFTP server.
file_name Optional. This parameter specifies the file name of the SM2
signature key on the remote TFTP server. This parameter needs to
be specified when you want to import the SM2 signature key from a
remote TFTP server. Its value must be a string of 1 to 256
characters. The default value is “<host_name>.key”.
key_index Optional. This parameter specifies the index of the imported SM2
signature key to be exported. Its value must be 1, 2 or 3. If this
parameter is not specified, the active key will be displayed.
The administrator can execute this command and copy-n-paste the PEM format certificate directly
into the CLI. The system also supports importing PEM, DER and PFX formats as well as the
certificates used by IIS 4, IIS 5 and Netscape iPlanet servers from a remote TFTP server.
file_name Optional. This parameter specifies the file name of the SM2
signature certificate on the remote TFTP server. This parameter
needs to be specified when you want to import the SM2 signature
certificate from a remote TFTP server. Its value must be a string of
1 to 256 characters. The default value is “<host_name>.crt”.
Chapter 4 AAA
The AAA module provides user authentication, authorization and accounting functions. The
commands in this chapter illustrate how to deploy this module.
General Settings
aaa {on|off}
This command is used to enable or disable the AAA function for the virtual site. When this
function is enabled, users will have to log in before gaining access to internal resources; when this
function is disabled, users will automatically pass authentication and obtain authorized resources
according to their assigned roles. Note that any roles depending on “Group Name” conditions will
no longer work. Roles depending on other conditions still work as before such as “Username” (all
users will be assigned the same “guest” username), AAA method, Source IP, and Login Time. By
default, this function is enabled.
AAA Lockout
Note:
If AAA lockout and LocalDB lockout are both configured, only the configurations of
AAA lockout will take effect.
The AAA lockout function cannot take effect for the certificate authentication.
For the two-step SMS authentication, the AAA lockout function takes effect only for
the static authentication, such as LocalDB and LDAP, and cannot take effect for the
SMS verification code authentication.
For AAA servers with multiple AAA methods configured, the AAA lockout function
takes effect for all AAA methods in the rank list.
With the system reboot, the recorded number of login failures of all AAA accounts
will be cleared.
This command is used to enable automatic login-failure lockout for all AAA accounts. A AAA
account will be locked out after the number of login failures using this account reaches the
specified value of the parameter “failure_times”. By default, this function is disabled.
failure_times Optional. This parameter specifies the number of login failures for
locking out AAA accounts. Its value must be an integer ranging
from 1 to 65,535. The default value is 10.
account_name This parameter specifies the name of the AAA account to be locked
out.
lockout_type Optional. This parameter specifies the type of the locked AAA
accounts. Its value must be “auto”, “manual” or “all”. The default
value is “all”, indicating that all types of locked AAA accounts will
be displayed.
account_name Optional. This parameter specifies the name of the locked AAA
account. Its value must be a case-sensitive string of 1 to 64
characters.
start Optional. This parameter specifies the start of locked AAA accounts
from which to be displayed. Its value must be an integer ranging
from 1 to 4,294,967,295 and the default value is 1.
account_name Optional. This parameter specifies the name of the AAA account to
be unlocked. The default value is empty, indicating all locked AAA
accounts will be unlocked.
Server
aaa server name <type> <server_name> [description]
This command is used to define a AAA server of a particular type.
type This parameter specifies the type of the AAA server. Its value must
only be:
localdb
ldap
radius
certificate
sms
smx
http
server_name This parameter specifies the name of the AAA server, which must
be unique among all servers in the same virtual site. Its value must
be a string of 1 to 32 characters.
For LocalDB, the server name must be the same as the virtual site
name. In addition, only one LocalDB server can be defined per
virtual site.
For SMX, the characters for the server name must only contain 0-9,
a-z, A-Z, and characters “_” and “-”.
description Optional. This parameter specifies the server description. Its value
must be a string of 1 to 127 characters. If it is not specified, the
default description will be the value of “server_name”.
Note: Please ensure that the SSL renegotiation feature has been enabled both globally
and for the virtual site under the following conditions:
Multiple AAA methods are configured and one of them uses the Certificate
authentication (no matter the AAA method includes the Certificate authentication
only or is multi-factor authentication including Certificate authentication)
LocalDB
LocalDB Server
Note: Please delete LocalDB accounts with usernames different only in case sensitivity
before this command is configured.
default_group This parameter specifies the name of the default LocalDB group. Its
value must be a string of 1 to 80 characters.
This command is used to enable or disable the dynamic code rebinding for LocalDB accounts.
With this function enabled, after logging into the MotionProOTP application in one mobile client,
the user can also log into the MotionProOTP application in another mobile client with the same
LocalDB account. The old registered credential of the user will be replaced by the new registered
credential. By default, this function is disabled.
LocalDB Account
If the administrator wants to use LocalDB authentication or the Site2Site VPN function, this
command must be configured. For the Site2Site VPN function, a LocalDB account should be
configured for each spoke to log into the virtual site.
password This parameter specifies the password of the LocalDB account. Its
value must be a case-sensitive string of 1 to 32 characters enclosed
by double quotes. Only 0-9, a-z, A-Z, the space character and some
special printable ASCII characters such as ! @ # $ % ^ & * ( ) _ - ~
= { } [ ] | \ / ? : ; ’ ` < > , . are allowed.
mail Optional. This parameter specifies the mail address of the LocalDB
account in the format of “abc@xyz.com”. Its value must be a string
of 1 to 128 characters enclosed by double quotes. The default value
is empty.
nfs_group Optional. This parameter specifies the NFS (Network File System)
group ID of the LocalDB account. Its value must be an integer
ranging from 0 to 65,535. The default value is 0.
nfs_account Optional. This parameter specifies the NFS (Network File System)
account of the LocalDB account. Its value must be an integer
ranging from 0 to 65,535. The default value is 0.
group_name Optional. This parameter specifies the name of the LocalDB group
to which the LocalDB accounts to be displayed belong.
group_name Optional. This parameter specifies the name of the LocalDB group
to which the LocalDB accounts to be displayed belong.
new_account_name This parameter specifies the new account name for the LocalDB
account. Its value must be a string of 1 to 64 characters.
new_password This parameter specifies the new password of the LocalDB account.
Its value must be a case-sensitive string of 1 to 32 characters
enclosed by double quotes. Only 0-9, a-z, A-Z, the space character
and some special printable ASCII characters such as ! @ # $ % ^ &
* ( ) _ - + = { } [ ] | \ / ? : ; ’ < > , . are allowed. The string cannot
contain any of the characters “ ~ `”.
LocalDB Group
group_name This parameter specifies the name of the LocalDB group. Its value
must be a case-sensitive string of 1 to 64 characters.
nfs_group Optional. This parameter specifies the name of the NFS file share
group. Its value must be an integer ranging from 0 to 65,535. The
default value is 0.
group_name This parameter specifies the original name of the LocalDB group.
Its value must be a string of 1 to 64 characters.
new_groupname This parameter specifies the new name of the LocalDB group. Its
value must be a string of 1 to 64 characters.
group_name This parameter specifies the name of the LocalDB group. Its value
must be a string of 1 to 64 characters.
account_name This parameter specifies the name of the LocalDB account. Its
value must be a string of 1 to 64 characters.
This command is used to disassociate an existing LocalDB account from an existing LocalDB
group.
This command is used to enable the password checking policy requiring a minimum password
length. By default, this policy is disabled. After this command is configured, to update the
password of the existing LocalDB account or create a new account, the length of the new
password must be greater than or equal to the value specified by the parameter “length”.
This command is used to enable the password checking policy requiring at least one
non-alphanumeric character in the LocalDB account password. By default, this policy is disabled.
After this command is configured, to update the password of the existing LocalDB account or
create a new account, the new password must include at least one non-alphanumeric character.
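The two password policies above sit on top of the fixed limits given for the account password parameter (1 to 32 case-sensitive characters from the listed set). The following is an added example, not Array Networks code, that applies all of those checks to a candidate password and reports every violated rule at once, the way an administrator would want to see it before an account update is rejected. It takes the handbook's “’” to be the ASCII apostrophe (assumption) and does not model the slightly different list given for new_password.

```python
"""LocalDB password checks modelled on the handbook's policies: the fixed
1 to 32 character limit and allowed character set from the account
password parameter, plus the two optional policies (minimum length and
at least one non-alphanumeric character).

Added example, not Array Networks code. The handbook's "’" in the
allowed list is taken to be the ASCII apostrophe (assumption), and the
slightly different list given for new_password (adds "+", forbids
" ~ `) is not modelled.
"""
from dataclasses import dataclass
from typing import List
import string

ALPHANUM = set(string.ascii_letters + string.digits)
# Space plus the special characters the account password parameter allows.
ALLOWED_SPECIAL = set(" !@#$%^&*()_-~={}[]|\\/?:;'`<>,.")
ALLOWED = ALPHANUM | ALLOWED_SPECIAL


@dataclass
class PasswordPolicy:
    min_length_enabled: bool = False  # policy requiring a minimum length
    length: int = 8                   # the "length" parameter of that policy
    require_nonalnum: bool = False    # policy requiring a non-alphanumeric char

    def check(self, password: str) -> List[str]:
        """Return the violated rules in a fixed order; empty means accepted."""
        problems: List[str] = []
        if not 1 <= len(password) <= 32:
            problems.append("length must be 1 to 32 characters")
        bad = sorted({c for c in password if c not in ALLOWED})
        if bad:
            problems.append("disallowed characters: " + "".join(bad))
        if self.min_length_enabled and len(password) < self.length:
            problems.append(f"shorter than minimum length {self.length}")
        if self.require_nonalnum and not any(c not in ALPHANUM for c in password):
            problems.append("needs at least one non-alphanumeric character")
        return problems

    def accepts(self, password: str) -> bool:
        return not self.check(password)


if __name__ == "__main__":
    # Both policies enabled, minimum length 12; constructed candidates.
    strict = PasswordPolicy(min_length_enabled=True, length=12, require_nonalnum=True)
    for candidate in ("correcthorse", "short!", "correct horse battery!", "pässword-123456"):
        print(repr(candidate), "->", strict.check(candidate) or "accepted")
```

With both policies disabled (the defaults), only the 1 to 32 character limit and the character set are enforced, which is the state of a freshly configured LocalDB.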
duration Optional. This parameter specifies the expiration age (counted from
the last password change) of the LocalDB account password in
seconds. Its value must be an integer ranging from 1 to
2,147,483,647. The default value is 99,999,999.
This command is used to delete the password expiration age configuration for all LocalDB
accounts.
LocalDB Lockout
idle_time Optional. This parameter specifies the idle time after which the
LocalDB account will be locked out, in seconds. Its value must be an
integer ranging from 1 to 4,294,967,295. The default value is
99,999,999.
failure_times Optional. This parameter specifies the number of login failures after
which the LocalDB account is locked out. Its value must be an
integer ranging from 1 to 65,535. The default value is 10.
type Optional. This parameter specifies the lockout type of the locked
LocalDB accounts to be displayed. Its value must only be:
account_name Optional. This parameter specifies a string to match the account. All
LocalDB accounts including the string will be matched. If the
parameter “account_name” is not specified, the lockout statistics for
all LocalDB accounts will be displayed.
backup_name This parameter specifies the name of the LocalDB backup. Its value
must be a string of 1 to 32 characters.
Note: For the MotionPro-type virtual site, this command will back up all the data in the
LocalDB including the MDM data but excluding the MDM CLI configurations.
time Optional. This parameter specifies the time for the auto-backup in
“HH:MM” (24-hour) format, for example, 6:23, 05:05, 23:59. The
default value is 0:00.
dayofweek Optional. This parameter specifies the day of the week for the
auto-backup. Its value must be an integer ranging from 0 to 7. The
default value is 0, indicating the LocalDB database will be backed
up on a daily basis.
backup_name This parameter specifies the name of the LocalDB backup database.
Its value must be a string of 1 to 32 characters.
file_name This parameter specifies the name of the file on the system. Its
value must be a string of 1 to 32 characters.
member: indicates that only the account and group name will
be exported.
Note: The files exported from LocalDB directly are in the UTF-8 encoding format. To
read or edit the exported file, make sure that your file viewer or editor supports UTF-8
encoding.
member: indicates that only the account and group name will
be exported.
server_name This parameter specifies the name of the server to which data will
be exported. Its value must be a string of 1 to 128 characters.
user_name This parameter specifies the name of the remote user on the SCP
server. Its value must be a string of 1 to 64 characters.
file_path This parameter specifies the path, which must include the file name,
to export the file on the SCP server. Its value must be a string of 1
to 256 characters.
Note: The files exported via SCP are in the UTF-8 encoding format. To read or edit the
exported file, make sure that your file viewer or editor supports UTF-8 encoding.
member: indicates that only the account and group name will
be exported.
file_name This parameter specifies the name of the file to export data on the
TFTP server. Its value must be a string of 1 to 256 characters.
Note: The files exported via TFTP are in the UTF-8 encoding format. To read or edit the
exported file, make sure that your file viewer or editor supports UTF-8 encoding.
file_name This parameter specifies the name of the file to be imported into
LocalDB. Its value must be a string of 1 to 127 characters.
member: indicates that only the account and group name will
be imported.
Note: The files imported to LocalDB directly must be in the UTF-8 encoding format.
Otherwise, the importing might fail.
member: indicates that only the account and group name will
be exported.
url This parameter specifies the URL of the HTTP resource. Its value
must be a string of 1 to 64 characters.
Note: The files imported via SCP must be in the UTF-8 encoding format. Otherwise, the
importing might fail.
member: indicates that only the account and group name will
be imported.
server_name This parameter specifies the name of the server from which data
will be imported. Its value must be a string of 1 to 127 characters.
user_name This parameter specifies the name of the remote user on the SCP
server. Its value must be a string of 1 to 64 characters.
file_path This parameter specifies the path, which must include the file name,
to import the file from the SCP server. Its value must be a string of
1 to 256 characters.
Note: The files imported via SCP must be in the UTF-8 encoding format. Otherwise, the
importing might fail.
member: indicates that only the account and group name will
be imported.
file_name This parameter specifies the name of the file to import data from on
the TFTP server. Its value must be a string of 1 to 256 characters.
overwrite|ignore This parameter specifies how to handle conflicts, e.g., duplicate data.
Its value must be “overwrite” or “ignore”.
Note: The files imported via TFTP must be in the UTF-8 encoding format. Otherwise,
the importing might fail.
LocalDB IP
For users accessing the backend resources through the L3VPN tunnel, the system will assign
the fixed IP address to the LocalDB account while ignoring the IP address assignment by the
Netpool authorized to the LocalDB account.
For users accessing the backend resources through the Site2Site VPN tunnel, the system will
assign the fixed IP address (tunnel IP) to the LocalDB account.
LocalDB SSO
account_name This parameter specifies the LocalDB account name. Its value must
be a string of 1 to 64 characters.
sso_account This parameter specifies the account name of the application login
credential used for Application SSO. Its value must be a string of 1
to 64 characters.
Note:
The portal login username must be the same as the LocalDB account username
associated with the application login credential.
LocalDB Status
LocalDB Statistics
LDAP
ldap_server_name This parameter specifies the name of an existing LDAP server. Its
value must be a string of 1 to 32 characters.
ip This parameter specifies the IP address of the LDAP host. Its value
must be an IPv4 address.
port This parameter specifies the port of the LDAP host. Its value must
be an integer ranging from 1 to 65,535.
timeout This parameter specifies the timeout value of the search in seconds.
Its value must be an integer ranging from 1 to 65,535.
index Optional. This parameter specifies the host index. Its value must be
1, 2 or 3. The default value is 1.
“tls”: indicates that the LDAP server is accessed over the TLS
protocol.
filter_string This parameter specifies a filter string used to search for the LDAP
entries. Its value must be a string of 1 to 80 characters enclosed by
double quotes.
Please refer to the RFC for details of the LDAP filter string.
Note: If this command is not configured for the specified LDAP server, AAA uses
“uid=<USER>” as the default search filter string.
For example:
Search an entry with objectClass being Person and with sn being the real username or cn being a
value containing the real username:
attribute This parameter specifies the name of the attribute used to obtain the
external LDAP group of the user from the LDAP entry. Its value
must be a string of 1 to 80 characters.
attribute This parameter specifies the name of the attribute used to obtain the
mobile phone number of the user from the LDAP entry. Its value
must be a string of 1 to 80 characters.
This command is used to delete the configuration of the attribute used to obtain the mobile phone
number of the user from the LDAP entry for the specified LDAP server.
group This parameter specifies the default group name for the user for
whom no LDAP group is obtained. Its value must be a string of 1 to
80 characters.
After the “dynamic” LDAP bind mode is enabled, AAA sends a bind request containing the end
user’s username and password to the LDAP server and then a search request containing the search
filter string configured by the command “aaa server ldap searchfilter” to obtain the LDAP entry
of the end user. Then AAA sends the DN obtained from the LDAP entry together with the
password of the end user in another bind request to the LDAP server. After the end user passes the
authentication, AAA reuses the obtained LDAP entry to authorize the end user.
“<dn_prefix><USER><dn_suffix>”. <USER> is the username used to log into the virtual site.
“<dn_prefix>” and “<dn_suffix>” must be the same for all users using the same virtual site.
After the “static” LDAP bind mode is enabled, AAA sends the DN
(<dn_prefix><USER><dn_suffix>) together with the password of the end user in a bind request to
the LDAP server. After the end user passes the authentication, AAA sends a search request
containing the search filter string configured by the command “aaa server ldap searchfilter” to
obtain the LDAP entry of this end user. Then, it authorizes the end user based on the obtained
LDAP entry.
dn_prefix This parameter specifies the DN prefix extracted from the LDAP
server. Its value must be a string of 1 to 80 characters.
dn_suffix This parameter specifies the DN suffix extracted from the LDAP
server. Its value must be a string of 1 to 80 characters.
For example:
Note: The “static” and “dynamic” LDAP bind functions cannot be enabled at the same
time.
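The two bind modes described above, as an added example that is not Array Networks code: it expands the “aaa server ldap searchfilter” template (default “uid=<USER>”) and the static DN “<dn_prefix><USER><dn_suffix>” with RFC 4515/4514 escaping of the username, then runs each mode against a small in-memory directory. The FakeDirectory class and its single entry are assumptions constructed for the example, not an LDAP server.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 4515: characters that must be escaped inside an LDAP filter value. The
# username is end-user input substituted into the filter, so it is escaped first;
# otherwise "*" or ")(" in a name would change what the filter matches.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed inside a DN (static bind mode)."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in ',+"\\<>;=' or leading_hash or edge_space else ch)
    return "".join(out)


def expand_search_filter(template: str, username: str) -> str:
    """Expand the 'aaa server ldap searchfilter' template (default 'uid=<USER>')."""
    return template.replace("<USER>", escape_filter_value(username))


def build_static_dn(dn_prefix: str, username: str, dn_suffix: str) -> str:
    """Static mode DN: '<dn_prefix><USER><dn_suffix>'."""
    return f"{dn_prefix}{escape_dn_value(username)}{dn_suffix}"


@dataclass
class FakeDirectory:
    """Offline stand-in for the LDAP server (an assumption of this example).
    It understands only 'attr=value' equality filters, which covers the default
    filter, and accepts a bare uid as bind name in addition to a DN."""
    entries: Dict[str, Dict[str, str]]            # DN -> attributes
    log: List[str] = field(default_factory=list)  # operations seen, in order

    def bind(self, name: str, password: str) -> bool:
        self.log.append(f"bind {name}")
        entry = self.entries.get(name)
        if entry is None:
            entry = next((e for e in self.entries.values() if e.get("uid") == name), None)
        return entry is not None and entry.get("userPassword") == password

    def search(self, ldap_filter: str) -> Optional[Tuple[str, Dict[str, str]]]:
        self.log.append(f"search {ldap_filter}")
        attr, _, value = ldap_filter.strip("()").partition("=")
        for dn, entry in self.entries.items():
            if entry.get(attr) == value:
                return dn, entry
        return None


def authenticate_dynamic(server: FakeDirectory, username: str, password: str,
                         filter_template: str = "uid=<USER>") -> Optional[Dict[str, str]]:
    """'dynamic' mode: bind as the user, search for the entry, bind again with its DN.
    Returns the entry reused for authorization, or None on failure."""
    if not server.bind(username, password):
        return None
    found = server.search(expand_search_filter(filter_template, username))
    if found is None:
        return None
    dn, entry = found
    return entry if server.bind(dn, password) else None


def authenticate_static(server: FakeDirectory, username: str, password: str,
                        dn_prefix: str, dn_suffix: str,
                        filter_template: str = "uid=<USER>") -> Optional[Dict[str, str]]:
    """'static' mode: bind with the templated DN first, then search for the entry."""
    if not server.bind(build_static_dn(dn_prefix, username, dn_suffix), password):
        return None
    found = server.search(expand_search_filter(filter_template, username))
    return found[1] if found else None


def demo_directory() -> FakeDirectory:
    """One constructed entry; the password is sample data."""
    return FakeDirectory({
        "uid=alice,ou=people,dc=example,dc=com": {
            "uid": "alice", "userPassword": "s3cret", "memberOf": "vpn-users"},
    })


if __name__ == "__main__":
    d = demo_directory()
    print(authenticate_dynamic(d, "alice", "s3cret"), d.log)
```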
ldap_server_name This parameter specifies the name of the existing LDAP server.
Note:
Before using the LDAP password change function, please make sure that:
On related LDAP servers, the lifetime of LDAP passwords has been configured.
For the OpenLDAP server, the external default policy has been configured.
For the Windows Active Directory (AD) server, its system time must be the same as
the system time of the AG appliance.
On the AG appliance, the related Windows AD servers have been configured to use
port 636 and to be accessed using the TLS protocol.
Before configuring password expiry warning for the OpenLDAP server, you must execute this
command to set the policy DN first. Otherwise, the password expiry warning configuration will
not be accepted by the OpenLDAP server.
ldap_server_name This parameter specifies the name of an existing LDAP server. Its
value must be a string of 1 to 32 characters.
password_policy_DN This parameter specifies the policy DN. Its value must be a string of
1 to 32 characters and must be the same as the default policy DN
set on the OpenLDAP server.
For example:
This command is used to delete the configuration of the policy DN for the specified LDAP server.
aaa group in dn
This command is used to enable the function of extracting the DN as the user’s group. The
administrator can use the “aaa group regex” command to define which part of the DN will be
extracted as the user’s group. By default, this function is disabled.
no aaa group in dn
This command is used to disable the function of extracting the DN as the user’s group.
expression This parameter specifies a regular expression that indicates the part
of the DN to be extracted as the user’s group. Its value must be a
string of 1 to 64 characters. The “()” meta-character is supported. At
most five “()” meta-characters can be configured.
For example,
LDAP Autosearch
profile_name This parameter specifies the name of the LDAP auto-search profile.
Its value must be a string of 1 to 32 characters.
This command is used to configure an LDAP host for the specified LDAP auto-search profile. The
LDAP host must be configured before the profile is enabled using the command “aaa server ldap
autosearch on <profile_name>”.
ip This parameter specifies the IP address of the LDAP host. Its value
must be an IPv4 address.
port This parameter specifies the port of the LDAP host. Its value must
be an integer ranging from 1 to 65,535.
base_dn This parameter specifies the DN of the LDAP entry at which to start
the search for users. Its value must be a string of 1 to 900
characters.
timeout This parameter specifies the maximum timeout in seconds. Its value
must be an integer ranging from 1 to 65,535.
“tls”: indicates that the LDAP server is accessed over the TLS
protocol.
This command is also used to modify the existing configuration of the search filter for the
specified LDAP auto-search profile.
profile_name This parameter specifies the name of the LDAP auto-search profile.
filter_string This parameter specifies a filter string used to filter the LDAP
entries. Its value must be a string of 1 to 128 characters, which must
be enclosed by double quotes.
This command is also used to modify the existing configuration of the LDAP attribute to be
searched for the specified LDAP auto-search profile.
This command is used to display the configuration of the LDAP attribute to be searched for the
specified LDAP auto-search profile.
This command is also used to modify the existing configuration of the daily auto-search frequency
for the specified LDAP auto-search profile.
hour This parameter specifies the hour when the daily auto-search is
carried out. Its value must be an integer ranging from 0 to 23,
indicating the hour ranging from 0:00 to 23:00.
This command is also used to modify the existing configuration of the weekly auto-search
frequency for the specified LDAP auto-search profile.
hour This parameter specifies the hour when the weekly auto-search is
carried out. Its value must be an integer ranging from 0 to 23,
indicating the hour ranging from 0:00 to 23:00.
day This parameter specifies the day when the weekly auto-search is
carried out. Its value must be “Monday”, “Tuesday”, “Wednesday”,
“Thursday”, “Friday”, “Saturday” or “Sunday”, and is
case-insensitive.
This command is also used to modify the existing configuration of the monthly auto-search
frequency for the specified LDAP auto-search profile.
hour This parameter specifies the hour when the monthly auto-search is
carried out. Its value must be an integer ranging from 0 to 23,
indicating the hour ranging from 0:00 to 23:00.
date This parameter specifies the date when the monthly auto-search is
carried out. Its value must be an integer ranging from 1 to 31.
If a month does not have the specified date, such as 31 in June, the
search will not be carried out in this month.
profile_name This parameter specifies the name of the LDAP auto-search profile.
email_address This parameter specifies the email address. Its value must be a
string of 1 to 128 characters enclosed by double quotes.
This command is used to configure the email subject for the specified LDAP auto-search profile.
The subject will be used for sending emails to all the email addresses of this profile. This
command configuration is optional for every profile.
profile_name This parameter specifies the name of the LDAP auto-search profile.
email_subject This parameter specifies the email subject. Its value must be a
string of 1 to 256 characters enclosed by double quotes.
This command is used to acknowledge the search result changes of the specified LDAP
auto-search profile.
RADIUS
authentication_port This parameter specifies the port number used for RADIUS
authentication. Its value must be an integer ranging from 1 to
65,535.
secret This parameter specifies the shared secret text string used by the
AG appliance and the RADIUS server to encrypt passwords and
exchange responses.
retries This parameter specifies the number of retries for connecting to the
RADIUS server. Its value must be an integer ranging from 1 to 65,535.
timeout This parameter specifies the timeout value of the search in seconds.
Its value must be an integer ranging from 1 to 65,535.
index Optional. This parameter specifies the host index. Its value must be
1, 2 or 3. The default value is 1.
accounting_port Optional. This parameter specifies the port number used for
RADIUS accounting. Its value must be an integer ranging from 1 to
65535. The default value is 1813.
attribute This parameter specifies the ID of the attribute used to obtain the
external RADIUS group of the user from the RADIUS entry. Its
value must be an integer ranging from 1 to 63. For details of each
attribute, please refer to the following list.
Please note that the attributes may vary depending on the individual
network requirements.
1 User-Name
2 User-Password
3 CHAP-Password
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
10 Framed-Routing
11 Filter-Id
12 Framed-MTU
13 Framed-Compression
14 Login-IP-Host
15 Login-Service
16 Login-TCP-Port
17 (unassigned)
18 Reply-Message
19 Callback-Number
20 Callback-Id
21 (unassigned)
22 Framed-Route
23 Framed-IPX-Network
24 State
25 Class
26 Vendor Specific
27 Session Timeout
28 Idle-Timeout
29 Termination-Action
30 Called-Station-Id
31 Calling-Station-Id
32 NAS-Identifier
33 Proxy-State
34 Login-LAT-Service
35 Login-LAT-Node
36 Login-LAT-Group
37 Framed-AppleTalk-Link
38 Framed-AppleTalk-Network
39 Framed-AppleTalk-Zone
60 CHAP-Challenge
61 NAS-Port-Type
62 Port-Limit
63 Login-LAT-Port
Note: To modify the existing attribute, please delete the existing configuration using the
command “no aaa server radius attribute group” first.
attribute_ip This parameter specifies the ID of the attribute used to obtain the
VPN client IP of the user from the RADIUS entry for the specified
RADIUS server.
attribute_netmask This parameter specifies the ID of the attribute used to obtain the
VPN netmask of the user from the RADIUS entry for the specified
RADIUS server.
This command is used to delete the attribute used to obtain the mobile phone number of the user
from the RADIUS entry for the specified RADIUS server.
group This parameter specifies the default RADIUS group name. Its value
must be a string of 1 to 80 characters.
nasip This parameter specifies the NAS IP address for the RADIUS
server. Its value must be an IPv4 address.
Note: The “NAS-IP-Address” attribute must be specified if only the bond or VLAN
interface is configured with the IP address but no system interface is configured with the IP
address on the AG appliance.
This command is used to display the setting of the “NAS-IP-Address” attribute for the specified
RADIUS server.
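Reading the group attribute from a RADIUS reply, as an added example that is not Array Networks code: it parses the attribute list (numbering as in the table above), checks the Response Authenticator against the shared secret before trusting the reply, and falls back to the default group when the configured attribute is absent. The packet, shared secret and Request Authenticator are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Subset of the attribute list above (RFC 2865 numbering).
ATTR_NAMES = {1: "User-Name", 11: "Filter-Id", 25: "Class", 26: "Vendor-Specific", 27: "Session-Timeout"}


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs: 1-byte type, 1-byte length (header included), value.
    Malformed lengths are rejected rather than silently skipped."""
    attrs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def describe_attributes(packet: bytes) -> List[Tuple[str, bytes]]:
    """Human-readable view of a reply's attributes, for logging or troubleshooting."""
    return [(ATTR_NAMES.get(t, f"Attribute-{t}"), v) for t, v in parse_attributes(packet[20:])]


def response_authenticator(header: bytes, request_auth: bytes, attrs_bytes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was produced by a party holding the shared secret,
    for the request whose Authenticator is request_auth."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = response_authenticator(packet[:4], request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code: int, ident: int, attrs: List[Tuple[int, bytes]],
                   request_auth: bytes, secret: bytes) -> bytes:
    """Build a reply the way a RADIUS server would (used here to construct test input)."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + response_authenticator(header, request_auth, body, secret) + body


def external_group(packet: bytes, request_auth: bytes, secret: bytes,
                   group_attr: int, default_group: str) -> Optional[str]:
    """Mirror of 'aaa server radius attribute group' plus the default group: the first
    attribute with ID group_attr names the group; if it is absent the default group
    applies. Rejects and replies with a bad authenticator yield None."""
    if not 1 <= group_attr <= 63:
        raise ValueError("attribute ID must be 1 to 63")
    if not verify_response(packet, request_auth, secret):
        return None
    if packet[0] != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(packet[20:]):
        if atype == group_attr:
            return value.decode("utf-8", "replace")
    return default_group


# Constructed sample data (not from a real deployment).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_response(ACCESS_ACCEPT, 7, [(1, b"alice"), (25, b"vpn-users")], REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print(describe_attributes(SAMPLE_ACCEPT))
    print(external_group(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET, 25, "default-group"))
```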
Certificate
Note: For the authentication types “challenge” and “nochallenge”, the administrator needs
to set the type of the AAA server assisting this Certificate server in authentication using
the “aaa server certificate authenticate server” command and configure other related
settings. For the authentication type “challenge”, after passing the certificate
authentication, the user will be directed to the challenge page, requiring the user to enter
the (username and) password. For details, please refer to the command “aaa server
certificate authenticate userid”.
The value of the specified certificate field will be used as the account name of the user and will be
displayed on the portal welcome page when the user passes the certificate authentication.
cert_field This parameter specifies the certificate field used to obtain the
username of the user account from the certificate. Its value must be
a string of 1 to 256 characters and must be:
The following table describes the values of the “cert_field” parameter in detail.
Value Description
Standard certificate field names The “cert_field” parameter supports the following standard certificate field names:
subject and subject.cn/c/o/ou/st/l/emailaddress/pseudonym/title/sn/name/surname/givenname/initials/dnqualifier/gq/dn/dc (certificate’s subject field)
issuer and issuer.cn/c/o/ou/st/l/emailaddress/pseudonym/title/sn/name/surname/givenname/initials/dnqualifier/gq/dc (certificate’s issuer field)
notbefore (certificate’s not before field)
Extension fields The following X.509 v3 extension OIDs are supported:
2.5.29.35, 2.5.29.14, 2.5.29.15, 2.5.29.32, 2.5.29.33, 2.5.29.17, 2.5.29.19, 2.5.29.30, 2.5.29.36, 2.5.29.37, 2.5.29.31, 2.5.29.54, 2.5.29.46
ext.issuerAltName (certificate’s issuer field)
This command is also used to modify the existing configuration of the user ID action of the
specified Certificate server used for authentication.
id_action This parameter specifies the user ID action for the Certificate
server. Its value must be:
server_type This parameter specifies the type of the AAA server assisting the
Certificate server for authentication. Its value must be:
When the authentication type of the Certificate server is “nochallenge” or “challenge”, the LDAP
attribute specified by the “ldap_attribute” parameter and the value of the certificate field specified
by the “cert_field” parameter in the client certificate will constitute the search filter. For the
authentication type “nochallenge”, if any LDAP entry on the LDAP server matches this search
filter, the user passes the authentication and the value of the certificate field specified by the
“cert_field” parameter in the client certificate will be displayed as the username in the portal
welcome page. For the authentication type “challenge”, if any LDAP entry on the LDAP server
matches this search filter and the username and password on the Certificate challenge page, the
user passes the authentication and the value of the LDAP attribute specified by the “user_id”
parameter in the retrieved LDAP entry will be displayed as the username in the portal welcome
page.
cert_field This parameter specifies the certificate field used to obtain the
username of the user account from the certificate. Its value must be
a string of 1 to 256 characters. Its value must be:
ldap_attribute This parameter specifies the LDAP attribute used to constitute the
search filter. Its value must be a string of 1 to 80 characters.
For the authentication type “nochallenge”, if the username of any LocalDB account on the
LocalDB server matches the value of the certificate field specified by the “cert_field” parameter in
the client certificate, the user passes the authentication and the certificate field specified by the
“cert_field” parameter in the client certificate will be displayed as the username in the portal
welcome page. For the authentication type “challenge”, if the username and password of any
LocalDB account on the LocalDB server match the username and password on the certificate
challenge page, the user passes the authentication and the username used by the certificate
Challenge page will be displayed as the username in the portal welcome page.
cert_field This parameter specifies the certificate field used to obtain the
username of the user account from the certificate. Its value must be
a string of 1 to 32 characters and must be:
The following commands are used to configure authorization using the Certificate server.
During the authorization using the Certificate server, the external group name of the user can be
obtained in one of three ways:
LDAP server
LocalDB
The three ways are mutually exclusive for one Certificate server used for authorization.
cert_field This parameter specifies the certificate field used to obtain the
external group name in the client certificate. Its value must be a
string of 1 to 64 characters. Its value must be:
default_group This parameter specifies the default group name. Its value must be a
string of 1 to 64 characters.
server_type This parameter specifies the type of the AAA server assisting the
specified Certificate server in authorization. Its value must be:
Note: If the “server_type” parameter is set to “ldap” and the system fails to obtain the
external group name for the user from the LDAP server, the system will use the default
group setting configured for the LDAP server itself using the command “aaa server ldap
attribute defaultgroup”.
default_group This parameter specifies the name of the default group in LocalDB.
cert_field This parameter specifies the certificate field used to obtain mobile
phone numbers of users. Its value must be a string of 1 to 80
characters and must be:
attribute This parameter specifies the LDAP entry’s attribute from which the
AAA obtains mobile phone numbers of users. Its value must be a
string of 1 to 80 characters.
SMS
host_ip This parameter specifies the IP address of the SMS host. Its value
must be an IPv4 address.
host_port This parameter specifies the port used by the host to communicate
with the AAA. Its value must be an integer ranging from 0 to
65535.
protocol This parameter specifies the protocol type used by the SMS server.
Its value is case-insensitive and must be:
user_name Optional. This parameter specifies the username used to log into the
host of the SMS server. Its value must be enclosed by double quotes
when beginning with a non-alphabetical character.
password Optional. This parameter specifies the password used to log into the
host of the SMS server. Its value must be enclosed by double quotes
when beginning with a non-alphabetical character.
service_id Optional. This parameter specifies the ID of the SMS service. Its
value must be a string of 1 to 10 characters.
tls_flag Optional. This parameter specifies whether to access the SMS host
over the TLS protocol. Its value must be:
“tls”: indicates that the TLS protocol is used to access the SMS
host.
empty: indicates that the TLS protocol is not used to access the
SMS host.
company_name This parameter specifies the company name. Its value must be a
string of 1 to 60 characters enclosed by double quotes when
beginning with a non-alphabetical character.
contactor This parameter specifies the name of the contact person of the
company. Its value must be a string of 1 to 20 characters enclosed
by double quotes when beginning with a non-alphabetical character.
phone_number This parameter specifies the telephone number of the company. Its
value must be a string of 1 to 20 characters enclosed by double
quotes when beginning with a non-alphabetical character.
mobile_number This parameter specifies the mobile phone number of the company.
Its value must be a string of 1 to 15 characters enclosed by double
quotes when beginning with a non-alphabetical character.
email This parameter specifies the email of the company. Its value must
be a string of 1 to 60 characters enclosed by double quotes when
beginning with a non-alphabetical character.
fax This parameter specifies the fax of the company. Its value must be a
string of 1 to 20 characters enclosed by double quotes when
beginning with a non-alphabetical character.
address This parameter specifies the address of the company. Its value must
be a string of 1 to 60 characters enclosed by double quotes when
beginning with a non-alphabetical character.
postcode This parameter specifies the postcode of the company. Its value
must be a string of 1 to 6 characters enclosed by double quotes
when beginning with a non-alphabetical character.
string This parameter specifies the content of the short message sent to the
mobile phone. Its value must be a string of 1 to 60 characters
enclosed by double quotes.
For example:
vs(config)$aaa server sms message sms_server "Hi <USER>, the verification code is
<OTP>" 0
vs(config)$aaa server sms message sms_server "Verification code is <OTP>" 0
This command is used to display the content of the short message sent to the mobile phone for the
specified SMS server.
character_type This parameter specifies the character type of verification codes. Its
value must be:
time This parameter specifies the effective time of verification codes for
the SMS server in seconds. Its value must be an integer ranging
from 5 to 600.
This command is used to reset the expiration time of verification codes to the default value 300
seconds for the specified SMS server.
url This parameter specifies the HTTP or FTP URL from which the
custom SMS authentication request template is imported. Its value
must be a string of 1 to 256 characters.
When preparing the SMS authentication request template, please bear the following information in
mind:
The field <SMS server IP> and <SMS server port> will be replaced by the IP address and
port of the SMS host selected by AG.
The <CONTENT_LENGTH> field will be filled with the value of the transfer-length of the
HTTP request body.
The fields <USERNAME> and <PASSWORD> will be filled with the username and
password used to log into the host of the SMS server. The <phone> field will be filled with
the mobile phone number of the end user.
The field <MESSAGE> will be replaced by the message configured via the “aaa server sms
message” command by AG.
The field <SEQID> will be filled by AG according to the request ID of the SMS
authentication request.
The fields <RT_USERNAME> and <RT_PASSWORD> will be filled with the username
and password of the user used to log into the virtual site.
Note: The SMS authentication request template must be a plain text file.
type This parameter specifies the file type of the custom SMS
authentication request template. Its value must be “request”.
end_flag Optional. This parameter specifies the end location of the SMS
authentication response. Its value must be a string of 1 to 256
characters.
Note: The SMS authentication response must include the request ID <SEQID> of the SMS
authentication request.
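The SMS request template fields above and the verification-code settings, as an added example that is not Array Networks code: a two-pass renderer that fills the body fields first so that <CONTENT_LENGTH> is the real byte length of the finished body, a response check that looks for the request’s <SEQID> before the configured end_flag, and an issue/verify pair for the code’s effective time (5 to 600 seconds, default 300). The HTTP template, the form-encoded body and the gateway host are constructed assumptions; the real template format is whatever the SMS provider expects.

```python
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import quote_plus

OTP_LENGTH = 6


@dataclass
class SmsServer:
    host_ip: str
    host_port: int
    user_name: str
    password: str
    message: str              # 'aaa server sms message' string, 1 to 60 characters
    code_lifetime: int = 300  # effective time of verification codes, 5 to 600 seconds

    def __post_init__(self) -> None:
        if not 1 <= len(self.message) <= 60:
            raise ValueError("message must be 1 to 60 characters")
        if not 5 <= self.code_lifetime <= 600:
            raise ValueError("code lifetime must be 5 to 600 seconds")


def issue_code(server: SmsServer, now: float) -> Tuple[str, float]:
    """Return a fresh numeric verification code and the time at which it expires."""
    code = "".join(secrets.choice(string.digits) for _ in range(OTP_LENGTH))
    return code, now + server.code_lifetime


def verify_code(issued: str, expires_at: float, submitted: str, now: float) -> bool:
    """Expiry check plus constant-time comparison of the submitted code."""
    return now < expires_at and hmac.compare_digest(issued, submitted)


def compose_message(server: SmsServer, user: str, code: str) -> str:
    return server.message.replace("<USER>", user).replace("<OTP>", code)


def render_request(template: str, server: SmsServer, phone: str, message: str,
                   seqid: str, rt_username: str, rt_password: str) -> bytes:
    """Fill the template fields. Body fields go first so <CONTENT_LENGTH> in the
    headers can be the byte length of the finished body; values are percent-encoded
    because this example assumes a form-encoded body."""
    head, sep, body = template.partition("\r\n\r\n")
    body_fields = {
        "<USERNAME>": quote_plus(server.user_name), "<PASSWORD>": quote_plus(server.password),
        "<phone>": quote_plus(phone), "<MESSAGE>": quote_plus(message), "<SEQID>": quote_plus(seqid),
        "<RT_USERNAME>": quote_plus(rt_username), "<RT_PASSWORD>": quote_plus(rt_password),
    }
    for field_name, value in body_fields.items():
        body = body.replace(field_name, value)
    body_bytes = body.encode("utf-8")
    head = (head.replace("<SMS server IP>", server.host_ip)
                .replace("<SMS server port>", str(server.host_port))
                .replace("<CONTENT_LENGTH>", str(len(body_bytes))))
    return head.encode("utf-8") + sep.encode("utf-8") + body_bytes


def content_length_matches(request: bytes) -> bool:
    """Sanity check on a rendered request: the header must equal the body length."""
    head, _, body = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip()) == len(body)
    return False


def response_acknowledges(response: bytes, seqid: str, end_flag: Optional[str] = None) -> bool:
    """The response must echo the request's <SEQID>; when end_flag is configured only
    the part of the response before that marker is examined."""
    text = response.decode("utf-8", "replace")
    if end_flag:
        text = text.split(end_flag, 1)[0]
    return seqid in text


# Constructed template and server (not from a real SMS gateway).
SAMPLE_TEMPLATE = (
    "POST /api/send HTTP/1.1\r\nHost: <SMS server IP>:<SMS server port>\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: <CONTENT_LENGTH>\r\n\r\n"
    "user=<USERNAME>&pass=<PASSWORD>&phone=<phone>&msg=<MESSAGE>&seq=<SEQID>"
)
SAMPLE_SERVER = SmsServer("192.0.2.10", 8080, "gwuser", "gw pass",
                          "Hi <USER>, the verification code is <OTP>")
```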
SMX
host_name This parameter specifies the host name or IP address of the host.
For the host name, its value must be a string of 1 to 128 characters;
for the IP address, its value must be an IPv4 address enclosed by
double quotes.
host_port This parameter specifies the port number used by the host. Its value
is an integer ranging from 0 to 65535.
host_index Optional. This parameter specifies the index of the host among
hosts of the SMX server. Its value must be:
The secondary host is used only when the user fails the
authentication performed by the primary host or when the primary
host is unavailable.
host_index This parameter specifies the index of the host among hosts of the
SMX server.
user@remote_host This parameter specifies the remote host from which the certificate
file is imported and the username for logging into the remote host.
Its value must be a string of 1 to 512 characters in the format of
“user@remote_host”, which must be enclosed by double quotes.
password This parameter specifies the password for logging into the remote
host.
file_path This parameter specifies the path, which includes the certificate file
name, of the certificate file on the remote host. Its value must be a
string of 1 to 1024 characters. The certificate file is a .zip file.
HTTP
http_server_name This parameter specifies the name of an existing HTTP AAA server.
host_name This parameter specifies the host name or IP address of the HTTP
host. For the host name, its value must be a string of 1 to 128
characters; for the IP address, its value must be an IPv4 address
enclosed by double quotes.
host_port Optional. This parameter specifies the port of the HTTP host (The
HTTP host of the HTTP AAA server can be an HTTP or HTTPS
server used for authentication/authorization). Its value must be an
integer ranging from 0 to 65,535.
The default value is 0, indicating the default port. For the HTTP
server, “0” indicates the port 80; for the HTTPS server, “0”
indicates the port 443.
tls_flag Optional. This parameter specifies whether to access the HTTP host
over the TLS protocol. Its value must be:
timeout Optional. This parameter specifies the maximum time that AG waits
for the HTTP response, in seconds. If AG does not receive the HTTP
response within the specified time, it resends the HTTP
authentication request. Its value must be an integer ranging from 0
to 65,535. “0” indicates no timeout. The default value is 5.
retries Optional. This parameter specifies the number of times the HTTP
authentication request is resent to the HTTP host. Its value must be 1, 2 or 3.
The default value is 1.
index Optional. This parameter specifies the host index. Its value must be
1, 2 or 3. The default value is 1.
Only one HTTP authentication request template can be configured for one HTTP AAA server.
http_server_name This parameter specifies the name of an existing HTTP AAA server.
request_url This parameter specifies the HTTP or FTP URL of the HTTP
authentication login template to be imported. Its value must be a
string of 1 to 256 characters.
<password><an_password></password>
<deviceid><an_cus-define-var1></deviceid>
<devicetype>P</devicetype>
<clientversion>9.0.0.0</clientversion>
<clientip><an_clientip></clientip>
<regionid><an_cus-define-var2></regionid>
<regioncolor>G</regioncolor>
</ns1:login>
</soapenv:Body>
</soapenv:Envelope>
When preparing the HTTP authentication login template, please bear the following information in
mind:
The fields <an_username>, <an_password> and <an_clientip> will be filled with user
information of the user to be authenticated.
The field <an_serverhost> will be replaced by the IP address of the HTTP host selected by
AG.
The field <an_content-length> will be filled by AG according to the actual length of the
content.
Note:
The HTTP authentication login template must be a plain text file.
For an HTTP authentication request with customized user information, the portal theme
login page should be used.
http_server_name This parameter specifies the name of an existing HTTP AAA server.
http_server_name This parameter specifies the name of an existing HTTP AAA server.
login_response_filter This parameter specifies the filter condition for the HTTP
authentication login response. Its value must be a string of 1 to 255
characters. The value can contain the variables and related rules
defined by the commands “aaa server http variant response
name” and “aaa server http variant response profile”.
For example:
When the HTTP authentication login response contains an “an_ret” variable whose value is 2, a
challenge is required and the challenge message will be “please enter the login PIN number.”
vs(config) aaa server http login challengemessage "http_server" "1" "<an_ret>=2" "please
enter the login PIN number"
This command should be used together with the “aaa server http challenge require” command.
The HTTP challenge template is similar to the HTTP authentication login template. For details,
please refer to the “aaa server http login template” command.
http_server_name This parameter specifies the name of an existing HTTP AAA server.
request_url This parameter specifies the HTTP or FTP URL of the HTTP
challenge template to be imported. Its value must be a string of 1 to
256 characters.
http_server_name This parameter specifies the name of an existing HTTP AAA server.
http_server_name This parameter specifies the name of an existing HTTP AAA server.
For example:
http_server_name This parameter specifies the name of an existing HTTP AAA server.
challenge_response_filter This parameter specifies the filter condition for the HTTP
authentication challenge message. Its value must be a string of 1 to
255 characters. The value can contain the variables and related rules
defined by the commands “aaa server http variant response
name” and “aaa server http variant response profile”.
For example:
When the challenge response contains an “an_random” variable whose value is 1, a further
challenge is required and the challenge message will be “Please use the UTF-8 encoding format if
multi-byte characters are used.”
http_server_name This parameter specifies the name of an existing HTTP AAA server.
var_name This parameter specifies the name of the customized user variable
in the HTTP authentication login response. Its value must be a
string of 1 to 32 characters in the format of <an_xx>, such as
<an_param1>.
var_filter Optional. This parameter specifies the filter used to parse this
variable included in the HTTP authentication login response. Its
value must be a string of 1 to 256 characters. The default value is
empty.
For example:
vs(config) aaa server http variant response name "http_server" "<an_need_challenge>"
"var_AN_need_challenge=<an_need_challenge>;"
http_server_name This parameter specifies the name of an existing HTTP AAA server.
var_filter This parameter specifies the filter condition used to parse the single
user variable included in the HTTP authentication login response.
Its value must be a string of 1 to 256 characters.
priority Optional. This parameter specifies the priority of the rule. Its value
must be an integer ranging from 1 to 100. The lower the value, the
higher the priority. The default value is 50.
For example:
This command is used to delete a specified multi-variable parsing rule for the specified HTTP
AAA server.
user_name Optional. This parameter specifies the way to obtain the username
from the HTTP (authorization) response. If the username is
successfully obtained from the HTTP response, AG will display the
obtained username on the welcome portal page.
group_name Optional. This parameter specifies the way to obtain the group
name of the end user from the HTTP (authorization) response. The
obtained group name may be further used for the user authorization.
The default value is empty, indicating not obtaining the group name
from the HTTP response.
phone Optional. This parameter specifies the way to obtain the phone
number of the end user from the HTTP (authorization) response.
The obtained phone number is used for SMS authentication when
both HTTP authentication and SMS authentication are required.
picture_url Optional. This parameter specifies the way to obtain the avatar
picture URL of the end user from the HTTP (authorization)
response.
uid Optional. This parameter specifies the way to obtain the UID of the
end user from the HTTP (authorization) response. Its value must be
in the format of “uid=<an_value>”.
end_flag Optional. This parameter specifies the end location of the HTTP
response to be filtered. Its value must be a string of 1 to 256
characters.
For example:
http_server_name This parameter specifies the name of an existing HTTP AAA server.
default_group This parameter specifies the name of the default HTTP group. Its
value must be a string of 1 to 64 characters.
SAML
Security Assertion Markup Language (SAML) is an XML-based open standard for describing and
exchanging security information between on-line business partners. AG supports authentication
and authorization using the SAML protocol. In the SAML architecture, AG works as a Service
Provider (SP), providing resources for users and depending on the assertion of the Identity
Provider (IdP) for user authentication and authorization.
This section covers the commands for configuring the SAML function.
When the SAML function is enabled, the virtual site will use only SAML for authentication and
authorization, and ignore the other authentication and authorization configuration of the AAA
function, such as LocalDB and LDAP. When the SAML function is disabled, the virtual site will
use the authentication and authorization configuration of the AAA function.
idp_name This parameter specifies the name of an IdP. Its value must be a
string of 1 to 64 characters.
Before enabling an IdP, you need to import the metadata of the IdP using the “aaa saml idp
metadata” command and specify the attributes used to obtain the user identity information from
the SAML Assertion response returned by the IdP using the “aaa saml idp attributes” command.
If no IdP is enabled, all available IdPs will be displayed for the user to select for authentication.
idp_name This parameter specifies the name of the existing IdP specified by
the “aaa saml idp name” command.
idp_name This parameter specifies the name of the existing IdP specified by
the “aaa saml idp name” command.
url This parameter specifies the HTTP, HTTPS or FTP URL to obtain
the metadata of the IdP. Its value must be a string of 1 to 900
characters.
This metadata should be imported to the IdP enabled for the SAML SP. Please note that the SP
metadata on the IdP should be updated if the attributes configured using the “aaa saml idp
attributes” command or the binding types configured by the “aaa saml sp slo” command are
changed.
Note: Because multiple IP addresses and domain names can be configured for a virtual
site (via the commands “virtual site ip” and “virtual site domain”), there may be
multiple URLs for the metadata of the SP server. The administrator can select the
metadata as required.
idp_name This parameter specifies the name of the existing IdP specified by
the “aaa saml idp name” command.
username This parameter specifies the attribute to obtain the username from
the SAML Assertion response. The obtained username will be used
for further authorization. Its value must be a string of 1 to 900
characters. Besides, the special value “subject.nameid” is also
supported, indicating the NameID field in the SAML Assertion
response.
groupname Optional. This parameter specifies the attribute to obtain the group
name from the SAML Assertion response. The obtained group
name will be used for further authorization. Its value must be a
string of 1 to 900 characters. The default value is empty.
netpool Optional. This parameter specifies the attribute to obtain the netpool
from the SAML Assertion response. The obtained netpool will be
used for further authorization. Its value must be a string of 1 to 900
characters. The default value is empty.
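The three attribute names above select values from the SAML Assertion returned by the IdP. The following is an added illustration, not Array Networks code, of how such a mapping resolves the identity: the configured username attribute (or the special value “subject.nameid”) must yield exactly one value, while the optional groupname and netpool attributes default to empty. The Assertion, attribute names (“uid”, “memberOf”, “netpool”) and the rule that a multi-valued username is rejected are all constructed for the example.

```python
"""Resolve the user identity from a SAML 2.0 Assertion.

Added example (not Array Networks code): it models how the attribute names
configured with "aaa saml idp attributes" (username, groupname, netpool) select
values from the Assertion, including the special username value "subject.nameid".
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
NAMEID_SELECTOR = "subject.nameid"  # special value documented for the username attribute

# Constructed sample Assertion (signature and conditions omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="netpool"><saml:AttributeValue>pool-a</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _attribute_values(assertion, name):
    """Return every AttributeValue text of the Attribute whose Name equals `name`."""
    values = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            for val in attr.findall("saml:AttributeValue", NS):
                if val.text and val.text.strip():
                    values.append(val.text.strip())
    return values


def extract_identity(assertion_xml, username_attr, groupname_attr=None, netpool_attr=None):
    """Map configured attribute names to {"username", "groups", "netpool"}.

    Raises ValueError when the username cannot be resolved unambiguously: without
    a single username there is nothing to authorize. groupname/netpool are
    optional and default to empty, as on the CLI.
    """
    root = ET.fromstring(assertion_xml)
    # Accept either a bare Assertion or one wrapped in a Response document.
    assertion = root if root.tag == "{%s}Assertion" % SAML_NS else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")

    if username_attr == NAMEID_SELECTOR:
        nameid = assertion.find("saml:Subject/saml:NameID", NS)
        candidates = [nameid.text.strip()] if nameid is not None and nameid.text else []
    else:
        candidates = _attribute_values(assertion, username_attr)
    # Design choice of this example (not stated in the handbook): a multi-valued
    # username attribute is rejected rather than silently picking one value.
    if len(candidates) != 1:
        raise ValueError("username attribute %r missing or ambiguous" % username_attr)

    groups = _attribute_values(assertion, groupname_attr) if groupname_attr else []
    netpools = _attribute_values(assertion, netpool_attr) if netpool_attr else []
    return {"username": candidates[0], "groups": groups, "netpool": netpools[0] if netpools else None}


if __name__ == "__main__":
    print(extract_identity(SAMPLE_ASSERTION, "uid", "memberOf", "netpool"))
    print(extract_identity(SAMPLE_ASSERTION, NAMEID_SELECTOR))
```

Only the attribute extraction is shown; in a real SP the Assertion’s signature, audience and validity window are verified before any attribute is trusted, and a hardened XML parser is used instead of the standard library one.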
type This parameter specifies the binding type for the ACS. Its value
must be:
The default value is “post”. For more details about SAML bindings,
please refer to http://docs.oasis-open.org/security/saml/v2.0/.
type This parameter specifies the binding type for the SLO service.
Its value must be:
both: indicates both the HTTP redirect binding and the HTTP
POST binding.
OAuth Authentication
aaa oauth enable
This command is used to enable OAuth authentication for the virtual site.
When OAuth authentication is enabled for the virtual site, a program of the OAuth client is started
for the virtual site in the system. To communicate with a third-party OAuth server, the OAuth
client should authenticate itself to the OAuth server. Therefore, you need to register the OAuth
client to obtain the Client ID and Secret and register the Redirection URL on the developer
platform of the OAuth server’s service provider. For information on how to register the OAuth
client and the Redirection URL, please contact the service provider of the OAuth server.
When the Google OAuth server is defined, the system automatically adds the following
configurations:
When the WeChat OAuth server is defined, the system automatically adds the following
configurations:
authenticator_url This parameter specifies the URL of the OAuth server’s login page.
Its value must be a string of 1 to 900 characters.
token_url This parameter specifies the URL where the OAuth client obtains
the access token from the OAuth server. Its value must be a string
of 1 to 900 characters.
jwks_url This parameter specifies the URL where to obtain the JWK set of
the OAuth server. Its value must be a string of 1 to 900 characters.
register_id This parameter specifies the registered client ID for the OAuth
client. Its value must be a string of 1 to 128 characters.
register_secret This parameter specifies the registered client secret for the OAuth
client. Its value must be a string of 1 to 128 characters.
redirect_url This parameter specifies the URL to which the OAuth server will
redirect responses. Its value must be a string of 1 to 900 characters.
For the Google OAuth server, its value must be the same as the
Redirection URL
(“https://<virtual_site_domain_name>/prx/000/http/localh/oauth_code”)
registered on Google’s third-party developer platform.
For the WeChat OAuth server, its value must be in the format of
“https://<virtual_site_domain_name>/prx/000/http/localh/oauth_wechat_code”
and its virtual site domain name must have been registered on WeChat’s
developer platform.
resource_url This parameter specifies the URL where the OAuth client obtains
the user information from the resource server. Its value must be a
string of 1 to 900 characters.
Note: The Google OAuth server will return the user information in the Access Token
responses and therefore this configuration is not required.
Note: This option can be used when post-OAuth user registration is disabled.
If the post-OAuth authorization filter is not configured, the system will continue to perform
authorization for all users passing OAuth authentication.
To use a WeChat service account to provide the virtual site’s resources to end users, you also need
to configure the following advanced settings for successful WeChat OAuth authentication.
Method
aaa method name <method_name> [description]
This command is used to add an AAA method. An AAA method specifies the AAA server(s) used for
authentication and the AAA server used for authorization. A maximum of five AAA methods can be
configured.
method_name This parameter specifies the name of the AAA method. Its value
must be a case-insensitive string of 1 to 32 characters enclosed by
double quotes when beginning with a non-alphabetical character.
description Optional. This parameter specifies the description of the method. Its
value must be a string of 1 to 127 characters enclosed by double
quotes when beginning with a non-alphabetical character. If this
parameter is not specified, the default description will be the value
of “method_name”.
method_name This parameter specifies the name of the existing AAA method.
authorization_server Optional. This parameter specifies the authorization server. Its value
must be:
Note:
Note: Different AAA server scenarios can meet specific needs. Following are examples of
how to configure AAA servers:
method_name This parameter specifies the name of the existing AAA method.
otp_server_name This parameter specifies the name of an existing OTP server. The
OTP server must be the SMS server configured by the command
“aaa server name sms”.
authentication_server|authorization_server This parameter specifies the name of an existing server from which
the mobile phone numbers of users will be obtained. The server
must be the one used for authentication or authorization configured
by the command “aaa method server” and the server type must be
LocalDB, LDAP, RADIUS or Certificate.
Rank
aaa method rank include <method_name> <number>
This command is used to add an AAA method to the rank list of AAA methods and set the rank
number of the AAA method in the rank list.
method_name This parameter specifies the name of the existing AAA method.
number This parameter specifies the rank number of the AAA method in the
rank list. Its value must be 1, 2, 3 or 4. The smaller the value, the
higher the rank. For example, the parameter value “1” indicates that
the AAA method ranks number 1 in the rank list.
Note: If the administrator deletes all AAA methods from the rank list, the AAA rank
function will automatically become disabled.
Accounting
aaa accounting {on|off}
This command is used to enable or disable the RADIUS accounting function. By default, this
function is disabled.
This command is used to disable the sending of accounting records to the RADIUS server when
users log in or log out.
Group Mapping
aaa map group <ext_grp_name> <int_grp_name>
This command is used to map an external group to an internal LocalDB group. The maximum
number of group mappings varies with the number of LocalDB groups.
ext_grp_name This parameter specifies the external group name. Its value must be
a string of 1 to 64 characters.
This command is used to delete all mappings between external groups and internal LocalDB
groups.
Hardware ID
aaa hardwareid {on|off}
This command is used to enable or disable the Hardware ID authorization function. By default, the
Hardware ID authorization function is disabled.
email This parameter specifies the email address. Its value must be a
string of 1 to 127 characters.
This command is used to enable or disable Hardware ID authorization for the specified LocalDB
group.
status This parameter specifies the status of the device. Its value must be:
approve: indicates that the users in this group can use the
device to access internal resources.
pending: indicates that the users in this group can use the
device to access internal resources only after the
administrator’s approval.
deny: indicates that the users in this group cannot use the
device to access internal resources.
hardware_id This parameter specifies the hardware ID of the device. Its value
must be a string of 1 to 511 characters.
Note: For an external group, the administrator can map the external group to a LocalDB
group using the “aaa map group” command. Then when the users in this external group
access the virtual site, the Hardware ID rules for the mapping LocalDB group will work
for these users.
displayed.
orderby Optional. This parameter specifies the order by which to display the
hardware ID rules. Its value must be one or more of “name”, “type”,
“status”, “hardwareid”, “hostname” and “synced”. You can enter
multiple values separated with commas. The default value is “name”.
If you want to display the hardware ID rules in reverse order, enter
DESC after the value.
This command is used to set the maximum number of Hardware ID rules with status “approve” for
every LocalDB group with the aggregation function enabled. If this command is not configured,
the default maximum number of Hardware ID rules for every LocalDB group with the aggregation
function enabled is 16.
status This parameter specifies the status of the device. Its value must be:
approve: indicates that the user can use the device to access
internal resources.
pending: indicates that the user can use the device to access
internal resources only after the administrator’s approval.
deny: indicates that the user cannot use the device to access
internal resources.
hardware_id This parameter specifies the hardware ID of the device. Its value
must be a string of 1 to 511 characters.
This command is used to clear the configurations of Hardware ID authorization for a specified
LocalDB group. If the “group_name” parameter is not configured, all configurations of Hardware
ID will be cleared.
To use this function, the Hardware ID synchronization host must be configured using the “localdb
hardwareid sync host” command and the HTTP request template must be configured using the
“localdb hardwareid sync req” command.
To use this function, the Hardware ID synchronization host must be configured using the “localdb
hardwareid sync host” command and the HTTP request templates must be configured using the
“localdb hardwareid sync req” command.
port Optional. This parameter specifies the port number of the Hardware
ID synchronization host. Its value must be an integer ranging from
1 to 65,535. The default value is 80.
from 0 to 60. If the parameter value is set to 0, the system will keep
waiting for the response from the synchronization host. The default
value is 5.
auth_code Optional. This parameter specifies the username and password used
for accessing the Hardware ID synchronization host. Its value must
be a string of 1 to 64 characters. The username and password
should be separated by a colon (:). The default value is empty,
indicating that no authentication is required by the Hardware ID
synchronization host.
Note: If the synchronization fails in the specified timeout and retry times, the system will
try to synchronize the data again after the synchronization host is UP.
This command is used to set the HTTP request template used to synchronize Hardware ID rules
for a specified Hardware ID synchronization host.
action This parameter specifies the HTTP method. Its value must be one of
“get”, “post”, “put” and “delete”.
url This parameter specifies the request URL. Its value must be a string
of 1 to 900 characters and begin with “/”, such as
“/array/addhardwareid”.
The following table describes the mapping relationship between the parameters “type” and
“action”.
Type      Action
Add       Get, Post, Put
Delete    Get, Post, Delete
For example:
“all”. If the parameter value is set to “all”, all the HTTP request
templates for the Hardware ID synchronization host will be deleted.
Role Configuration
role name <role_name> [description] [priority]
This command is used to add a role. When the setting of “role_name” is an existing one, this
command is also used to update role information.
role_name This parameter specifies the name of the role. Its value must be a
string of 1 to 63 characters.
priority Optional. This parameter specifies the priority of the role. Its
value must be an integer ranging from 1 to 2000. The smaller the
value, the higher the priority.
Note:
qual_name This parameter specifies the name of the qualification rule. Its
value must be a string of 1 to 63 characters.
For example, suppose the administrator wants to assign a “stuff” role to all users who log in on the
1st day of every month. If this “stuff” role already has an associated “work” qualification rule, the
administrator can add the necessary condition rule to the “work” qualification with the following
command:
position Optional. This parameter specifies the position of the link on the
portal page. Its value must be an integer ranging from 1 to 1000.
The QuickLink resources will be displayed in ascending order of
the parameter value.
configurations is enabled.
For example:
Note:
For SSO methods other than SSO Post, only the AG appliance can perform the SSO
operations. In this case, please use AG-end SSO and set the “FrontendSSO” to 0.
Frontend SSO Post requires the “sso post” configuration, but not the “sso on”
configuration.
Frontend SSO Post requires that the value of the “post_host” and “hostname”
parameters in the “sso post” configuration should be exactly the same.
Frontend SSO Post requires that the value of the “path” parameter should be the same
as that of the “login_url” parameter in the “sso post” configuration.
Frontend SSO Post does not support the “bookmark” and “other_header_field”
parameters of the “sso post” configuration.
Frontend SSO Post cannot generate the cookie required by some backend servers for
authentication.
Frontend SSO Post cannot work for the Web resources which are accessed by using
the portal URL input bar or the Web navigation tool.
Note: The auto-generated ACL “permit” configurations will be deleted when the
QuickLink resource is deleted from a specified role.
url This parameter specifies the URL link of the WRM resource. Its
value must be a string of 1 to 512 characters.
position Optional. This parameter specifies the position of the link on the
portal page. Its value must be an integer ranging from 1 to 1000.
The WRM resources will be displayed in ascending order of the
parameter value.
For example:
Note:
For SSO methods other than SSO Post, only the AG appliance can perform the SSO
operations. In this case, please use AG-end SSO and set the “FrontendSSO” to 0.
Frontend SSO Post requires the “sso post” configuration, but not the “sso on”
configuration.
Frontend SSO Post requires that the value of the “post_host” and “hostname”
parameters in the “sso post” configuration should be exactly the same.
Frontend SSO Post requires that the value of the “url” parameter be equal to that of
“hostname + login_url” in the “sso post” configuration.
Frontend SSO Post does not support the “bookmark” and “other_header_field”
parameters of the “sso post” configuration.
Frontend SSO Post cannot generate the cookie required by some backend servers for
authentication.
Frontend SSO Post cannot work for the Web resources which are accessed by using
the portal URL input bar or the Web navigation tool.
Note: The auto-generated ACL “permit” configurations will be deleted only when the
WRM resource is deleted from a specified role.
url This parameter specifies the URL of the Aproxy resource. Its
value must be a string of 1 to 512 characters. The host part of the
URL must be an IPv6 address enclosed by square brackets, for
example “http://[2012:1082::6]/test/index.html/”.
display_name This parameter specifies the name displayed on the portal page.
Its value must be a string of 1 to 900 characters.
Note:
For example:
Note: The auto-generated ACL “permit” configurations will be deleted only when the
Aproxy resource is deleted from a specified role.
This command must be configured if users need to access backend resources through the L3VPN
tunnel or Site2Site VPN tunnel.
This command must be configured if users need to access backend resources through the L3VPN
tunnel or Site2Site VPN tunnel.
This command is used to delete a VPN resource group from a specified role.
cifs_url
This parameter specifies the URL address of the CIFS resource
provided by the CIFS server. Its value must be a string of 1 to
512 characters. The format of the URL address can be “//<host
IP>/<folder name>”, “//<host IP>/<folder name>/username” or
“//<host IP>/<folder name>/<path>”, for example,
“//10.3.0.233/test”, “//10.3.0.233/test/username” or
“//10.3.0.233/test/test”. Please note that the URL address cannot
contain the chracters “\”, “:”, “*”, “<”, “>”, “?”, “|” and “"” and
end with “/”.
Note: If the URL address ends with “$”, the file share function
might not work. For example, “//10.10.1.21/hirai$”.
display_name This parameter specifies the name displayed for this CIFS
resource on the portal page. Its value must be a string of 1 to 900
characters.
For example:
Note:
Note: The auto-generated ACL “permit” configurations will be deleted when the CIFS
resource is deleted from a specified role.
be displayed.
resource_type Optional. This parameter specifies the resource type. Its value
must be “all”, “quicklink”, “netpool”, “vpnresourcegroup”,
“web” and “aproxy”. The default value is “all”.
resource_type Optional. This parameter specifies the resource type. Its value
must be one of “all”, “quicklink”, “cifs”, “netpool”,
“vpnresourcegroup”, “web” and “aproxy”. The default value is
“all”.
When the role with the highest priority is associated with a custom session lifecycle policy,
this custom session lifecycle policy will take effect for the user.
When the role with the highest priority is not associated with a custom session lifecycle
policy, the session timeout settings of the virtual site will take effect for the user.
This command is used to display the custom session lifecycle policy associated with a specified
role. If the “role_name” parameter is not specified, the custom session lifecycle policy associated
with every role will be displayed.
ACL Configuration
acl resourcegroup web <resource_group> [description]
This command is used to add a “web” type resource group.
resource_group This parameter specifies the name of the “web” type resource
group. Its value must be a string of 1 to 64 characters.
For Site2Site VPN, to make the subnets on the spokes and hubs accessible, you should configure
them as network resources and add them to the ACL resource group. If NAT rules are configured
for Site2Site VPN using the “vpn site2site forward” command, you should configure the virtual
subnet specified by the parameters “virtual_subnet_IP” and “virtual_subnet_netmask” as the
network resource instead of the real subnet on the spoke/hub.
resource This parameter specifies the resource to be added. Its value must
be a string of 1 to 512 characters. The type of the entered
resource must be the same as that of the resource group. Please
note that both IPv4 and IPv6 resources are supported.
For example:
This command is used to clear the resources of a specified resource group. If the “resource_group”
parameter is not specified, resources of all resource groups will be cleared.
target_name This parameter specifies the name of an existing target. Its value
must be the name of an existing role, user, or group.
priority Optional. This parameter specifies the priority of the ACL rule.
Its value must be an integer ranging from 0 to 1000. The default
value is 1000. The smaller the value, the higher the priority.
target_type Optional. This parameter specifies the type of the target. Its
value must be:
When this function is enabled, the system will accept dynamic ACLs generated by the clients.
Dynamic ACLs are consulted only for requests that match neither an external ACL nor a
configured ACL rule.
Session Management
Global Settings
This global command is used to display the setting of the maximum concurrent session number for
a specified virtual site. If the “virtual_site” parameter is not specified, the settings of the maximum
concurrent session number for all virtual sites will be displayed.
Define the session group first using the “virtual site session group name” command.
Set the maximum number of concurrent sessions permitted for the session group using the
“virtual site session group limit” command.
Associate virtual sites with the session group using the “virtual site session group member”
command.
group_name This parameter specifies the name of a session group. Its value must
be a string of 1 to 64 characters.
This global command is used to display the setting of the maximum concurrent session number for
a specified session group. If the “group_name” parameter is not specified, the settings of the
maximum concurrent session number for all session groups will be displayed.
Note: When the session reuse function becomes enabled or disabled, all current sessions
will be killed.
show maxsession
This global command is used to display the maximum number of concurrent user sessions in each
of the past 12 months.
This global command is used to display the daily maximum session usage records under the global
scope and each virtual site scope during a specified period in descending order.
start_date Optional. This parameter specifies the start date of the daily
maximum session usage records to be displayed. Its value must be a
string in the format of “yyyymmdd”.
If this parameter is not specified, the default start date will be the
date on which the device was put into use.
end_date Optional. This parameter specifies the end date of the daily
maximum session usage records to be displayed. Its value must be a
string in the format of “yyyymmdd”. The parameter value must be
equal to or larger than that of “start_date”.
If this parameter is not specified, the default end date is the current
date.
For example:
month_number Optional. This parameter specifies the month for which the hourly
concurrent user session report will be displayed. Its value must be
an integer ranging from 0 to 12. The default value is 0, indicating
the last month.
Per-VS Settings
no session maxperuser
This command is used to delete the configuration of maximum sessions per user.
This command is used to display the configuration of the cookie expire function.
time This parameter specifies the maximum idle time in seconds. Its
value must be an integer ranging from 1 to 86,400.
Note: If the Site2Site VPN function is used, the session lifetime timeout value should be
set to the maximum value (94,608,000).
When being warned of the session idle timeout, the user is provided with the option to reset
the session idle timeout timer. The default time that users will be warned prior to session idle
timeout is 300 seconds.
When being warned of the session lifetime timeout, the user is provided with the option to
extend the session lifetime. The amount of time by which the user can extend the session
lifetime manually each time can be configured using the “session timeout warning
extension_lifetime” command. The default time that users will be warned prior to session
lifetime timeout is 300 seconds.
idle_warning Optional. This parameter specifies the amount of time that users
will be warned prior to session idle timeout in seconds. Its value
must be an integer ranging from 1 to 86,400. The default value is
300.
lifetime_warning Optional. This parameter specifies the amount of time that users
will be warned prior to session lifetime timeout in seconds. Its
value must be an integer ranging from 1 to 94,608,000. The default
value is 300.
This command is used to set the amount of time by which the user can extend the session lifetime
manually each time. The default time to be extended is 300 seconds.
policy_name This parameter specifies the name of the custom session lifecycle
policy. Its value must be a string of 1 to 63 characters.
idle_timeout Optional. This parameter specifies the time that a session can
remain idle before it expires, in seconds. Its value must be an
integer ranging from 1 to 86,400. The default value is 3600.
life_timeout Optional. This parameter specifies the time that a session can exist
before it expires, in seconds. Its value must be an integer ranging
from 1 to 94,608,000. The default value is 86,400.
idle_warning Optional. This parameter specifies the time in seconds that users
will be warned prior to the session idle timeout. Its value must be
an integer ranging from 1 to 86,400. The default value is 300. If the
“warning” parameter is set to “on”, when being warned of the
session idle timeout, the user is provided with the option to reset the
session idle timeout timer.
lifetime_warning Optional. This parameter specifies the time in seconds that users
will be warned prior to the session lifetime timeout. Its value must
extention_time Optional. This parameter specifies the amount of time by which the
user can extend the session lifetime manually each time, in seconds.
Its value must be an integer ranging from 1 to 94,608,000. The
default value is 300.
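The parameters above, together with the rule in the Role Configuration section that the custom session lifecycle policy of the user’s highest-priority role applies (falling back to the virtual site’s own timeout settings), describe a small state machine. The code below is an added example, not Array Networks code: it selects the effective policy for a user’s roles and then evaluates a session over time, showing how the idle and lifetime timeouts, their warning windows, the idle-timer reset and the manual lifetime extension interact. Role names, policy values and timestamps are constructed; the site-level defaults are taken from the default values listed for the policy parameters.

```python
"""Session lifecycle evaluation driven by role priority.

Added example (not Array Networks code). Encodes: the custom session lifecycle
policy of the highest-priority role (smaller number wins) applies; if that role
has none, the virtual site's settings apply. Then evaluates idle/lifetime
timeouts, warning windows and manual lifetime extension for one session.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LifecyclePolicy:
    name: str
    idle_timeout: int = 3600        # seconds, 1..86,400
    life_timeout: int = 86400       # seconds, 1..94,608,000
    idle_warning: int = 300         # seconds of warning before idle timeout
    lifetime_warning: int = 300     # seconds of warning before lifetime timeout
    extension_time: int = 300       # seconds added per manual extension

    def __post_init__(self):
        # Ranges as documented for the policy parameters.
        if not 1 <= len(self.name) <= 63:
            raise ValueError("policy name must be 1 to 63 characters")
        if not 1 <= self.idle_timeout <= 86400 or not 1 <= self.idle_warning <= 86400:
            raise ValueError("idle timeout/warning out of range")
        for v in (self.life_timeout, self.lifetime_warning, self.extension_time):
            if not 1 <= v <= 94608000:
                raise ValueError("lifetime value out of range")


@dataclass(frozen=True)
class Role:
    name: str
    priority: int                   # 1..2000, smaller value = higher priority
    lifecycle_policy: Optional[LifecyclePolicy] = None


# Constructed stand-in for the virtual site's own timeout settings.
SITE_DEFAULTS = LifecyclePolicy("virtual-site-defaults")


def effective_policy(roles: List[Role], site_policy: LifecyclePolicy) -> LifecyclePolicy:
    """Policy of the highest-priority role, or the site settings if it has none."""
    if not roles:
        return site_policy
    top = min(roles, key=lambda r: r.priority)
    return top.lifecycle_policy or site_policy


@dataclass
class Session:
    started_at: int
    last_activity: int
    extended_by: int = 0            # total seconds of manual lifetime extension

    def touch(self, now: int) -> None:
        """User activity (or the 'reset idle timer' option in the warning) resets idle time."""
        self.last_activity = now

    def extend(self, policy: LifecyclePolicy) -> None:
        """The 'extend lifetime' option adds extension_time to the lifetime limit."""
        self.extended_by += policy.extension_time


def session_state(session: Session, policy: LifecyclePolicy, now: int) -> str:
    """One of 'active', 'idle-warning', 'lifetime-warning', 'expired'."""
    idle = now - session.last_activity
    age = now - session.started_at
    life_limit = policy.life_timeout + session.extended_by
    if idle >= policy.idle_timeout or age >= life_limit:
        return "expired"
    if idle >= policy.idle_timeout - policy.idle_warning:
        return "idle-warning"
    if age >= life_limit - policy.lifetime_warning:
        return "lifetime-warning"
    return "active"


if __name__ == "__main__":
    short = LifecyclePolicy("short", idle_timeout=600, life_timeout=3600)
    roles = [Role("guest", 500), Role("staff", 10, short)]
    policy = effective_policy(roles, SITE_DEFAULTS)
    s = Session(started_at=0, last_activity=0)
    for t in (200, 400, 3400, 3900):
        print(t, session_state(s, policy, t))
```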
username Optional. This parameter specifies the username of the user for
whom the number of active sessions will be displayed. Its value
must be a string of 1 to 64 characters. The default value is empty,
indicating the number of active sessions for every user will be
displayed.
username Optional. This parameter specifies the name of the user for whom
active sessions will be displayed. Its value must be a string of 1 to
64 characters. The default value is empty, indicating active sessions
for all users will be displayed.
device_id Optional. This parameter specifies the DeviceID of the device for
which active sessions will be displayed. Its value must be a string of
1 to 64 characters. The default value is empty, indicating active
sessions for all devices will be displayed.
username Optional. This parameter specifies the name of the user for whom
sessions will be displayed. Its value must be a string of 1 to 64
characters. The default value is empty, indicating the matching
sessions of all users will be displayed.
For example:
type Optional. This parameter specifies the type of the active sessions to
be displayed. Its value must be “mobilel2tp”, “mobileipsec”, “ssl”
or “all”. The default value is “all”.
username Optional. This parameter specifies the name of the user for whom
the active sessions will be displayed. Its value must be a string of 1
to 64 characters. The default value is “ ”, indicating all usernames.
Web Access
Web Access provides a clientless way to access internal Web resources with the standard web
browser. This section covers the commands for configuring this module.
QuickLink
hostname This parameter specifies the public hostname used for mapping to
the internal Web resource. Its value must be a string of 5 to 64
characters.
resource_id This parameter specifies the name of the QuickLink resource. Its
value must be a string of 1 to 20 characters. Only 0-9, a-z, A-Z and
characters “_” and “-” are supported.
virtual_site This parameter specifies the name of the existing virtual site for
which the QuickLink rule is configured.
port This parameter specifies the port used for mapping to the internal
Web resource. Its value must be an integer ranging from 1 to
resource_id This parameter specifies the name of the QuickLink resource. Its
value must be a string of 1 to 20 characters. Only 0-9, a-z, A-Z and
characters “_” and “-” are supported.
virtual_site This parameter specifies the name of the existing virtual site for
which the QuickLink rule is configured.
backend_url This parameter specifies the URL of the internal Web resource. Its
value must be a string of 1 to 900 characters.
rewrite_option1 Optional. This parameter specifies the rewrite option. Its value must
only be:
Note:
rewrite_option2 Optional. This parameter specifies the rewrite option. Its value must
only be “norewrite”, “rewriteexternal”, “rewritexml”, “blockcookie”
or “forwardheader”.
rewrite_option3 Optional. This parameter specifies the rewrite option. Its value must
only be “norewrite”, “rewriteexternal”, “rewritexml”, “blockcookie”
or “forwardheader”.
rewrite_option4 Optional. This parameter specifies the rewrite option. Its value must
only be “norewrite”, “rewriteexternal”, “rewritexml”, “blockcookie”
or “forwardheader”.
rewrite_option5 Optional. This parameter specifies the rewrite option. Its value must
only be “norewrite”, “rewriteexternal”, “rewritexml”, “blockcookie”
or “forwardheader”.
backend_url This parameter specifies the additional URL of the internal Web
resource. Its value must be a string of 1 to 900 characters.
resource_id This parameter specifies the name of the QuickLink resource. The
parameter value must be the name predefined by the command
“virtual site quicklink hostname” or “virtual site quicklink port”.
WRM
General Settings
rewrite {on|off}
This command is used to enable or disable the Web Resource Mapping (WRM) function. By
default, this function is enabled.
WRM Rule
rule_id This parameter specifies the ID of WRM rewrite rule. Its value
must be an integer ranging from 0 to 1024.
parameter_name This parameter specifies the name obtained from the value of the
HTML “name” attribute in the HTML “param” tag.
url|host This parameter specifies the value type obtained from the HTML
“value” attribute of the HTML “param” tag. Its value must only be
“url” or “host”.
index Optional. This parameter specifies the index of the URL or host to
be rewritten. Its value must be an integer ranging from 1 to
4,294,967,295. The default value is empty.
For example, if the HTML file of the backend Web server contains the HTML “param” tag
<param name = “param” value = “http://test.com”/>, the WRM rule should be:
rewrite relative
This command is used to enable the rewrite of the relative URLs. By default, this function is
disabled.
no rewrite relative
This command is used to disable the rewrite of the relative URLs.
URL Masking
file_name Optional. This parameter specifies the file name. Its value must
only be “filename” or its prefix. If this parameter is specified, the
name of file of the internal resource will also be masked. The
default value is empty.
no rewrite urlmask
This command is used to disable the URL masking function.
URL Property
url This parameter specifies the URL that will not be rewritten by the
WRM rewrite rule. Its value must be a string of 9 to 1000
characters.
This command is used to clear the list of URLs that will not be rewritten by the WRM rewrite
rule.
url This parameter specifies the URL for which “Accept Encoding”
headers will be masked. Its value must be a string of 9 to 990
characters.
Custom Rewrite
rule_id This parameter specifies the ID of the custom rewrite rule. Its value
must be an integer ranging from 1 to 4,294,967,295.
rewrite_position This parameter specifies when to execute the custom rewrite rule.
Its value must only be
url_pattern This parameter specifies the URL string used to match with the
URL. Its value must be a string of 1 to 900 characters.
This parameter also supports the prefix match. For example, if the
parameter value is set to xxx.yyy.zzz, all sub-URLs and files under
this path will be rewritten.
Besides, this parameter supports the wildcard “*”. For example, the
URL can be http://*.arraynetworks.com/.
flag Optional. This parameter specifies the flag of the custom rewrite
rule. Its value must be:
“i”: indicates that the system will ignore the case sensitivity
during URL matching.
The default value is empty, indicating the system rewrites the URL
according to the configuration of this custom rewrite rule.
URL Policy
AG provides the URL policies to allow the administrator to control end users’ access to the Web
resources through the virtual site according to the requested URL.
Internal
External
Public
Block
Note: The public URL policy cannot be set as default URL policy.
priority This parameter specifies the priority of the external URL policy. Its
value must be an integer ranging from 0 to 65,535. The smaller the
value, the higher the priority.
url This parameter specifies the URL keyword. Its value must be a
string of 1 to 100 characters.
priority This parameter specifies the priority of the internal URL policy. Its
value must be an integer ranging from 0 to 65,535. The lower the
value, the higher the priority.
url This parameter specifies the URL keyword. Its value must be a
string of 1 to 100 characters.
This command is used to configure a block URL policy. If the requested URL matches the block
URL policy, the block URL policy blocks the end users’ access.
priority This parameter specifies the priority of the block URL policy. Its
value must be an integer ranging from 0 to 65,535. The smaller the
value, the higher the priority.
url This parameter specifies the URL keyword. Its value must be a
string of 1 to 100 characters.
For example:
After this command is executed, the AG appliance will block all access to “a.b.com”.
After this command is executed, the AG appliance will block access to
“a.b.com/test/index.html/”.
priority This parameter specifies the priority of the public URL policy. Its
value must be an integer ranging from 0 to 65,535. The smaller the
value, the higher the priority.
url This parameter specifies the URL keyword. Its value must be a
string of 1 to 100 characters.
show urlpolicy
This command is used to display all URL policies.
no urlpolicy default
This command is used to reset the default URL policy to the default setting “internal”.
SSO
sso {on|off}
This command is used to enable or disable the SSO (Single Sign On) function for Web Access. By
default, this function is disabled. This function takes effect only when the portal login credential is
the same as the login credential of the Web application server.
realm_name This parameter specifies the name of an existing Kerberos realm. Its
value must be an uppercase string of 1 to 128 characters.
For example:
This command is used to add a Key Distribution Center (KDC) to the specified Kerberos realm.
After KDCs are configured, the system sends the request to the KDC with the highest priority to
obtain the service ticket. The earlier the KDC is configured for the virtual site, the higher the
priority of the KDC will be. A maximum of three KDCs can be added to a Kerberos realm.
kdc_host_name This parameter specifies the hostname or IP address of the KDC. Its
value must be a string of 1 to 128 characters. If its value is an IP
address, it must be an IPv4 address enclosed by double quotes.
kdc_port Optional. This parameter specifies the port number that the KDC
listens to. Its value must be an integer ranging from 1 to 65535. The
default value is 88.
Note: If the local DNS server under the global scope supports the service location SRV
resource record, the system can find the KDC by itself, so this command and the “sso
kerberos realm name” command do not need to be configured.
For example:
hostname This parameter specifies the host name of the backend server. Its
value must be a string of 1 to 128 characters.
login_url This parameter specifies the URL of the login page. Its value must
be a string of 1 to 900 characters.
username_field This parameter specifies the field used to post the username for
authentication. Its value must be a string of 1 to 64 characters.
password_field This parameter specifies the field used to post the password for
authentication. Its value must be a string of 1 to 32 characters.
post_host Optional. This parameter specifies the POST target that includes the
port if needed. Its value must be a string of 1 to 128 characters. By
default, the value of the “hostname” parameter is used.
post_url Optional. This parameter specifies the URL to which the POST
request is directed. Its value must be a string of 1 to 900 characters.
By default, the value of the “login_url” parameter is used.
post_fields Optional. This parameter specifies a set of fields that are required
by the backend service in addition to the username and password.
Its value must be a string of 1 to 1024 characters. It can be a string
of only characters or a string containing multiple “field=value”
pairs. In addition, it supports tokens, which will be dynamically
replaced by actual values.
For example:
“domain=abc&deptname=xyz&ipaddress=<IP_ADDR_DOTDEC>
&macaddress=<MAC_ADDR_DASH>”
“enable”: indicates that the end user can access the same
backend application without re-entering their credentials when
accessing the same Web resource again.
other_header_field Optional. This parameter specifies a set of HTTP header fields that
are required by the backend service for user authentication.
Multiple HTTP header fields must be separated by “\r\n”. Its value
should be a string of 1 to 1024 characters.
Proxy
server proxy manual http <ip> <port> <username> <password> <domain>
This command is used to add an HTTP-type backend proxy server.
port This parameter specifies the port number of the backend proxy
server. Its value must be an integer ranging from 0 to 65,535.
username Optional. This parameter specifies the username used for passing
the backend proxy server’s authentication. This parameter needs to
be specified when the backend proxy server requires authentication.
Its value must be a string of 1 to 64 characters. The default value is
empty.
password Optional. This parameter specifies the password used for passing
the backend proxy server’s authentication. This parameter needs to
be specified when the backend proxy server requires authentication.
Its value must be a string of 1 to 32 characters. The default value is
empty.
domain Optional. This parameter specifies the domain of the backend proxy
server. This parameter needs to be specified when the backend
proxy server requires authentication. Its value must be a string of 1
to 64 characters. The default value is empty.
port This parameter specifies the port number of the backend proxy
server. Its value must be an integer ranging from 0 to 65,535.
script_url This parameter specifies the URL from which the AG appliance
downloads a proxy auto-configuration script. Its value must be a
string of 1 to 1024 characters. A script in the required format must
be stored at this URL and this script should include the proxy server
information, such as IP address.
username Optional. This parameter specifies the username used for passing
the authentication of the backend proxy server determined by the
auto-configuration proxy script. Its value must be a string of 1 to 64
characters. The default value is empty.
password Optional. This parameter specifies the password used for passing
the authentication of the backend proxy server determined by the
auto-configuration proxy script. Its value must be a string of 1 to 32
characters. The default value is empty.
domain Optional. This parameter specifies the domain of the backend proxy
server determined by the auto-configuration proxy script. Its value
must be a string of 1 to 64 characters. The default value is empty.
URL Filter
filter {on|off}
This command is used to enable or disable the URL filter function for Web access. This function
is used to prevent Cross Site Scripting (XSS) attacks. By default, this function is disabled.
For example:
Statistics
General Settings
vpn {on|off}
This command is used to enable or disable the VPN function. By default, this function is disabled.
Note: For the Site2Site VPN function, the client traffic isolation function should be
disabled.
Netpool
Basic Settings
The administrator should configure this command regardless of whether backend resources are
accessed through the L3VPN tunnel or the Site2Site VPN tunnel.
netpool This parameter specifies the name of the Netpool. Its value must be
a string of 1 to 31 characters.
Dynamic IP Assignment
The system can dynamically assign the IP address to the SSL VPN Client in either of the
following ways:
Dynamic IP range: When an end user is assigned the Netpool with the dynamic IP range
configured, the system will pick up an IP address from the dynamic IP range.
DHCP server: When an end user is assigned the Netpool with the DHCP server configured,
the system will communicate with the DHCP server to obtain the IP address.
For a Netpool, the dynamic IP range and the DHCP server are mutually exclusive.
start_ip This parameter specifies the first IPv4 address in the dynamic IPv4
range.
end_ip This parameter specifies the last IPv4 address in the dynamic IPv4
range.
Note: In the Active/Active scenario, the dynamic IPv4 range of the local unit should not
overlap with that of the peer unit.
Active/Active scenario (each AG appliance is active for one or some VIPs of the virtual
site)
In this scenario, you need to configure dynamic IP ranges specific to each unit on one AG
appliance and enable the HA runtime synconfig function on all AG appliances. The HA runtime
synconfig function can automatically synchronize the dynamic IP range configurations specific to
certain units to peer units.
For example:
On AG1:
vs(config)$:vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.25 "unit1"
vs(config)$:vpn netpool iprange dynamic "test" 192.168.0.26 192.168.0.50 "unit2"
After the configurations are finished, 25 IP addresses are available on each AG appliance and all
50 IP addresses can be used for the virtual site in total.
Active/Standby scenario (only one AG appliance is active for the virtual site)
For example:
On AG1:
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.50
On AG2:
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.50
After the configurations are finished, 50 IP addresses will be available for the virtual site on the
active AG appliance.
Configure dynamic IP ranges specific to each unit on one AG appliance and enable HA
runtime synconfig.
For example:
On AG1:
vs(config)$:vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.25 "unit1"
vs(config)$:vpn netpool iprange dynamic "test" 192.168.0.26 192.168.0.50 "unit2"
After the configurations are finished, each AG appliance uses its separate IP range of 25 IP
addresses when becoming active for the virtual site.
start_ip This parameter specifies the first IPv6 address in the dynamic IPv6
range.
end_ip This parameter specifies the last IPv6 address in the dynamic IPv6
range.
Note:
The prefixes of IPv6 addresses in the dynamic IPv6 range must be the same. Besides,
the prefix length should be equal to or larger than 96 bits, meaning that the “start_ip”
and “end_ip” can differ only in the last 32 bits.
In the Active/Active scenario, the dynamic IPv6 range of the local unit should not
overlap with that of the peer unit.
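The two range rules above (unit-specific IPv4 ranges of one Netpool must not overlap, and an IPv6 range may differ only in its last 32 bits) are easy to violate by hand. This added check, written for this handbook page and not part of ArrayOS, parses the IPv4 “vpn netpool iprange dynamic” lines exactly as printed in the examples and validates IPv6 start/end pairs directly, since the IPv6 command syntax is not shown on this page. The sample lines and the prompt-stripping are constructed for the example.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample: the two Active/Active lines from the handbook example above.
SAMPLE_LINES = [
    'vs(config)$:vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.25 "unit1"',
    'vs(config)$:vpn netpool iprange dynamic "test" 192.168.0.26 192.168.0.50 "unit2"',
]

PROMPT = "vs(config)$"  # the CLI prompt as printed in the handbook examples


def parse_iprange_line(line):
    """Parse one 'vpn netpool iprange dynamic <netpool> <start_ip> <end_ip> [unit_name]'
    line (the IPv4 form shown on this page). Returns (netpool, start, end, unit),
    with unit None when no unit name is given, or None for any other line."""
    line = line.strip()
    if line.startswith(PROMPT):
        # The examples print '$' or '$:' between the prompt and the command.
        line = line[len(PROMPT):].lstrip(":")
    tokens = shlex.split(line)
    if tokens[:4] != ["vpn", "netpool", "iprange", "dynamic"] or len(tokens) not in (7, 8):
        return None
    start = ipaddress.IPv4Address(tokens[5])
    end = ipaddress.IPv4Address(tokens[6])
    if end < start:
        raise ValueError(f"end_ip {end} precedes start_ip {start}")
    unit = tokens[7] if len(tokens) == 8 else None
    return tokens[4], start, end, unit


def check_ipv4_unit_ranges(entries):
    """Apply the Active/Active rule: unit-specific dynamic ranges of the same Netpool
    must not overlap. Returns ({(netpool, unit): address_count}, [overlap descriptions])."""
    counts = defaultdict(int)
    overlaps = []
    for i, (pool_a, sa, ea, ua) in enumerate(entries):
        counts[(pool_a, ua)] += int(ea) - int(sa) + 1
        for pool_b, sb, eb, ub in entries[i + 1:]:
            # Only ranges tied to different units of the same Netpool are compared;
            # identical Active/Standby ranges carry no unit name and are not flagged.
            if (pool_a == pool_b and ua is not None and ub is not None and ua != ub
                    and sa <= eb and sb <= ea):
                overlaps.append(f"{pool_a}: {ua} {sa}-{ea} overlaps {ub} {sb}-{eb}")
    return dict(counts), overlaps


def check_ipv6_range(start_ip, end_ip):
    """Apply the IPv6 note: start_ip and end_ip share a prefix of at least 96 bits,
    i.e. they may differ only in the last 32 bits. Returns (ok, reason)."""
    start = ipaddress.IPv6Address(start_ip)
    end = ipaddress.IPv6Address(end_ip)
    if end < start:
        return False, "end_ip precedes start_ip"
    if (int(start) >> 32) != (int(end) >> 32):
        return False, "start_ip and end_ip differ outside the last 32 bits"
    return True, "ok"


def audit(lines):
    """Parse every iprange line in a configuration listing and run the IPv4 checks."""
    entries = [e for e in (parse_iprange_line(l) for l in lines) if e]
    return check_ipv4_unit_ranges(entries)


if __name__ == "__main__":
    print(audit(SAMPLE_LINES))
    print(check_ipv6_range("2001:db8::1", "2001:db8::ffff"))
```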
server_ip This parameter specifies the IP address of the DHCP server. Its
value must be an IPv4 address.
lease_time This parameter specifies the desired lease time in minutes. Its value
must be an integer ranging from 5 to 43,200.
subnet This parameter specifies the IP address of the subnet. Its value must
be an IPv4 address.
This command is used to enable the AG appliance to send the client PC’s MAC address as the
unique client ID to request the IP address from the DHCP server, when the end user is assigned
the specified Netpool.
Note: For IE and IE-core browsers, both the “activex” and “java” initiation modes can be
used. However, for non-IE-core browsers, only the “java” initiation mode can be used.
Therefore, this command only works for IE and IE-core browsers.
NAT
Note:
When the VPN Netpool NAT function is enabled and the administrator accesses the
AG appliance through L3VPN, the AG appliance cannot initiate communication
with the L3VPN client.
To use the Site2Site VPN function, the VPN NAT function should be disabled.
The following commands cannot be executed if the SCP/TFTP server is installed on the
L3VPN client:
The following commands cannot be executed to ping or traceroute the L3VPN client:
ping
ping6
traceroute
traceroute6
Keep-alive Interval
interval This parameter specifies the interval that the VPN tunnel will be
kept alive while being inactive. Its value must be an integer ranging
from 1 to 60, in seconds.
Routing
gateway_ip This parameter specifies the IP address of the route gateway. Its
value must be an IPv4 address.
Note: This command works both for SSL VPN and Mobile VPN.
If this command is not configured for a Netpool, received packets will always be sent through the
route gateway configured for the Netpool using the “vpn netpool route gateway <netpool>
<gateway_ip> [unit_name]” command.
If neither the route gateway nor the default route is configured for the Netpool, the received packet
will be sent based on the global routing table.
Note: This command works both for SSL VPN and Mobile VPN.
Client Subnet
Note: To use the Site2Site VPN function, the VPN traffic logging function should be
disabled.
account_id Optional. This parameter specifies the ID that the Netpool assigns
to the Windows administrator account. Its value must be a string of
1 to 255 characters. When the administrator does not specify this
parameter for the first time, its value will be “1”; its value will be
increased by 1 each time this parameter is not specified.
Proxy
type This parameter specifies the type of the proxy server. Its value must
only be “manual” or “script”.
server_url
This parameter specifies the URL of the proxy server. Its value
must be a string of 1 to 256 characters. Its value must be:
For example:
After this command is executed, the file a.txt will be automatically opened when a VPN tunnel is
established.
For example:
After this command is executed, the file a.txt will be opened when a VPN tunnel is disconnected.
DNS Settings
hostname This parameter specifies the hostname of the DNS server. Its value
must be a string of 1 to 31 characters.
hostip Optional. This parameter specifies the IPv4 address of the DNS
server. The default value is “127.0.0.1”.
hostname This parameter specifies the hostname of the DNS server. Its value
must be a string of 1 to 31 characters.
hostip This parameter specifies the IPv6 address of the DNS server.
timeout This parameter specifies the timeout value in milliseconds. Its value
must be an integer ranging from 5 to 3,000.
Note: This command works for the SSL VPN Client on Windows only.
timeout This parameter specifies the timeout value in milliseconds. Its value
must be an integer ranging from 5 to 3,000. Some network
environments, such as 3G/WiFi, have a very large round-trip time
(RTT). Administrators should increase the Netpool’s DNS timeout
value if the SSL VPN Client users’ network RTT is larger than the
virtual site’s default DNS timeout.
Note: This command works for the SSL VPN Client on Windows only.
timeout This parameter specifies the timeout value in milliseconds. Its value
must be between 1,000 and 15,000.
Besides, if the hostname matches multiple virtual DNS filter rules, the SSL VPN Client will select
the longest matching virtual DNS filter rule.
host This parameter specifies the hostname to be resolved. Its value must
be a string of 1 to 31 characters in the format of xxx.yyy.zzz. Setting
the parameter value to “all” indicates all hostnames.
Besides, the wildcard “*” is supported.
flag This parameter specifies the policy that the system will implement
for DNS queries that do not match the virtual DNS filter rule. Its
value must be:
0: indicates that the SSL VPN Client will perform the normal
DNS resolution process. Please refer to the ArrayOS AG User
Guide for details.
1: indicates that the SSL VPN Client will use only the local
DNS server to perform the DNS resolution.
If the “host” parameter is set to “all”, the SSL VPN Client will use
only the virtual DNS server to perform the DNS resolution,
regardless of what the “flag” parameter is set to.
For example:
Besides, if the hostname matches multiple local DNS filter rules, the SSL VPN Client will use the
longest matching local DNS filter rule.
host This parameter specifies the hostname to be resolved. Its value must
be a string of 1 to 31 characters in the format of xxx.yyy.zzz. Setting
the parameter value to “all” indicates all hostnames.
flag This parameter specifies the policy that the system will implement
for DNS queries that do not match the local DNS filter rule. Its
value must be:
0: indicates that the SSL VPN Client will perform the normal
DNS resolution process. Please refer to the ArrayOS AG User
Guide for details.
1: indicates that the SSL VPN Client will use only the virtual
DNS server to perform the DNS resolution.
If the “host” parameter is set to “all”, the SSL VPN Client will use
only the local DNS server to perform the DNS resolution,
regardless of what the “flag” parameter is set to.
For example:
If no virtual or local DNS filter rule is configured, the SSL VPN Client will perform
the normal DNS resolution process.
If both the virtual and local DNS filter rules are configured:
If the hostname matches one virtual DNS filter rule, the virtual DNS filter rule will
take effect.
If the hostname does not match any virtual DNS filter rule but matches one local DNS
filter rule, the local DNS filter rule will take effect.
If the hostname does not match any virtual or local DNS filter rule, but one virtual
DNS filter rule with flag=1 exists, this virtual DNS filter rule will take effect.
If the hostname does not match any virtual or local DNS filter rule, but one virtual
DNS filter rule with flag=0 exists, the Array SSL VPN Client will perform the normal
DNS resolution process.
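The precedence rules above decide, per query, whether the SSL VPN Client uses the Netpool’s virtual DNS server, the PC’s local DNS server, or the normal resolution process. The following decision function is an added illustration written for this page, not ArrayOS code; the rule sets are constructed, and wildcard matching in local rules is an assumption (the page states the “*” wildcard only for virtual rules).

```python
from fnmatch import fnmatchcase

# Constructed sample rule sets for one Netpool: (host pattern, flag).
VIRTUAL_RULES = [("*.corp.example", 1), ("intranet.corp.example", 1)]
LOCAL_RULES = [("*.example", 0)]

VIRTUAL_DNS, LOCAL_DNS, NORMAL = "virtual_dns", "local_dns", "normal"


def matching_rule(hostname, rules):
    """Return the longest-matching (host, flag) rule for hostname, or None.
    "all" matches every hostname; "*" patterns match case-insensitively."""
    host = hostname.lower().rstrip(".")
    hits = [r for r in rules if r[0] == "all" or fnmatchcase(host, r[0].lower())]
    return max(hits, key=lambda r: len(r[0])) if hits else None


def dns_resolution_policy(hostname, virtual_rules, local_rules):
    """Decide which resolver the SSL VPN Client uses for hostname, following the
    precedence described on this page. Returns (decision, rule_that_decided)."""
    if not virtual_rules and not local_rules:
        return NORMAL, None                      # no filter rules: normal resolution
    rule = matching_rule(hostname, virtual_rules)
    if rule:
        # A virtual rule match (including host "all") is checked first and always
        # uses the virtual DNS server, whatever the flag says.
        return VIRTUAL_DNS, rule
    rule = matching_rule(hostname, local_rules)
    if rule:
        return LOCAL_DNS, rule                   # local rule match, virtual rules silent
    # No rule matched: the flags of the configured rules decide the fallback.
    if virtual_rules:
        # virtual flag=1 sends unmatched queries to the local DNS server;
        # flag=0 leaves them to the normal resolution process.
        flagged = [r for r in virtual_rules if r[1] == 1]
        return (LOCAL_DNS, flagged[0]) if flagged else (NORMAL, None)
    # Only local rules exist: local flag=1 sends unmatched queries to the virtual DNS server.
    flagged = [r for r in local_rules if r[1] == 1]
    return (VIRTUAL_DNS, flagged[0]) if flagged else (NORMAL, None)


if __name__ == "__main__":
    for name in ("intranet.corp.example", "www.example", "host.other"):
        print(name, dns_resolution_policy(name, VIRTUAL_RULES, LOCAL_RULES))
```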
This command is used to clear all virtual and local DNS filter rules configured for the specified
Netpool.
With this function enabled, the SSL VPN Client resolves all DNS queries by following a
fixed DNS resolution process in which the DNS settings configured for the specified Netpool
are used first.
With this function disabled, the SSL VPN Client resolves the DNS queries based on the DNS
resolution process of the Windows TCP/IP protocol on the PC with the SSL VPN Client
installed.
Note: IPv6 DNS queries, except those that match the IPv6 DNS hostmap (configured using the
“vpn netpool dns hostmap6” command), cannot be processed by the client DNS proxy
function.
Multicast Forwarding
The administrator should configure this command regardless of whether backend resources are
accessed through the L3VPN tunnel or the Site2Site VPN tunnel.
resource_group This parameter specifies the name of the VPN resource group. Its
value must be a string of 1 to 31 characters.
For Site2Site VPN, to make the subnets on the spokes and hubs accessible, you should configure
them as network resources. If NAT rules are configured for Site2Site VPN using the “vpn
site2site forward” command, you should configure the virtual subnet specified by the parameters
“virtual_subnet_IP” and “virtual_subnet_netmask” as the network resource instead of the real
subnet on the spoke/hub.
resource_group This parameter specifies the name of the existing VPN resource
group.
net_resource This parameter specifies the name of the network resource. Its value
must be a string of 7 to 127 characters in the format of
“[IP]/[Mask]:[Start Port]-[End Port]” or “[Start IP]-[End IP]:[Start
Port]-[End Port]”. For the “[Start IP]-[End IP]:[Start Port]-[End
Port]” format, a standard IP range should be used; otherwise the
configuration will fail to take effect. Please note that both IPv4 and
IPv6 network resources are supported. The [IP]/[Mask] or [Start
IP]-[End IP] part is mandatory while the “[Start Port]-[End Port]”
part is optional. When the “[Start Port]-[End Port]” part is not
contained, all the ports are included.
type Optional. This parameter specifies the type of the services that can
use the network resource. Its value must be:
Note: This parameter must be set to “1” for the Site2Site VPN
function.
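Both network resource formats above, “[IP]/[Mask]:[Start Port]-[End Port]” and “[Start IP]-[End IP]:[Start Port]-[End Port]”, carry an optional port part and must describe a standard IP range or they fail to take effect. This added parser and membership check is written for this page (it is not ArrayOS code) and treats the handbook’s stated constraints (7 to 127 characters, IPv4 and IPv6, all ports when no port part is given, start must not exceed end) as the validation rules; the sample resource strings are constructed.

```python
import ipaddress
import re

_PORT_RE = re.compile(r"^(\d{1,5})-(\d{1,5})$")


class NetResource:
    """A parsed VPN network resource in one of the two handbook formats:
    "[IP]/[Mask]:[Start Port]-[End Port]" or "[Start IP]-[End IP]:[Start Port]-[End Port]".
    The port part is optional; without it every port (0-65535) is included."""

    def __init__(self, spec):
        if not 7 <= len(spec) <= 127:
            raise ValueError("net_resource must be 7 to 127 characters")
        self.spec = spec
        addr_part, self.start_port, self.end_port = self._split_ports(spec)
        if "/" in addr_part:
            # [IP]/[Mask]: prefix length or dotted mask, IPv4 or IPv6.
            net = ipaddress.ip_network(addr_part, strict=False)
            self.first, self.last = net[0], net[-1]
        elif "-" in addr_part:
            # [Start IP]-[End IP]: must be a standard range (same family, start <= end),
            # otherwise the handbook says the configuration fails to take effect.
            s, e = addr_part.split("-", 1)
            self.first, self.last = ipaddress.ip_address(s), ipaddress.ip_address(e)
            if self.first.version != self.last.version or self.last < self.first:
                raise ValueError(f"non-standard IP range: {addr_part}")
        else:
            raise ValueError("address part must be [IP]/[Mask] or [Start IP]-[End IP]")

    @staticmethod
    def _split_ports(spec):
        # The port range, if present, is the text after the last ':' and looks like N-M.
        # IPv6 addresses contain ':' themselves, so only a trailing N-M is taken as ports.
        head, sep, tail = spec.rpartition(":")
        m = _PORT_RE.match(tail) if sep else None
        if not m:
            return spec, 0, 65535
        lo, hi = int(m.group(1)), int(m.group(2))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {tail}")
        return head, lo, hi

    def contains(self, ip, port):
        """True when ip:port falls inside this resource (address family must match)."""
        addr = ipaddress.ip_address(ip)
        return (addr.version == self.first.version
                and self.first <= addr <= self.last
                and self.start_port <= port <= self.end_port)


# Constructed sample resources covering both formats and both address families.
SAMPLE_RESOURCES = ["10.1.0.0/24:80-443", "10.1.0.1-10.1.0.50", "2001:db8::/64:53-53"]

if __name__ == "__main__":
    for spec in SAMPLE_RESOURCES:
        r = NetResource(spec)
        print(spec, r.first, r.last, r.start_port, r.end_port)
```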
For example:
resource_group This parameter specifies the name of the existing VPN resource
group.
net_resource This parameter specifies the name of the network resource. Its value
must be a string of 7 to 127 characters in the format of
“[IP]/[Mask]:[Start Port]-[End Port]” or “[Start IP]-[End IP]:[Start
Port]-[End Port]”. For the “[Start IP]-[End IP]:[Start Port]-[End
Port]” format, a standard IP range should be used; otherwise the
configuration will fail to take effect. Please note that both IPv4 and
IPv6 network resources are supported. The [IP]/[Mask] or [Start
IP]-[End IP] part is mandatory while the “[Start Port]-[End Port]”
part is optional. When the “[Start Port]-[End Port]” part is not
contained, all the ports are included.
type Optional. This parameter specifies the type of the services that can
use the network resource. Its value must be:
Note: If the default gateway is not configured for a client PC, the excluded list configured
for the VPN network resource group will fail to take effect for the client PC.
For example:
This command is used to display the list of excluded network resource items for the specified
VPN resource group. If the “resource_group” parameter is not specified, the lists of excluded
network resource items for all VPN resource groups will be displayed.
resource_group This parameter specifies the name of the VPN resource group. Its
value must be a string of 1 to 31 characters.
application_name This parameter specifies the application name. Its value must be a
string of 1 to 63 characters.
executable_name This parameter specifies the image name of the application. Its
value must be a case-sensitive string of 1 to 256 characters.
hash Optional. This parameter specifies the MD5 hash value. Its value
must be a string of 1 to 32 characters.
If this parameter is specified, the SSL VPN client will verify the
MD5 hash value of the application. The packets can be sent through
the VPN tunnel only when the verification is successful.
This command is used to clear application resource items for the specified VPN resource group. If
the “resource_group” parameter is not specified, application resource items of all VPN resource
groups will be cleared.
resource_group This parameter specifies the name of a VPN resource group. Its
value must be a string of 1 to 31 characters.
application_name This parameter specifies the application name. Its value must be a
string of 1 to 63 characters.
executable_name This parameter specifies the executable name. Its value must be a
string of 1 to 256 characters. This parameter is case-sensitive.
Speed Tunnel
The system supports three types of VPN Tunnels: TCP tunnel, UDP tunnel and DTLS tunnel. By
default, the TCP tunnel will be established after the VPN is connected.
port This parameter specifies the listening port for the UDP or DTLS
Speed Tunnel. Its value must be an integer ranging from 0 to
type Optional. This parameter specifies the type of the Speed Tunnel. Its
value must be:
mode This parameter specifies how the VPN data is dispatched. Its value
must be:
0: indicates that all VPN data goes through the TCP Tunnel.
1: indicates that TCP data goes through the TCP Tunnel and
UDP data goes through the Speed Tunnel.
2: indicates that TCP data goes through the Speed Tunnel and
UDP data goes through the TCP Tunnel.
3: indicates that all VPN data goes through the Speed Tunnel.
protocol This parameter specifies the DTLS protocol version used to encrypt
the DTLS Speed Tunnel. Its value must only be “DTLSv1”,
indicating DTLS version 1.0.
If this command is already configured, this command can also be used to update the existing
cipher suite(s) set for the DTLS Speed Tunnel.
cipher_suite This parameter specifies the cipher suite(s) for the DTLS Speed
Tunnel. Its value must be “DES-CBC3-SHA”, “AES128-SHA” or
“AES256-SHA”. If multiple cipher suites are configured, they must
be separated by colons.
For example:
For example:
validcode This parameter specifies the valid code. Its value must be a string of
8 to 32 characters.
no vpn validcode
This command is used to disable the valid code function and clear the valid code.
Mobile VPN
type Optional. This parameter specifies the type of the IPSec service. Its
value must only be:
For Mobile VPN, IPSec (transport-mode) is in charge of providing security protection for the
tunnel packets. As data encryption is a high CPU-load task, the hardware acceleration card for
IPSec encryption is required.
type Optional. This parameter specifies the type of the IPSec statistics to
be displayed. Its value must only be:
Please note that the following commands can be executed only under the virtual site scope.
This command is used to create an IPSec Phase1 proposal. To start the IPsec service, at least one
IPSec Phase1 proposal must be configured.
proposal_id This parameter specifies the ID of the IPSec Phase1 proposal. Its
value must only be 1, 2, 3, or 4.
psk Optional. This parameter specifies the IPSec pre-shared key. Its
value must be a string of 1 to 16 characters. The default value is
“presharedkey”.
algorithm This parameter specifies the algorithm used for IPSec Phase1
encryption. Its value must only be “3des” or “aes”.
proposal.
algorithm This parameter specifies the algorithm used for IPSec Phase1 Hash.
Its value must only be “md5” or “sha1”.
time Optional. This parameter specifies the maximum time allowed for
completing the IPSec Phase1 negotiation. Its value must be an
integer ranging from 1 to 3600, in seconds. The default value is 15.
algorithm This parameter specifies the algorithm used for IPSec Phase2
encryption. Its value must only be “3des”, “aes” or “all”.
algorithm This parameter specifies the algorithm used for IPSec Phase2
authentication. Its value must only be “hmac_md5”, “hmac_sha1”
or “all”.
time Optional. This parameter specifies the maximum time allowed for
completing the IPSec Phase2 negotiation. Its value must be an
integer ranging from 1 to 3600, in seconds. The default value is 10.
cert_number Optional. This parameter specifies the serial number of the trusted
CA certificate to be activated. Its value must be an integer ranging
from 0 to 4,294,967,295.
The index can be obtained using the “show ssl rootca” command.
The index can be obtained using the “show ssl interca” command.
This command is used to enable or disable the NAT traversal (NAT-T) function when a NAT device
is present between the mobile client and the AG. By default, this function is enabled.
name This parameter specifies the name of the iOS configuration profile.
Its value must be a string of 1 to 32 characters.
no ipsec profilename
This command is used to delete the iOS configuration profile.
domain This parameter specifies the domain name. Its value must be a
string of 1 to 64 characters.
mode This parameter specifies the mode of the domain. Its value must
only be “always”, “never” or “onretry”.
domain This parameter specifies the domain name. Its value must be a
string of 1 to 64 characters.
auth_method This parameter specifies the device authentication method. Its value
must only be “psk” or “certificate”.
This command is used to set the IPSec tunnel lifetime. The IPsec tunnel will be disconnected after
this IPSec tunnel lifetime expires. If this command is not configured, the default IPSec tunnel
lifetime is 3000 seconds.
ipsec {start|stop}
This command is used to start or stop IPSec services for the virtual site. Before starting the IPSec
services, please create an IPSec Phase1 proposal using the “ipsec ikephase1 proposal” first.
If this command is already configured, it can also be used to modify the AAA method for clients
using the IPSec service.
Site2Site VPN
The Site2Site VPN function is provided to establish the L3VPN tunnel between the spokes and
hub (AG). In the Site2Site function, the AG or vxAG appliance functions as the hub (VPN server)
and a physical or virtual CentOS 7 host with the Site2Site VPN client installed functions as the
spoke. A spoke uses a LocalDB account (configured using the “localdb account” command) to
establish the Site2Site VPN tunnel with the hub. The LocalDB account IP configured for the
LocalDB account using the “localdb ip account” command will be used as the tunnel IP for the
spoke.
The Site2Site VPN function shares certain concepts with L3VPN; please refer to the AG 9.3 User
Guide for usage guidelines of Site2Site VPN.
Note:
The Site2Site VPN tunnel should be an always-on tunnel. Therefore, the session
lifetime timeout value (configured via the “session timeout lifetime” command)
should be set to the maximum value (94,608,000).
For the same virtual site, the Site2Site VPN function cannot be used together with the
L3VPN function.
To avoid IP conflicts between spoke subnets and hub subnets, you can configure virtual subnets
for spoke subnets or hub subnets using the “virtual_subnet_ip” and “virtual_subnet_netmask”
parameters. In this way, the virtual subnets will be added to the Site2Site VPN in place of the real
spoke subnets or hub subnets. The mappings between the spoke subnets or hub subnets and virtual
subnets will also be used by spokes to translate the spoke subnet IPs or hub subnet IPs in the
packets to the virtual subnet IPs. Note that only the network portion of the IPs is translated and the
host portion is kept unchanged.
subnet_ip This parameter specifies the IPv4 address of the spoke subnet or
hub subnet.
netmask This parameter specifies the netmask of the spoke subnet or hub
subnet. Its value must be given in dotted decimal notation.
tunnel_ip This parameter specifies the IPv4 address assigned to the Site2Site
VPN tunnel.
For the spoke subnet, the value of this parameter should be the
same as one of the LocalDB account IPs configured using the
“localdb ip account” command.
virtual_subnet_ip Optional. This parameter specifies the IPv4 address of the virtual
subnet.
Note: The virtual subnet should not be the same as any spoke or
hub subnet.
the client. By default, this function is enabled. Please contact Array customer support before
disabling this function.
responses to clients, so that the clients are unaware of the proxy process on the appliance. By
default, this function is disabled.
org_url_field Optional. This parameter specifies the field name of the URL to be
passed to the redirection URL. Its value must be a string of 1 to 16
characters. The default value is empty.
custom_name Optional. This parameter specifies the customized name for the
client IP address in the inserted HTTP header, URL query string, or
HTTP cookie. Its value must be a string of 1 to 32 characters.
header_name Optional. This parameter specifies the customized name for the
HTTP header used to transfer the client certificate to the backend
server. Its value must be a string of 1 to 128 characters. The default
value is “X-Client-Cert:”.
mode Optional. This parameter specifies the mode of inserting the client
certificate into HTTP requests. Its value must be:
certificate_type Optional. This parameter specifies the encoding format of the client
certificate content. Its value must be:
Note: This function works for QuickLink only when the Client Authentication function is
enabled.
field_name This parameter specifies the standard name of the certificate field.
Its value must be:
For “scope”:
Scope Description
Subject The value of the symbol or specific OID will be searched in the client
certificate’s subject DN.
Issuer The value of the symbol or specific OID will be searched in the client
certificate’s issuer DN.
Ext The value of the symbol or specific OID will be searched in the client
certificate’s external field. The client certificate must be in the SSL v2.0
or SSL v3.0 version.
OID or <null> The value of the specific OID will be searched in the client certificate’s
TBS (To Be Signed).
For “symbol”:
Note: When there is more than one value for the same symbol in a specific scope, the
appliance will transfer all of them to the backend server, and a number will be
appended to the customized name starting from the second value. The number starts
at 1 and is increased by 1 for each further value.
If the client certificate has the following subject DN (“OU” in the scope of “subject” has two
values: “Dev” and “AG”):
Then the backend server will receive the following cookie and headers (the integer “1” is added
after the second customized name “OU”):
2.5.4.11: Dev
2.5.4.111: AG
Cookie: OU=Dev, OU1=AG
customized_name Optional. This parameter specifies a customized name for the
certificate field to be inserted into the HTTP header, URL query
string, or HTTP cookie. If this parameter is not specified, the value
of the “field_name” parameter will be used as the customized name.
format_opt Optional. This parameter specifies the format of the certificate field
forwarded to the backend server. Its value is case-insensitive.
Surname
Given Name
Name
Initials
Generation Qualifier
Serial Number
Email Address
Common Name
Positive Title Reverse
Pseudonym
DN Qualifier
Organization Unit
Organization
Locality
State Or Province
Domain Component
Country
The original shows examples of the date and time when the “field_name” parameter is set to
“Validity”, in both the Generalized Time and UTC time formats, rendered as an ASN.1
Extension ::= SEQUENCE { extnValue OCTET STRING } dump that did not survive extraction.
Note: Multiple transfer modes can be set for the same certificate field. However, only one
customized name is allowed for the same certificate field. That is, the newest customized
name of the certificate field will overwrite the customized name of the field in earlier “http
xclientcert plaintext” configurations.
oid This parameter specifies the OID field in the client certificate. Its
value must be enclosed by double quotes.
customized_name This parameter specifies the customized name for the OID field in
the client certificate. Its value must be a string of 1 to 32 characters.
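The naming rule in the note above (a repeated symbol in the same scope is forwarded under the customized name with an integer appended, starting at 1) and the “Validity” date formats are easier to see in code. The following is an added example, not Array Networks code: it builds the header lines and the Cookie line a backend server would receive from a constructed subject DN, using either the symbol or the OID as the field name (which reproduces the “2.5.4.11” / “2.5.4.111” and “OU=Dev, OU1=AG” forms shown above), and decodes a Validity timestamp in either ASN.1 UTCTime or GeneralizedTime encoding. All function names and the sample DN are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample subject DN as (OID, symbol, value) triples in certificate
# order. "OU" (2.5.4.11) appears twice, mirroring the handbook's example.
SAMPLE_SUBJECT = [
    ("2.5.4.6", "C", "US"),
    ("2.5.4.10", "O", "Example Corp"),
    ("2.5.4.11", "OU", "Dev"),
    ("2.5.4.11", "OU", "AG"),
    ("2.5.4.3", "CN", "alice"),
]


def forward_fields(dn, name_by="symbol", customized=None):
    """Return the (name, value) pairs a backend would receive for a DN.

    name_by:    "symbol" or "oid"; selects what is used as the field name.
    customized: optional {field_name: customized_name}; when absent the field
                name itself is used, as the handbook says for customized_name.
    A repeated name gets an integer appended, starting at 1 for the second
    occurrence (OU, OU1, OU2, ...).  Hypothetical helper.
    """
    customized = customized or {}
    counts = {}
    out = []
    for oid, symbol, value in dn:
        field = oid if name_by == "oid" else symbol
        base = customized.get(field, field)
        n = counts.get(base, 0)
        counts[base] = n + 1
        out.append((base if n == 0 else f"{base}{n}", value))
    return out


def as_headers(pairs):
    """Render pairs as HTTP header lines ("name: value")."""
    return [f"{name}: {value}" for name, value in pairs]


def as_cookie(pairs):
    """Render pairs as one Cookie line in the form the handbook's example uses."""
    return "Cookie: " + ", ".join(f"{n}={v}" for n, v in pairs)


def parse_asn1_time(text):
    """Decode a Validity timestamp (UTCTime YYMMDDHHMMSSZ or GeneralizedTime
    YYYYMMDDHHMMSSZ) into an aware UTC datetime.  UTCTime has a two-digit
    year; per RFC 5280, 50..99 means 19xx and 00..49 means 20xx."""
    if not text.endswith("Z"):
        raise ValueError("only Zulu-suffixed times are handled")
    body = text[:-1]
    if len(body) == 12:            # UTCTime
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:          # GeneralizedTime
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"unrecognized time encoding: {text!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


if __name__ == "__main__":
    for line in as_headers(forward_fields(SAMPLE_SUBJECT, name_by="oid")):
        print(line)
    print(as_cookie(forward_fields(SAMPLE_SUBJECT)))
    print(parse_asn1_time("240615083000Z").isoformat())
```

Because the backend server cannot tell a forwarded field from a header a client typed itself, it should accept these names only on connections that come from the appliance; the appliance side of that is the Client Authentication requirement noted above.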
http xusername
This command is used to enable the function of inserting an “X-SSO-USER” HTTP header field
to set the username into HTTP requests sent to the backend server.
no http xusername
This command is used to disable the function of inserting the “X-SSO-USER” HTTP header to set
the username into HTTP requests sent to the backend server.
http statefulredirect
This command is used to enable the HTTP stateful redirection function (or bookmarking
function). When enabled, end users who are required to re-login (for example, after session
timeout) will be redirected to their previous webpage after login.
no http statefulredirect
This command is used to disable the HTTP stateful redirection function.
http nostore
This command is used to disable the browser caching function. After this command is executed,
the response from the backend server will not be cached. By default, the browser caching function
is disabled.
no http nostore
This command is used to enable the browser caching function.
File Share
fileshare cifs {on|off}
This command is used to enable or disable the file share (CIFS) function for the current virtual site.
The file share function provides remote users with access to files shared by the CIFS server.
The files shared by the CIFS server are defined as CIFS resources for roles using the “role
resource cifs” command. By default, the CIFS function is disabled.
domain_name|work_group This parameter specifies the default domain name or work group.
Its value must be a string of 1 to 256 characters.
By default, the virtual site uses the default Web portal. The AG appliance also allows the
administrator to customize the Web portal in any of the following ways:
Portal custom: The portal custom function enables the administrator to customize portal
pages and errors pages using external pages. This function can be used to customize only
certain portal pages and all error pages.
Portal theme: The portal theme function enables the administrator to create a custom portal
theme or import a custom portal theme and activate it for the custom portal theme to take
effect. This function can be used to customize all portal pages and all error pages.
The portal/error page customized using the portal custom function or the portal theme function has
a higher priority than the default portal/error page. In addition, the portal/error page customized
using the portal custom function has a higher priority than that customized by the portal theme
function.
Portal Configuration
This section covers the CLI commands for configuring the general settings for the Web portal or
other settings for certain portal pages.
language This parameter specifies the language used by the Web portal. Its
value must be one of “english”, “chinese”, “chinese-Big5”,
“chinese-GB2312”, “chinese-traditional” or “japanese”. The
administrator can view the list of supported languages by executing
the “show portal languages” command.
no portal language
This command is used to reset the Web portal language to the default value.
This command is used to display the available languages that the Web portal can use. Currently,
the following languages are supported:
url This parameter specifies the HTTP or FTP URL of the custom logo
image. Its value must be a string of 1 to 900 characters.
no portal logo
This command is used to reset the Web portal logo image to the default logo image.
If a character set has been configured, this command is used to modify the existing character set.
character_set This parameter specifies the character set. Its value must be a
string of 1 to 64 characters.
no portal charset
This command is used to delete the configuration of the character set for the Web portal.
portal cookietest
This command is used to enable the check of whether the browser can support cookies. By default,
this function is enabled.
no portal cookietest
This command is used to disable the check of whether the browser can support cookies.
If a message has been configured for the login page, this command is used to modify the existing
message.
login_message This parameter specifies the login message. Its value must be a
string of 1 to 1024 characters.
For example:
If a message has been configured for a shared virtual site, this command is used to modify the
existing message.
choose_site_message This parameter specifies the content of the message. Its value must
be a string of 1 to 1024 characters.
For example:
If the OTP authentication portal message has been configured, this command is used to modify the
existing OTP authentication message.
For example:
vs(config)$portal otp message "The SMS message has been sent to <PHONE>"
If the title of the OTP authentication page has been configured, this command is used to modify
the existing title of the OTP authentication message.
title_string This parameter specifies the title of the OTP authentication page. Its
value must be a string of 1 to 128 characters.
This command is used to set the welcome page title. If this command is not configured, the default
title is “welcome”.
If a welcome page title has been configured, this command is used to modify the existing welcome
page title.
title_string This parameter specifies the title of the welcome page. Its value
must be a string of 1 to 128 characters.
no portal title
This command is used to reset the welcome page title to the default value.
If a welcome message has been configured, this command is used to modify the existing welcome
message.
For example:
portal changeldbpassword
This command is used to enable the display of the “LocalDB password change” link on the
welcome page. When this function is enabled, the “Change Password” hyperlink is displayed on
the welcome portal page. When the user clicks this hyperlink, a “Change Password” portal page
will be displayed for the user to change the password. By default, this function is disabled.
no portal changeldbpassword
This command is used to disable the display of the “LocalDB password change” link on the
welcome page.
no portal changeldappassword
This command is used to disable the display of the “LDAP password change” link on the welcome
page.
portal urlbar
This command is used to enable the URL input bar on the welcome portal page. When this
function is enabled, the URL input bar will be displayed on the welcome portal page after portal
login. With the URL input bar, the user can access Web resources that are not displayed as Web
links on the welcome portal page. By default, this function is disabled.
no portal urlbar
This command is used to disable the URL input bar on the welcome portal page.
This command is used to display whether or not the URL input bar is enabled on the welcome
page.
portal newwindows
This command is used to enable opening a new browser window when a portal link is accessed.
By default, this function is disabled.
no portal newwindows
This command is used to disable opening a new browser window when a portal link is accessed.
nourlbar Optional. This parameter specifies whether the navigation panel has
the URL input bar. Its value must be:
empty: indicates that the navigation panel has the URL input
bar. With the URL input bar, the user can access the desired
URL directly from the current Web page.
no portal navtool
This command is used to disable the Web navigation panel for the pages of Web resources
accessed through the portal.
portal bookmark on
This command is used to enable the bookmark function on the welcome page. With this function,
end users can add the frequently accessed resources on the virtual portal as bookmark links and
access these resources conveniently by clicking these bookmark links in future. AG now supports
adding bookmarks for three types of resources: Web, File Share and Desktops. By default, this
function is disabled.
resource_type This parameter specifies the type of the resource for which the
bookmark is added. Its value must be “web”, “fileshare” or
“desktop”.
url This parameter specifies the URL of the resource for which the
bookmark is added. Its value must be a string of 1 to 512 characters.
This parameter supports HTML tags that can be used between <a>
and </a>, such as “<b>…</b>”, “<font color=x>…</font>”, and
“<i>…</i>”. When HTML tags are used, the parameter value
must be enclosed by double quotes.
parameter Optional. This parameter specifies the resource parameter. Its value
must be a string of 1 to 255 characters. The default value is empty.
For example:
vs(config)$portal bookmark role "r" "web" "http://10.3.6.57" "<b>Test</b>" ""
vs(config)$portal bookmark role "r" "fileshare" "//10.3.6.57/ShareFolder" "<b>File</b>"
""
vs(config)$portal bookmark role "r" "desktop" "http://10.3.6.57" "<b>Test</b>" ""
If an autolaunch message has been configured, this command is used to modify the existing
autolaunch message.
autolaunch_message This parameter specifies the autolaunch message. Its value must be
a string of 1 to 1024 characters.
url This parameter specifies the HTTP or HTTPS URL of the external
RDP proxy server. Its value must be a string of 1 to 512 characters.
url This parameter specifies the HTTP or HTTPS URL of the external
file proxy server. Its value must be a string of 1 to 512 characters.
This command is used to configure the MotionPro client detection function on the portal page.
This function allows the AG appliance to detect whether the MotionPro client has been installed
on the client PC.
If this command is not configured, the system will detect whether the MotionPro client has been
installed on the client PC on the welcome page.
prelogin|postlogin This parameter specifies where the system detects whether the
MotionPro client has been installed on the client PC. Its value must
be:
This command is used to clear all Web portal configurations, including the portal custom, portal
theme and DesktopDirect integration configurations.
Portal Customization
Portal Custom
The portal custom settings enable the administrator to customize the following portal pages using
external pages:
Login page:
Welcome page
Logout page
url This parameter specifies the URL of the custom login page. Its
value must be a string of 1 to 900 characters.
username Optional. This parameter specifies the name of POST field that will
contain the username value. Its value must be a string of 1 to 64
characters. The default value is “uname”.
password1 Optional. This parameter specifies the name of the POST field that
will contain the password value. Its value must be a string of 1 to
64 characters. The default value is “pwd”.
securID Optional. This parameter specifies the name of the POST field that
will contain the securID token code value. Its value must be a string
of 1 to 64 characters. The default value is “token”.
password2 Optional. This parameter specifies the name of the POST field that
will contain the second password value. Its value must be a string of
1 to 64 characters. The default value is “pwd2”.
url This parameter defines the URL of the custom welcome page. Its
value must be a string of 1 to 900 characters.
If a custom password change page has been configured for the AAA method, this command is
used to modify the existing custom password change page.
auth_method This parameter specifies an existing AAA method. Its value must
be defined by the “aaa method name” command.
url This parameter defines the URL of the confirmation page after
successfully changing the password. Its value must be a string of 1
to 900 characters.
url This parameter specifies the URL of the custom logout page. Its
value must be a string of 1 to 900 characters.
var_name This parameter specifies the name of the customized user variable
in the HTTP authentication login request. Its value must be a string
of 1 to 32 characters in the format of <an_xx>, such as
<an_param1>.
var_filter Optional. This parameter specifies the filter condition used to parse
the single variable included in the HTTP authentication login
request. Its value must be a string of 1 to 255 characters. The
default value is empty.
For example:
var_filter This parameter specifies the filter condition used to resolve the
multi-variable combination included in the HTTP authentication
login request. Its value must be a string of 1 to 255 characters.
priority Optional. This parameter specifies the priority of the rule. Its value
must be an integer ranging from 1 to 100. The lower the value, the
higher the priority. The default value is 50.
For example:
url This parameter specifies the URL of the custom error page. Its
value must be a string of 1 to 900 characters.
The following table displays the types of the custom error pages that can be customized:
Portal Theme
A portal theme consists of theme objects and theme errors. Theme objects are used to
customize the portal pages while theme errors are used to customize the error pages.
page_type This parameter specifies the type of the portal page. For the valid
names supported by this parameter, see Table 3-3.
object_name This parameter specifies the name of the theme object. Its value
url This parameter specifies the URL from which the custom portal
page is imported. Its value must be a string of 1 to 900 characters.
file_type This parameter specifies the file type of the custom portal page. Its
value must be one of “html”, “css”, “js”, “xml”, “htc”, “text” or “binary”.
0: do not rewrite.
1: rewrite.
The following table shows the types of portal pages that can be customized:
page_type This parameter specifies the type of the portal page. Please refer to
the “portal theme object” command for the parameter value.
url This parameter specifies the URL of the theme error page. Its value
must be a string of 1 to 900 characters.
url This parameter specifies the HTTP or FTP URL of the portal theme
to be imported. Its value must be a string of 1 to 900 characters.
theme_name Optional. This parameter specifies the name of the portal theme to
be imported. Its value must be a string of 1 to 20 characters.
Note: This parameter only works for portal theme objects in the
imported portal theme but not for theme error pages in it.
If a portal theme has been activated, this command is used to activate another portal theme.
theme_name This parameter specifies the name of the portal theme created or
imported.
DesktopDirect Integration
portal desktop off
This command is used to disable the DesktopDirect Integration function. When this function is
disabled, the Web portal will not integrate DesktopDirect resources. By default, this function is
disabled.
Note: The “portal desktop off”, “portal desktop embed”, and “portal desktop
newwindow” configurations are mutually exclusive.
Application SSO
The Application SSO function enables application login credentials to be passed to the backend
application servers for the login users when the portal and application credentials are different.
This function works for Web, Fileshare and DesktopDirect applications. By default, this function
is disabled for Web, Fileshare and DesktopDirect applications.
To use this function, you also need to configure application login credentials for login users in the
LocalDB server using the “localdb sso account” command.
Cluster
cluster virtual ifname <interface_name> <virtual_cluster_id>
This command is used to add a virtual cluster to the specified interface.
interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface or
VLAN interface.
interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface, VLAN
interface or “all”. “all” indicates virtual clusters of all interfaces
will be cleared.
interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface or
VLAN interface.
virtual_ip This parameter specifies the virtual IP address of the virtual cluster.
interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface or
VLAN interface.
interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface or
VLAN interface.
priority This parameter specifies the priority of the virtual cluster. Its value
must be an integer ranging from 1 to 255. The larger the value, the
higher the priority.
interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface or
VLAN interface.
interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface or
VLAN interface.
This command is used to reset the advertisement interval to default for the specified virtual
cluster.
virtual_cluster_id Optional. This parameter specifies the existing virtual cluster ID.
The default value is 0, indicating that all virtual clusters on the
specified interface will be enabled.
The default value is “all”, indicating that the virtual clusters on all
interfaces will be enabled.
The default value is “all”, indicating that the status for all interfaces
will be displayed.
This command is used to display configurations of the virtual cluster on the specified interface.
The default value is “all”, indicating that the configurations for all
interfaces will be displayed.
The default value is “all”, indicating that the last 10 transition logs
for all interfaces will be displayed.
virtual_cluster_id Optional. This parameter specifies the existing virtual cluster ID.
The default value is 0, indicating that the transition logs for all
This command is used to display the statistics of the virtual cluster on the specified interface.
The default value is “all”, indicating that the statistics of the virtual
cluster for all interfaces will be displayed.
virtual_cluster_id Optional. This parameter specifies the existing virtual cluster ID.
The default value is 0, indicating that the statistics for all virtual
clusters will be cleared.
HA (High Availability)
The High Availability feature provides session synchronization and configuration synchronization
among HA units. All the HA CLI commands need to be executed under the global scope.
General Settings
unit_id This parameter specifies the unique ID of the HA unit. Its value
ranges from 1 to 32.
port Optional. This parameter specifies the port used for primary link
communication with other units. Its value ranges from 1 to 65,535.
The default value is 65,521.
Note:
Before configuring the local unit, you must have configured the local unit’s interface
IP address. Otherwise, the local unit cannot be identified by the HA domain.
The IP addresses of the units in an HA domain must be all IPv4 or all IPv6.
After adding multiple units to an HA domain by executing the command “ha unit”,
the system will establish primary link connections between each pair of units
automatically.
no ha unit <unit_id>
This command is used to delete an HA unit from the HA domain.
Note: If the local unit is deleted from the HA domain, all the “ha hc…” configurations on
the local unit will also be deleted, and the “ha hc peerunit” configuration will be reset to
the default value.
unit_name This parameter specifies the name of the HA unit. Its value should
be a string of 1 to 15 characters.
description Optional. This parameter describes the HA unit. Its value should be
a string of 0 to 256 characters.
ha on
This command is used to enable the HA feature. The HA feature can be enabled only when both
the local unit and any peer unit have been configured.
ha off [force]
This command is used to disable the HA feature. By default, the HA feature is disabled.
link_id This parameter specifies the ID of the secondary link. Its value
ranges from 1 to 31. The ID of each secondary link between two
units should be unique.
port Optional. This parameter specifies the port used for secondary link
communication with another unit. The default value is 65,521.
Note that to establish a secondary link between two units, you need to configure a
secondary link with the same ID on each of the two units.
For example, the IP addresses of two HA units “1” and “2” are 192.168.1.1 and 192.168.10.1
respectively. To establish a secondary link “1” between the two units, the following two
commands must be executed on both units:
Note:
The IP addresses of secondary links must not be on the same network segment as the
IP address of the primary link.
The IP addresses of the two ends of a secondary link must be both IPv4 or both IPv6
addresses.
link_id This parameter specifies the unique ID for the secondary link.
ha ssf on
This command is used to enable the Stateful Session Failover (SSF) function. By default, this
function is disabled.
ha ssf off
This command is used to disable the SSF function.
ha synconfig bootup on
This command is used to enable bootup configuration synchronization. By default, bootup
configuration synchronization is disabled.
Bootup configuration synchronization will synchronize all configurations from the peer HA unit
that first joins the HA domain, except those configurations specific only to an HA unit or to be
implemented only on the specified HA unit.
All the configurations will be synchronized except those matching the following blacklist:
ip route
bond
hostname
vlan
access
ssh ip
webui ip
webui port
webwall
ip redundant
cluster virtual priority
interface name
ha on
ha off
ha log on
ha log off
passwd enable
Note: Before using bootup configuration synchronization, the administrator needs to:
Set the identical synconfig challenge code using the “synconfig challenge” command
on each HA unit.
Configure all HA units as synconfig peers using the “synconfig peer” command on
each HA unit.
ha synconfig runtime on
This command is used to enable runtime configuration synchronization. By default, runtime
configuration synchronization is disabled.
When runtime configuration synchronization is enabled, all CLI commands executed on the local
unit will be synchronized to peer units for execution except the CLI commands that are specific to
the local unit and need to be executed only on the local unit.
CLI commands that match the following blacklist but do not match the following whitelist are
not synchronized. CLI commands that match the whitelist, or that do not match the blacklist,
are synchronized.
hostname ...
no hostname ...
passwd enable ...
ssh ip ...
no ssh ip ...
admin reset configmode ...
system fallback ...
no system fallback ...
system component ...
system reboot ...
system shutdown ...
system console ...
system dump ...
system flexlicense ...
system license ...
no system license ...
system interactive ...
system serialnumber ...
system test ...
system update ...
clear config ...
art export ...
support ...
help ...
who ...
whoami ...
Virtual Site:
switch ...
enable ...
configure ...
exit ...
quit ...
show ...
write ...
client security export ...
For example, “write ...” is in the blacklist while “write memory ...” is in the whitelist.
When “write file/write net scp/write net tftp/write net all scp/write net all tftp” or other
commands prefixed with “write” are executed, they will not be synchronized to peer units for
execution because they match the blacklist entry “write ...” but not match any whitelist entry.
When the “write memory all” command is executed, it will be synchronized to peer units for
execution because it matches the whitelist entry “write memory ...”.
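The blacklist/whitelist rule for runtime synchronization, and the bootup blacklist from the “ha synconfig bootup on” section above, come down to prefix matching over command words. The following is an added example, not Array Networks code, that implements that rule with the handbook’s own lists and checks the “write …” versus “write memory …” cases it describes. It assumes that a trailing “...” matches any further words (possibly none), that the bootup entries, which the handbook writes without “...”, are likewise command prefixes, and that the whitelist contains only the one entry the handbook names; the function names are assumptions.

```python
# Runtime synconfig blacklist, as listed in the handbook (global scope entries
# followed by the entries listed under "Virtual Site").
BLACKLIST = [
    "hostname ...", "no hostname ...", "passwd enable ...", "ssh ip ...", "no ssh ip ...",
    "admin reset configmode ...", "system fallback ...", "no system fallback ...",
    "system component ...", "system reboot ...", "system shutdown ...", "system console ...",
    "system dump ...", "system flexlicense ...", "system license ...", "no system license ...",
    "system interactive ...", "system serialnumber ...", "system test ...", "system update ...",
    "clear config ...", "art export ...", "support ...", "help ...", "who ...", "whoami ...",
    "switch ...", "enable ...", "configure ...", "exit ...", "quit ...", "show ...", "write ...",
    "client security export ...",
]

# The handbook names only this whitelist entry explicitly (assumption: no others).
WHITELIST = ["write memory ..."]

# Bootup synconfig blacklist from the handbook, written there without "...";
# treating each entry as a command prefix is an assumption of this example.
BOOTUP_BLACKLIST = [
    "ip route", "bond", "hostname", "vlan", "access", "ssh ip", "webui ip", "webui port",
    "webwall", "ip redundant", "cluster virtual priority", "interface name", "ha on", "ha off",
    "ha log on", "ha log off", "passwd enable",
]


def matches(pattern, command):
    """True when command matches pattern, comparing whole words.

    A trailing "..." in the pattern matches any further words, including none;
    without it the pattern must equal the complete command.
    """
    pat, cmd = pattern.split(), command.split()
    if pat and pat[-1] == "...":
        head = pat[:-1]
        return cmd[:len(head)] == head
    return cmd == pat


def is_synchronized(command, blacklist=BLACKLIST, whitelist=WHITELIST):
    """Runtime rule: synchronized unless blacklisted and not whitelisted."""
    in_black = any(matches(p, command) for p in blacklist)
    in_white = any(matches(p, command) for p in whitelist)
    return in_white or not in_black


def bootup_synchronized(command, blacklist=BOOTUP_BLACKLIST):
    """Bootup rule: synchronized unless the command starts with a blacklisted prefix."""
    return not any(matches(p + " ...", command) for p in blacklist)


if __name__ == "__main__":
    for cmd in ("write file", "write net scp", "write memory all", "system reboot", "ip route"):
        print(f"{cmd!r:20} runtime sync: {is_synchronized(cmd)}")
```

Word-wise matching matters: “whoami” does not match “who ...”, which is why the handbook lists both, and a blacklist entry like “ha on” in the bootup list does not block an unrelated command that merely starts with the same letters.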
ha rejoin on <time>
This command is used to enable the function of forcing HA units to rejoin the HA domain at a
specified interval. This function works for the Active-Standby mode only and should be
configured on both active and standby units. After this function is enabled, the HA function will
be disabled and then enabled on the peer unit at the specified interval. By default, this function is
disabled.
Example:
After this command is executed, the HA function will be disabled and then enabled at 10:05 every
day on the peer unit.
After this command is executed, the HA function will be disabled and then enabled at 10:05 every
Monday and Tuesday on the peer unit.
After this command is executed, the HA function will be disabled and then enabled every five
minutes on the peer unit.
ha rejoin off
This command is used to disable the function of forcing HA units to rejoin the HA domain.
show ha rejoin
This command is used to display the configuration of the function of forcing HA units to rejoin
the HA domain.
ha log on
This command is used to enable the HA logging function. By default, this function is disabled.
ha log off
This command is used to disable the HA logging function.
log_level This parameter specifies the level of HA logs. The valid values of
“level” are emerg, alert, crit, err, warning, notice, info, and debug.
The default value is info. Once the level of HA logs is specified, the
message lower than this level will be ignored.
line Optional. This parameter specifies how many lines of HA logs will
be displayed. Its value ranges from 1 to 4,294,967,295. The default
value is 100, indicating that the latest 100 lines of HA logs
generated by the system will be displayed.
clear ha log
This command is used to clear all the HA logs.
show ha config
This command is used to display all HA configurations.
clear ha all
This command is used to clear all the HA configurations.
show ha status
This command is used to display the status of all units in the HA domain, including the domain
status, group status, synconfig status, whitelist and blacklist of runtime synconfig, link status and
so on.
HA Groups
ha group id <group_id>
This command is used to add a floating IP group for the local unit. A maximum of 256 groups can
be added for each unit.
no ha group id <group_id>
This command is used to delete the specified floating IP group from the local unit.
clear ha group id
This command is used to delete all the floating IP groups from the local unit.
end_fip This parameter specifies the end IP address of the floating IP range,
which can be an IPv4 or IPv6 address.
Note:
All the IP addresses in the floating IP range, including the start IP and the end IP,
The scope of the floating IP range must be greater than or equal to that of any existing
IP address pool.
unit_id This parameter specifies the name of the HA unit. It can be a local
unit or a peer unit.
Note: The administrator can also modify the priority of the floating IP group on the unit by
executing this command. If the priority of a floating IP group is not specified on a unit, the
group will not take effect on the unit, and the status of the group will always be “Init”.
This command is used to disable the preempt mode for a specified floating IP group or all floating
IP groups.
Health Check
condition_name This parameter specifies the condition name for this gateway health
check. The value of this parameter ranges from GATEWAY_1 to
GATEWAY_32.
interval Optional. This parameter specifies the interval, in ms, at which the
health check is performed. The value of this parameter ranges from
1000 to 10,000. The default value is 1000.
clear ha hc gateway
This command is used to delete all configured gateway health check conditions.
interval Optional. This parameter specifies the interval, in ms, at which the
health check is performed. The value of this parameter ranges from
5000 to 1,000,000. The default value is 5000.
no ha hc cpu overheat
This command is used to delete the CPU overheat health check condition configured for the local
HA unit.
fatal_percent This parameter specifies the threshold for the CPU utilization. The
value of this parameter ranges from 1 to 100, in %.
interval Optional. This parameter specifies the interval, in ms, at which the
health check is performed. The value of this parameter ranges from
5000 to 1,000,000. The default value is 5000.
no ha hc cpu utilization
This command is used to delete the CPU utilization health check condition configured for the
local HA unit.
zone_name This parameter specifies the name of an ATCP zone. The entered
ATCP zone name is case-sensitive and must be enclosed in double
quotes. It only supports the following predefined names:
SSL record
SSL HW
SSL connection
Proxy client
Proxy cookie
Proxy connection
Proxy
uProxy event
TCP pcb
fatal_percent This parameter specifies the threshold for the memory utilization of
the specified ATCP zone. The value of this parameter ranges from 1
to 100, in %.
condition_name This parameter specifies the name of the health check condition.
The value of this parameter ranges from ATCPZONE_1 to
ATCPZONE_64.
fatal_percent This parameter specifies the threshold for the Mbuf utilization. The
value of this parameter ranges from 1 to 100, in %.
no ha hc memory mbuf
This command is used to delete the Mbuf utilization health check condition configured for the
local HA unit.
mpool_name This parameter specifies the name of an mpool. The entered mpool
name is case-sensitive and must be enclosed in double quotes. It
userland events
incomplete conns
Cache Transactions
IPC Transactions
vpn_session
vpn_tunnel
vpn_conn
proxy_t
proxy_conn_data
frame
comp_scg
ssl_crypto_data_t
fatal_percent This parameter specifies the threshold for the memory utilization of
the specified mpool. The value of this parameter ranges from 1 to
100, in %.
condition_name This parameter specifies the name of the health check condition.
The value of this parameter ranges from MPOOL_1 to
MPOOL_16.
This command is used to delete the memory utilization health check conditions configured for all
the mpools on the local HA unit.
free_space_threshold Optional. This parameter specifies the threshold for the system free
space, in MB. The value of this parameter ranges from 0 to 8192.
The default value is 50. 0 indicates the system will not check
whether the free system space is smaller than the free space
threshold.
used_swap_threshold Optional. This parameter specifies the threshold for the used swap
space, in MB. The value of this parameter ranges from 0 to 8192.
The default value is 0, indicating that the system will not check
whether the used swap space exceeds the threshold.
no ha hc memory system
This command is used to delete the system memory health check condition configured for the
local HA unit.
interval Optional. This parameter specifies the interval, in ms, at which the
memory health check is performed. The value of this parameter
ranges from 5000 to 1,000,000. The default value is 5000.
process_name This parameter specifies the name of a process. The entered process
name is case-sensitive and supports only the following predefined
names:
condition_name This parameter specifies the name of the process health check
condition. The value of this parameter ranges from PROCESS_1 to
PROCESS_32.
clear ha hc process
This command is used to delete all the health check conditions configured for the processes
running on the local HA unit.
interval Optional. This parameter specifies the interval, in ms, at which the
health check is performed. The value of this parameter ranges from
300,000 to 3,600,000. The default value is 300,000.
interval Optional. This parameter specifies the interval, in ms, at which the
health check is performed. The value of this parameter ranges from
300,000 to 3,600,000. The default value is 300,000.
no ha hc sslcard
This command is used to delete the SSL card health check condition configured for the local HA
unit.
vcondition_name This parameter specifies the name of the vcondition. The maximum
length of the vcondition name is 128 characters.
Note:
unit_id Optional. This parameter specifies the ID of a unit. Its value ranges
from 0 to 32. The default value is 0, indicating all units. 1 to 32
indicates a specific HA unit.
Decision
condition_name This parameter specifies the name of the health check condition.
The value of this parameter can be the name of a real health check
condition or a vcondition. The system supports the following
values:
conditions
Note:
To ensure that every unit can obtain the running status of the other peer units, the failover
rules configured on all the units must be the same.
The system provides predefined failover rules. You can view these predefined rules by
running the command “show ha decision”. The “condition_name” values of these predefined
rules are PORT_1~PORT_32, and the corresponding “action_name” values are all
“Group_Failover”. You can execute this command to modify the “action_name” of these
predefined rules.
show ha decision
This command is used to display the failover rules of all floating IP groups on the local unit,
including both the predefined and customized rules.
AN(config)#show ha decision
ID Condition_Name Action_Name Group_ID
0 PORT_1 Group_Failover -
1 PORT_2 Group_Failover -
2 PORT_3 Group_Failover -
3 PORT_4 Group_Failover -
4 PORT_5 Group_Failover -
5 PORT_6 Group_Failover -
6 PORT_7 Group_Failover -
7 PORT_8 Group_Failover -
8 PORT_9 Group_Failover -
9 PORT_10 Group_Failover -
10 PORT_11 Group_Failover -
11 PORT_12 Group_Failover -
12 PORT_13 Group_Failover -
13 PORT_14 Group_Failover -
14 PORT_15 Group_Failover -
15 PORT_16 Group_Failover -
16 PORT_17 Group_Failover -
17 PORT_18 Group_Failover -
18 PORT_19 Group_Failover -
19 PORT_20 Group_Failover -
20 PORT_21 Group_Failover -
21 PORT_22 Group_Failover -
22 PORT_23 Group_Failover -
23 PORT_24 Group_Failover -
24 PORT_25 Group_Failover -
25 PORT_26 Group_Failover -
26 PORT_27 Group_Failover -
27 PORT_28 Group_Failover -
28 PORT_29 Group_Failover -
29 PORT_30 Group_Failover -
30 PORT_31 Group_Failover -
31 PORT_32 Group_Failover -
32 SYS_MEM Unit_Failover -
33 CPU_UTIL Group_Failover 1
34 CPU_TEMP Reboot -
Chapter 9 WebWall
This chapter covers the CLI commands used for configuring the WebWall function.
The system provides the WebWall function to filter the packets that need to pass through the AG
appliance. With the WebWall function enabled on a specified interface, when the packets reach
this interface of the AG appliance, the system will employ the Access Control List (ACL) permit
and deny rules associated with this interface to permit or deny the packets.
Access List
The system supports a maximum of 1024 ACL permit and deny rules. Every ACL permit or deny
rule has a unique ID. The ACL permit or deny rule will take effect only when it is associated with
a system interface, bond interface or VLAN interface using the “accessgroup” command.
accesslist_id This parameter specifies the ID of the ACL permit rule. Its value
must be an integer ranging from 1 to 999.
accesslist_id This parameter specifies the ID of the ACL permit rule. Its value
must be an integer ranging from 1 to 999.
source_port This parameter specifies the source port number. Its value must
be an integer ranging from 0 to 65535. “0” indicates all ports.
destination_port This parameter specifies the destination port number. Its value
must be an integer ranging from 0 to 65535. “0” indicates all
ports.
accesslist_id This parameter specifies the ID of the ACL permit rule. Its value
must be an integer ranging from 1 to 999.
source_port This parameter specifies the source port number. Its value must
be an integer ranging from 0 to 65535. “0” indicates all ports.
destination_port This parameter specifies the destination port number. Its value
must be an integer ranging from 0 to 65535. “0” indicates all
ports.
accesslist_id This parameter specifies the ID of the ACL permit rule. Its value
must be an integer ranging from 1 to 999.
accesslist_id This parameter specifies the ID of the ACL permit rule. Its value
must be an integer ranging from 1 to 999.
accesslist_id This parameter specifies the ID of the ACL permit rule. Its value
must be an integer ranging from 1 to 999.
accesslist_id This parameter specifies the ID of the ACL permit rule. Its value
must be an integer ranging from 1 to 999.
accesslist_id This parameter specifies the ID of the ACL permit rule. Its value
must be an integer ranging from 1 to 999.
source_port This parameter specifies the source port number. Its value must
be an integer ranging from 0 to 65535. “0” indicates all ports.
destination_port This parameter specifies the destination port number. Its value
must be an integer ranging from 0 to 65535. “0” indicates all
ports.
accesslist_id This parameter specifies the ID of the ACL permit rule. Its value
must be an integer ranging from 1 to 999.
source_port This parameter specifies the source port number. Its value must
be an integer ranging from 0 to 65535. “0” indicates all ports.
destination_port This parameter specifies the destination port number. Its value
must be an integer ranging from 0 to 65535. “0” indicates all
ports.
accesslist_id This parameter specifies the ID of the ACL permit rule. Its value
must be an integer ranging from 1 to 999.
accesslist_id This parameter specifies the ID of the ACL permit rule. Its value
must be an integer ranging from 1 to 999.
accesslist_id This parameter specifies the ID of the ACL permit rule. Its value
must be an integer ranging from 1 to 999.
The following commands are used to delete the configurations of the specified ACL permit or
deny rule.
clear accesslist
This command is used to clear all ACL permit and deny rules.
Access Group
accessgroup <accesslist_id> <interface>
This command is used to associate existing ACL permit or deny rules with a specified interface.
interface This parameter specifies the interface with which the ACL permit or
deny rule is associated. Its value must be the name of a system
interface, bond interface, or VLAN interface.
Example:
Note: If an ACL permit or deny rule is deleted, the associations between this ACL rule and all
interfaces will also be deleted.
show accessgroup
This command is used to display all the associations between the ACL permit or deny rules and
the interfaces.
clear accessgroup
This command is used to clear all the associations between the ACL permit or deny rules and the
interfaces.
WebWall
webwall <interface> <on|off> [mode]
This command is used to enable or disable the WebWall function on a specified interface.
When the WebWall function is enabled on an interface, the system allows a packet to pass
through the interface only when the packet explicitly matches an ACL permit rule. When a
packet matches both an ACL permit rule and an ACL deny rule, the ACL deny rule takes
effect. When a packet matches multiple ACL permit or deny rules, the rules are evaluated in
ascending order of their IDs. If no ACL permit or deny rule is associated with the interface,
no TCP, UDP or ICMP packets are allowed to pass through the interface.
When the WebWall function is disabled on an interface, all packets can pass through the interface.
For security reasons, it is strongly recommended that administrators disable the WebWall
function only for diagnostic purposes. By default, the WebWall function is disabled on every
interface.
interface This parameter specifies the interface name. Its value must be the
name of a system interface, bond interface, or VLAN interface.
1: indicates the ack mode. In this mode, TCP packets with the ACK flag set are
permitted by default.
Note: When the WebWall function is disabled, the configurations of ACL permit or deny
rules and the associated interfaces will still exist.
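The decision order described above (explicit permit required, deny wins, ascending rule IDs, default deny with no rules, everything passes when WebWall is off), modelled as an added example; this is not code from the handbook or from Array Networks, and the rule/packet data model and the reading of ack mode as a flipped default for TCP ACK packets are assumptions:

```python
"""Model of the WebWall ACL decision order described in this section."""
from __future__ import annotations
from dataclasses import dataclass

# The rule/packet model below is an assumption made for this example; it is
# not the appliance's own data structure.


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    ack: bool = False     # TCP ACK flag; only consulted in ack mode


@dataclass(frozen=True)
class AclRule:
    rule_id: int          # unique accesslist_id, 1 to 999
    action: str           # "permit" or "deny"
    proto: str
    src_port: int = 0     # 0 means all ports, as documented
    dst_port: int = 0

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.src_port in (0, pkt.src_port)
                and self.dst_port in (0, pkt.dst_port))


class WebWall:
    def __init__(self) -> None:
        self.rules: dict[int, AclRule] = {}
        self.groups: dict[str, set[int]] = {}         # interface -> associated rule IDs
        self.state: dict[str, tuple[bool, int]] = {}  # interface -> (on, mode)

    def accesslist(self, rule: AclRule) -> None:
        if not 1 <= rule.rule_id <= 999:
            raise ValueError("accesslist_id must be an integer from 1 to 999")
        if rule.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.rules[rule.rule_id] = rule

    def no_accesslist(self, rule_id: int) -> None:
        # Deleting a rule also drops its associations with every interface (see Note).
        self.rules.pop(rule_id, None)
        for ids in self.groups.values():
            ids.discard(rule_id)

    def accessgroup(self, rule_id: int, interface: str) -> None:
        if rule_id not in self.rules:
            raise KeyError(f"no accesslist with id {rule_id}")
        self.groups.setdefault(interface, set()).add(rule_id)

    def webwall(self, interface: str, on: bool, mode: int = 0) -> None:
        self.state[interface] = (on, mode)

    def decide(self, interface: str, pkt: Packet) -> tuple[bool, str]:
        """Return (allowed, reason) for a packet arriving on the interface."""
        on, mode = self.state.get(interface, (False, 0))   # disabled by default
        if not on:
            return True, "webwall off: all packets pass"
        # Default verdict is deny unless a permit rule matches. In ack mode, TCP
        # packets carrying ACK are "permitted by default"; this model reads that
        # as flipping the default, so a matching deny rule still wins (assumption).
        allowed, reason = False, "no matching permit rule"
        if mode == 1 and pkt.proto == "tcp" and pkt.ack:
            allowed, reason = True, "ack mode: TCP ACK permitted by default"
        for rule_id in sorted(self.groups.get(interface, ())):  # ascending ID order
            rule = self.rules[rule_id]
            if not rule.matches(pkt):
                continue
            if rule.action == "deny":
                return False, f"deny rule {rule_id} (deny wins over permit)"
            if not allowed:
                allowed, reason = True, f"permit rule {rule_id}"
        return allowed, reason


def build_example() -> WebWall:
    """Constructed configuration: three rules on port1, ack mode on port2, port3 off."""
    ww = WebWall()
    ww.accesslist(AclRule(10, "permit", "tcp", dst_port=443))
    ww.accesslist(AclRule(20, "permit", "tcp", dst_port=22))
    ww.accesslist(AclRule(30, "deny", "tcp", dst_port=22))
    for rule_id in (10, 20, 30):
        ww.accessgroup(rule_id, "port1")
    ww.webwall("port1", True)
    ww.webwall("port2", True, mode=1)
    ww.webwall("port3", False)
    return ww


if __name__ == "__main__":
    ww = build_example()
    for iface, pkt in (("port1", Packet("tcp", 51000, 443)),
                       ("port1", Packet("tcp", 51000, 22)),
                       ("port2", Packet("tcp", 443, 51000, ack=True)),
                       ("port3", Packet("icmp"))):
        print(iface, pkt, ww.decide(iface, pkt))
```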
show webwall
This command is used to display the current configurations of the WebWall function.
With the Client Security function, the system will classify the remote client into a certain device
class based on a set of host integrity checks and device attributes such as IP address, Registry and
OS, and then assign the corresponding level of access privileges to the client.
This chapter covers the commands used for configuring device classes. Other configurations are
available only via the WebUI.
If this command is not configured, the default Client Security level is “none”.
level This parameter specifies the default Client Security level. Its value
must be:
After the Client Security function is enabled, the system matches the client accessing the virtual
site against all device class rules sequentially, in descending order of priority, until one rule is
matched. The client matches a device class rule when it passes the host security checks defined
for that rule, matches the device attributes configured for that rule, or satisfies both
conditions.
If no device class rule is matched, the client will be rejected from reaching the login page.
If the client matches a device class rule, the client will be assigned the access privileges indicated
by the Client Security level after logging into the virtual site.
device_name This parameter specifies the name of the device class to be added to
the virtual site. Its value must be a string of 1 to 32 characters.
level This parameter specifies the security level. Its value must be:
privileges.
Note: If two-stage Client Security is enabled, the system only matches the client with
the first two device class rules. The configurations of two-stage Client Security, host
integrity and device attributes are available only via WebUI.
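The device class matching procedure above (descending priority, first match wins, rejection when nothing matches, only the first two rules in two-stage mode), as an added example that is not code from the handbook or from Array Networks; the rule fields, the client record layout and the treatment of the IP attribute as a subnet are assumptions:

```python
"""Device class matching in descending priority order, as described for Client Security."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DeviceClassRule:
    name: str
    priority: int
    level: str                                   # Client Security level granted on match
    host_checks: frozenset[str] = frozenset()    # host integrity checks the client must pass
    attributes: dict[str, str] = field(default_factory=dict)  # e.g. {"os": ..., "ip": ...}

    def matches(self, client: dict) -> bool:
        # A rule may define checks only, attributes only, or both; the client has to
        # satisfy everything the rule defines.
        if not self.host_checks <= client["passed_checks"]:
            return False
        for key, wanted in self.attributes.items():
            actual = client["attributes"].get(key)
            if actual is None:
                return False
            if key == "ip":   # the IP attribute is read as a subnet here (assumption)
                if ipaddress.ip_address(actual) not in ipaddress.ip_network(wanted, strict=False):
                    return False
            elif actual != wanted:
                return False
        return True


def classify(rules: list[DeviceClassRule], client: dict,
             two_stage: bool = False) -> tuple[str, str] | None:
    """Return (rule name, level) of the first matching rule, or None when the
    client matches nothing and is therefore kept off the login page."""
    ordered = sorted(rules, key=lambda r: r.priority, reverse=True)
    if two_stage:
        ordered = ordered[:2]    # two-stage mode only consults the first two rules (see Note)
    for rule in ordered:
        if rule.matches(client):
            return rule.name, rule.level
    return None


def example_rules() -> list[DeviceClassRule]:
    """Constructed rule set: managed corporate hosts, BYOD with antivirus, then a catch-all."""
    return [
        DeviceClassRule("guest", 10, "none"),
        DeviceClassRule("corporate", 100, "full",
                        frozenset({"av_running", "fw_enabled"}),
                        {"os": "Windows", "ip": "10.0.0.0/8"}),
        DeviceClassRule("byod", 50, "limited", frozenset({"av_running"})),
    ]


if __name__ == "__main__":
    client = {"passed_checks": {"av_running"},
              "attributes": {"os": "macOS", "ip": "192.0.2.7"}}
    print(classify(example_rules(), client))
    print(classify(example_rules(), client, two_stage=True))
```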
level This parameter specifies the name of the existing custom Client
Security level defined by the “client security level” command.
level This parameter specifies the name of the existing custom Client
Security level defined by the “client security level” command.
level This parameter specifies the name of the existing custom Client
Security level defined by the “client security level” command.
level This parameter specifies the name of the existing custom Client
Security level defined by the “client security level” command.
This command is used to export the Client Security configuration file to an SCP server.
server_name This parameter specifies the name of the remote SCP server to
which the Client Security configuration file will be exported. Its
value must be a string of 1 to 128 characters.
user_name This parameter specifies the name of the user on the remote SCP
server. Its value must be a string of 1 to 64 characters.
file_path This parameter specifies the file path of the Client Security
configuration file to be exported. The file path must include the file
name. Its value must be a string of 1 to 256 characters.
server_ip This parameter specifies the IP address of the remote TFTP server.
file_name Optional. This parameter specifies the file name of the Client
Security configuration file to be exported. The default name is
“setup.orig.xml”. Its value must be a string of 1 to 256 characters.
url This parameter specifies the HTTP or FTP URL of the Client
Security configuration file. Its value must be a string of 1 to 512
characters.
lcc Optional. This parameter specifies the “lcc” mode. Its value must
be:
“lcc”: indicates that after the remote client passes the client
security check, the browser will ignore the “Success_URL”
field, which was configured via WebUI for the specified
device class, and will be redirected to the login page.
empty: indicates that after the remote client passes the client
security check, the browser will be redirected to the page
specified by the “Success_URL” field, which was configured
via WebUI for the specified device class.
Graphic Monitoring
statmon {on|off}
This global command is used to enable or disable the status monitoring function. The status
monitoring function monitors and collects information regarding the system’s running status at
fixed intervals, such as the status of CPU utilization, system memory utilization and active
sessions. The administrator can view the status information in the form of graphs via WebUI. By
default, this function is disabled.
Note: If the system time of an HA unit is not the current time, the graphs of the status
information displayed on WebUI will be abnormal when this HA unit is added to the HA
domain.
statmon clear
This global command is used to clear all existing statistic information collected by the status
monitoring function.
unused_days This parameter specifies the number of days. Its value must be an
integer ranging from 0 to 4,294,967,295. The default value is 730.
Logging
General Settings
log {on|off}
This global command is used to enable or disable the logging function of the AG appliance. By
default, this function is disabled.
After the logging function is enabled, the system generates system log messages according to the
log level specified by the “log level” command, and sends the system log messages to the log
buffer and to the remote syslog hosts (if configured using the “log host” command).
level This parameter specifies the log level. Its value must be
“emerg”, “alert”, “crit”, “err”, “warning”, “notice”, “info”, or
“debug”; these values are listed from the highest priority to the
lowest. The higher the priority of the log level, the higher the
severity of the event. When the log level is set, the system generates
logs of only this level and higher levels. For details, please refer to
the syslog RFC.
facility_name This parameter specifies the log facility. Its value must be
“LOCAL0”, “LOCAL1”, “LOCAL2”, “LOCAL3”, “LOCAL4”,
“LOCAL5”, “LOCAL6” or “LOCAL7”. For details, please refer to
the syslog RFC.
source_port This parameter specifies the source port for sending the system log
messages. Its value must be an integer ranging from 1 to 65,535.
log test
This command is used to generate a test log message at the level “emerg”.
Log Customization
This global command is used to set the HTTP access logging format. The system supports the
HTTP access log formats “combined”, “common” and “squid”. Please refer to the RFC for details.
vip_option This parameter specifies whether or not the VIP (virtual IP) on
which the request is received is logged. Its value must be:
host_option This parameter specifies whether or not the host in the request is
logged.
This global command is used to set the HTTP access logging format to “welf”.
format This parameter specifies the HTTP access logging format. Its value
must be a string of 1 to 256 characters enclosed by double quotes
and formed using the symbols listed below. Besides, any characters
that are not part of the symbols listed below can also be added to
the log message.
Symbol Meaning
%a Cache result
%b Bytes returned by proxy to client
%c Client IP address
%d Date stamp
%e HTTP MIME type information
%f The “PROXY_LOG” tag, which can be used to distinguish these logs from other logs.
%g Time stamp (military format)
%h Host name as pulled from client host
%i User-agent
%k Session cookies
%m HTTP method
%n Full date/time stamp [MM/DD/YYYY:HH:MM:SS +/-0000]
%o Port of virtual service
%p Proxy IP address, VIP
%q A single double quote
%r HTTP return status code
%s Real Server IP address
%t Unix time stamp
%u Request URL
%v Protocol version
%w Referrer (from the client Referrer: header)
%B Username
%D SSL session ID
%N Full date/time stamp [DD/MMM/YYYY:HH:MM:SS +/-0000]
%P Real Server port
%R Elapsed time, time-taken
%T Time format compatible with W3C (GMT)
%U Full URL
So, for example, the following custom HTTP logging format instructs the log system to record the
time stamp, elapsed time, client IP address, cache result, HTTP return status code, bytes returned
by proxy to client, HTTP method, request URL and real server IP address.
This log format will be the same as the effect of the command “log http squid”.
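An added example (not code from the handbook or from Array Networks) that expands a custom format string using the symbol table above and builds the matching parser, so the resulting lines can be read back into fields; the sample transaction and the format string are constructed, and the exact layouts of %d, %g and %T are assumptions:

```python
"""Render and parse lines in the custom HTTP access log format described above."""
from __future__ import annotations
import re
from datetime import datetime, timezone

# Constructed sample transaction (not from the handbook); keys are this example's own names.
SAMPLE_TIME = datetime(2018, 3, 5, 14, 7, 9, tzinfo=timezone.utc)
SAMPLE = {
    "cache_result": "TCP_MISS", "bytes": 5123, "client_ip": "198.51.100.23",
    "mime": "text/html", "host": "portal.example.com", "user_agent": "Mozilla/5.0",
    "cookies": "SESSID=abc123", "method": "GET", "vport": 443, "vip": "203.0.113.10",
    "status": 200, "rs_ip": "10.0.0.5", "url": "/index.html", "version": "HTTP/1.1",
    "referrer": "https://portal.example.com/", "username": "alice",
    "ssl_session_id": "0a1b2c", "rs_port": 8080, "elapsed_ms": 37,
    "full_url": "https://portal.example.com/index.html",
}

# Symbol table from the handbook, mapped onto the sample record's keys.
SYMBOLS = {
    "a": "cache_result", "b": "bytes", "c": "client_ip", "e": "mime", "h": "host",
    "i": "user_agent", "k": "cookies", "m": "method", "o": "vport", "p": "vip",
    "r": "status", "s": "rs_ip", "u": "url", "v": "version", "w": "referrer",
    "B": "username", "D": "ssl_session_id", "P": "rs_port", "R": "elapsed_ms",
    "U": "full_url",
}
TIME_SYMBOLS = "dgnNtT"


def _time_fields(t: datetime) -> dict[str, str]:
    # %n and %N follow the bracketed layouts given in the table; the layouts of
    # %d, %g and %T are not spelled out in the handbook and are assumed here.
    return {
        "d": t.strftime("%m/%d/%Y"),
        "g": t.strftime("%H:%M:%S"),
        "n": t.strftime("[%m/%d/%Y:%H:%M:%S %z]"),
        "N": t.strftime("[%d/%b/%Y:%H:%M:%S %z]"),
        "t": str(int(t.timestamp())),
        "T": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def render(fmt: str, rec: dict, when: datetime) -> str:
    """Expand fmt according to the %-symbol table; unknown symbols stay literal."""
    if not 1 <= len(fmt) <= 256:
        raise ValueError("format must be a string of 1 to 256 characters")
    times = _time_fields(when)

    def expand(m: re.Match) -> str:
        sym = m.group(1)
        if sym == "q":
            return '"'
        if sym == "f":
            return "PROXY_LOG"
        if sym in times:
            return times[sym]
        if sym in SYMBOLS:
            return str(rec[SYMBOLS[sym]])
        return m.group(0)

    return re.sub(r"%(.)", expand, fmt)


def compile_parser(fmt: str):
    """Return a function that parses a line written with fmt into {symbol: text}."""
    pattern, syms, pos, in_quote = "^", [], 0, False
    for m in re.finditer(r"%(.)", fmt):
        pattern += re.escape(fmt[pos:m.start()])
        sym = m.group(1)
        if sym == "q":
            pattern += '"'
            in_quote = not in_quote        # fields between %q pairs may contain spaces
        elif sym == "f":
            pattern += "PROXY_LOG"
        elif sym in "nN":
            pattern += r"(\[[^\]]*\])"     # bracketed timestamps contain a space
            syms.append(sym)
        elif sym in SYMBOLS or sym in TIME_SYMBOLS:
            pattern += r"(.*?)" if in_quote else r"(\S+)"
            syms.append(sym)
        else:
            pattern += re.escape(m.group(0))
        pos = m.end()
    regex = re.compile(pattern + re.escape(fmt[pos:]) + "$")

    def parse(line: str) -> dict[str, str] | None:
        match = regex.match(line)
        return dict(zip(syms, match.groups())) if match else None

    return parse


# Constructed format for the demonstration: a combined-style line with the real
# server address appended.
EXAMPLE_FORMAT = '%N %c %B %q%m %u %v%q %r %b %R %s:%P'

if __name__ == "__main__":
    line = render(EXAMPLE_FORMAT, SAMPLE, SAMPLE_TIME)
    print(line)
    print(compile_parser(EXAMPLE_FORMAT)(line))
```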
no log http
This global command is used to disable HTTP access logging.
This global command is used to configure a remote syslog host used for storing system log
messages of the specified log level(s). A maximum of 6 remote log hosts can be configured.
host_ip This parameter specifies the IP address of the remote syslog host.
Its value must be an IPv4 or IPv6 address.
port Optional. This parameter specifies the port number of the remote
syslog host. Its value must be an integer ranging from 1 to 65,535.
The default value is 514.
protocol Optional. This parameter sets the protocol used to transmit system
log messages. Its value must be “TCP” or “UDP”. The default value
is “UDP”.
The default value is 0, indicating that all system log messages of the
specified level(s) will be sent to the remote syslog host without any
other filtering. If the host ID is set to a value larger than 0, system
log messages of specified level(s) will first be filtered based on the
configurations of log filter (configured via the “log filter”
command) and then sent to the remote syslog host.
Please note that the host ID “0” can be used by multiple remote
syslog hosts, while a host ID larger than 0 must be unique among
all remote syslog hosts.
log_level Optional. This parameter specifies the level(s) of the log. Its value
must be one or multiple of the following levels: “emerg”, “alert”,
“crit”, “err”, “warning”, “notice”, “info”, and “debug”. The default
value is “all”, indicating all of the above levels are selected.
Multiple levels in the parameter value must be separated by commas
and enclosed in double quotes.
Note: Before configuring a remote syslog host, please make sure that the remote syslog
host is ready to receive system log messages.
For example:
This global command is used to delete the remote syslog host of the specified protocol type. If the
“protocol” parameter is not specified, the remote log host of the “UDP” type will be deleted.
host_id This parameter specifies an existing log host ID set via the “log
host” command.
filter_id This parameter specifies the ID of the log filter. Its value must be an
integer ranging from 1 to 64.
filter_string This parameter specifies the log filter string. Its value must be a
string of 1 to 40 case-insensitive characters.
mode Optional. This parameter specifies the mode of log filters. Its
value must be:
1. Select Admin Tools > Monitoring > Logging > Disabled Log
under the global scope.
2. In the Disabled Log area, click the Log ID List action link to
view IDs of all system log messages.
Log Alert
rule_id This parameter specifies the log ID. Its value must be an integer
ranging from 1 to 32.
If a log alert rule with the same “log_id” already exists, the AG
appliance will prompt the administrator for whether or not to
expression This parameter specifies the regular expression used for log
matching. Its value must be a string of 1 to 64 characters.
email This parameter specifies the email address used to receive log alert
emails. Its value must be a string of 1 to 128 characters enclosed by
double quotes.
interval This parameter specifies the interval to send log alert emails. Its
value must be an integer ranging from 0 to 10,000, in minutes. 0
means sending the log alert email immediately after a system log
message matches this log alert rule.
type Optional. This parameter specifies the content type of the log alert
email. Its value must be
SNMP Commands
General Settings
The Simple Network Management Protocol (SNMP) offers the communication rules between a
management device and the managed devices on the network. It defines a set of messages,
methods and syntax to implement the access and management from the management device to the
managed devices.
An SNMP managed network comprises primarily network management stations (NMSs) and an
agent. An NMS is a manager in an SNMP enabled network, whereas agents are managed by the
NMS. The NMS and agents exchange management information through the SNMP protocol.
The AG appliance acts as an SNMP agent and currently supports the SNMP GET requests, but not
SNMP SET requests. For details, refer to the following commands.
snmp on [version]
This global command is used to enable the SNMP agent of the AG appliance.
snmp off
This global command is used to disable the SNMP function. By default, this function is disabled.
show snmp
This global command is used to display all SNMP settings.
Example:
AN(config)#show snmp
snmp community reindeer
snmp location server room 6
snmp contact admin@example.com
snmp host 10.2.21.1 rudolph
snmp enable traps
clear snmp
This global command is used to reset the SNMP settings to default.
SNMP Request
the SNMP agent. If the SNMP requests sent by the NMS do not carry the correct community
string, the SNMP agent will reject the SNMP requests.
string This parameter specifies the community string. Its value must
be a string of 1 to 32 characters. The parameter value can only
be changed when the SNMP function is disabled.
Note: For the sake of security, it is strongly recommended to modify the default SNMP
community string to avoid possible system information interception.
Example:
no snmp community
This global command is used to reset the community string to the default “public”.
For example:
no snmp contact
This global command is used to delete the contact information of the administrator.
For example:
no snmp location
This global command is used to delete the setting of physical location configured for the SNMP
agent.
auth_password This parameter specifies the authentication password of the SNMPv3
user account to be added to the SNMPv3 user database. Its value must
be a string of 8 to 32 characters.
security_level Optional. This parameter specifies the security level. Its value must
be:
priv_password Optional. This parameter specifies the private password for data
encryption. Its value must be a string of 8 to 32 characters.
“snmp ippermit” command are permitted by the SNMP agent. By default, this function is disabled,
indicating all SNMP GET requests are permitted by the SNMP agent.
source_ip This parameter specifies the network IP address of the subnet. Its
value must be an IPv4 address.
SNMP Traps
linkup: This trap is sent when the interface of the SNMP agent becomes “up”.
linkdown: This trap is sent when the interface of the SNMP agent becomes “down”.
caSyslog: This trap is sent when the system log level is larger than “err”.
host_ip This parameter specifies the IP address of the SNMP host. Its
value must be an IPv4 address.
trap_version Optional. This parameter specifies the SNMP trap version. Its
value must be “1”, “2” or “3”, indicating SNMP v1, SNMP v2
or SNMP v3.
security_level Optional. This parameter specifies the security level. Its value
must be:
Troubleshooting Commands
ping {ipv4|host_name}
This global command is used to check the network connectivity to the specified IPv4 network host
by sending Internet Control Message Protocol (ICMP) echo requests.
ipv4|host_name This parameter specifies the IP address or name of the IPv4 network
host.
ping6 {ipv6|host_name}
This global command is used to check the network connectivity to the specified IPv6 network host
by sending Internet Control Message Protocol (ICMP) echo requests.
ipv6|host_name This parameter specifies the IP address or name of the IPv6 network
host.
ping {ipv4|host_name}
This command is used to check the network connectivity to the specified IPv4 network host by
sending Internet Control Message Protocol (ICMP) echo requests.
For this command, the virtual site will always use global DNS settings to resolve the host name.
ipv4|host_name This parameter specifies the IP address or name of the IPv4 network
host.
traceroute {ipv4|host_name}
This global command is used to trace the route to the specified IPv4 network host by sending three
packets to each intermediate node on this route. After this command is executed, the TTL, host
names and IP addresses of the intermediate nodes (routers or gateways), as well as the round-trip
time of each packet to every node will be displayed.
ipv4|host_name This parameter specifies the IP address or name of the IPv4 network
host.
traceroute6 {ipv6|host_name}
This global command is used to trace the route to the specified IPv6 network host by sending three
packets to each intermediate node on this route. After this command is executed, the TTL, host
names and IP addresses of the intermediate nodes (routers or gateways), as well as the round-trip
time of each packet to every node will be displayed.
ipv6|host_name This parameter specifies the IP address or name of the IPv6 network
host.
traceroute {ipv4|host_name}
This command is used to trace the route to the specified IPv4 network host by sending three
packets to each intermediate node on this route. After this command is executed, the system will
display the TTL, host names and IP addresses of the intermediate nodes (routers or gateways), as
well as the round-trip time of each packet to every node.
For this command, the virtual site will always use global DNS settings to resolve the host name.
ipv4|host_name This parameter specifies the IP address or name of the IPv4 network
host.
nslookup {ip|host_name}
This global command is used to resolve the IPv4 address for the specified host name or vice versa.
After this command is executed, the IPv4 address resolved by the DNS server will be displayed
for the specified host name or vice versa.
ip|host_name This parameter specifies the host name or IPv4 address enclosed by
double quotes.
nslookup {ip|host_name}
This command is used to resolve the IPv4 address for the specified host name or vice versa. After
this command is executed, the IPv4 address resolved by the DNS server will be displayed for the
specified host name or vice versa.
For this command, if the “dns useglobal off” command is configured for the virtual site, the virtual
site will use its DNS settings to resolve the host name. If the “dns useglobal on” command is
configured for the virtual site, the virtual site will use global DNS settings to resolve the host
name.
ip|host_name This parameter specifies the host name or IPv4 address enclosed by
double quotes.
ip_address This parameter specifies the allowed IP address. Its value must be
an IPv4 or IPv6 address.
address.
show support
This global command is used to display all the network segments, within which the users are
allowed to use the “test” account to log into the AG appliance via the SSH protocol or Console.
clear support
This global command is used to clear all the network segments, within which the users are
allowed to use the “test” account to log into the AG appliance via the SSH protocol or Console.
Debug Commands
General Settings
debug enable
This global command is used to enable the debug function. Once this function is enabled, the AG
appliance will first clean the old files (such as sys_debug.tar.gz and sys_core.tar.gz) used to
collect debugging data. Then, the AG appliance will create a new file (such as
englog.20161030_133513) to store debugging data, and this collecting process will not stop
until the “debug disable” command is executed.
debug disable
This global command is used to disable the debug function. Once the debug function is disabled,
the AG appliance will first generate a file named sys_debug.tar.gz to store the collected debug
data. Then, the AG appliance will clean up the collected debug data in the system. The file
sys_debug.tar.gz can be downloaded via WebUI.
The following is the generated tar file that only contains the debug information collected from the
moment of executing the “debug enable” command to the moment of executing the “debug
disable” command.
/var/crash/sys_debug.tar.gz
tcpdump
ssldump
subsystem_name Optional. This parameter specifies the name of the subsystem. The
default value is “no_englog”.
Debug Snapshot
core_files_number Optional. This parameter specifies the number of system core files
to be collected. Its value must be an integer ranging from 1 to 10.
The default value is 1.
Note: Administrators must first execute this command to set the number of core files to be
collected before executing the “debug snapshot system” command to collect core files,
such as sys_core.tar.gz and app_core.tar.gz. If no value is specified, the system will not
collect any core file.
level This parameter specifies the quantity of the snapshot. Its value must
be “1”, “2” or “3”. “1” indicates the least data while “3” indicates
the most data.
sys_snap.tar.gz.gpg
sys_log.tar.gz.gpg
sys_core.tar.gz.gpg
app_core.tar.gz.gpg
Please note that the files “sys_core.tar.gz.gpg” and “app_core.tar.gz.gpg” can be generated only
when specific core files exist in the system.
Please note that the files “sys_core.tar.gz.gpg” and “app_core.tar.gz.gpg” can be generated only
when specific core files exist in the system.
level This parameter specifies the quantity of the snapshot. Its value must
be “1”, “2” or “3”. “1” indicates the least data while “3” indicates
the most data.
Debug Trace
src_port Optional. This parameter specifies the source port to be traced. Its
value must be an integer ranging from 0 to 65535. The default value
is 0, indicating all source ports will be traced live.
tcpdump_argument Optional. This parameter specifies the argument used to trace TCP
activities via tcpdump, which is a TCP packet analyzer. Its value
must be a string of 1 to 128 characters.
virtual_site This parameter specifies the name of the existing virtual site. Its
value must be a string of 1 to 63 characters.
encrypt|plain Optional. This parameter specifies the display format of the data in
ssldump_argument Optional. This parameter specifies the argument used to trace SSL
activities via ssldump, which is an SSL packet analyzer. Its value
must be a string of 1 to 128 characters enclosed by double quotes.
tcpdump_argument Optional. This parameter specifies the argument used to trace TCP
activities via tcpdump, which is a TCP packet analyzer. Its value
must be a string of 1 to 128 characters.
encrypt|plain Optional. This parameter specifies the display format of the data in
SSL communication packets. Its value must be:
ssldump_argument Optional. This parameter specifies the argument used to trace SSL
activities via ssldump, which is an SSL packet analyzer. Its value
must be a string of 1 to 128 characters enclosed by double quotes.
tcpdump_argument Optional. This parameter specifies the argument used to trace TCP
activities via tcpdump, which is a TCP packet analyzer. Its value
must be a string of 1 to 128 characters.
tcpdump_argument Optional. This parameter specifies the argument used to trace TCP
activities via tcpdump, which is a TCP packet analyzer. Its value
must be a string of 1 to 128 characters.
tcpdump_argument Optional. This parameter specifies the argument used to trace TCP
activities via tcpdump, which is a TCP packet analyzer. Its value
must be a string of 1 to 128 characters.
tcpdump_argument Optional. This parameter specifies the argument used to trace TCP
activities via tcpdump, which is a TCP packet analyzer. Its value
must be a string of 1 to 128 characters.
Debug Usage
username This parameter specifies the username to log into the remote FTP
server. Its value must be a string of 1 to 128 characters.
remote_ftp_ip This parameter specifies the IP address of the remote FTP server. Its
value must be an IPv4 address.
file_name This parameter specifies the name of the file to be exported to the
FTP server (without the “.tar.gz.gpg” suffix). Its value must be
“sys_snap”, “sys_snap.0”, “sys_snap.1”, “sys_log”, “sys_log.0”,
“sys_log.1”, “sys_core”, “app_core”, “sys_debug”, “sslkeylog” or
“all”. If the parameter value is set to “all”, all the latest tarball files
(sys_snap, sys_log, sys_core, app_core and sys_debug) are
exported to the remote FTP server.
Debug Monitor
username This parameter specifies the username to log into the remote FTP
server. Its value must be a string of 1 to 128 characters.
remote_ftp_ip This parameter specifies the IP address of the remote FTP server. Its
value must be an IPv4 address.
username@remote address:filepath This parameter specifies the username and the name or
IP address of the remote host on the remote SCP server.
Its value must be a string of 1 to 128 characters
enclosed by double quotes, such as
“test@172.16.13.12:/home/test”.
username This parameter specifies the username to log into the remote FTP
server. Its value must be a string of 1 to 128 characters.
remote_ftp_ip This parameter specifies the IP address of the remote FTP server. Its
value must be an IPv4 address.
file_path This parameter specifies the path, which must include the file name,
to import the file from the FTP server. Its value must be a string of
1 to 256 characters.
Administrators
enable|config This parameter specifies the administrator’s access level. Its value
must be:
scope Optional. This parameter sets the administrator’s access scope. Its
value must be:
Under the virtual site scope, this command is used to change an existing administrator’s password.
enable|config This parameter specifies the new access level. Its value must be:
netmask This parameter specifies the netmask. Its value must be in dotted
decimal notation.
Note: After the “admin access” configurations are added or deleted, you need to restart the
WebUI for the configuration changes to take effect for all WebUI sessions. Therefore,
please execute the “webui restart” command after executing the “admin access”, “no
admin access” or “clear admin access” command.
virtual_site Optional. This parameter specifies the name of the virtual site. If
this parameter is not specified, the administrator access from all
virtual sites will be denied.
virtual_site Optional. This parameter specifies the name of the virtual site. If
this parameter is not specified, administrator “Config” level access
message This parameter specifies the content of the message. Its value must
be a string of 1 to 60 characters.
role_name This parameter specifies the name of the administrator role. Its
value must be a string of 1 to 25 characters.
scope This parameter specifies the administrator’s access scope. Its value
must be:
This global command is used to clear all associations between configured administrator roles and
a specified administrator.
role_name|list This parameter specifies how to list the available features. Its value
must be:
Admin AAA
LDAP (ladp): indicates that the LDAP host(s) configured using the “admin aaa ldap host”
command will be used for authentication and authorization.
RADIUS (radius): indicates that the RADIUS host(s) configured using the “admin aaa
radius host” command will be used for authentication and authorization.
rank This parameter specifies the rank number of the AAA method in the
rank list. Its value must be 1 or 2.
When the rank number of the AAA method “ladp” is 1, the rank
number of the AAA method “radius” can only be 2, and vice versa.
This global command is used to enable or disable AAA rank for Admin AAA. By default, this
function is disabled.
When AAA rank is enabled for Admin AAA, the AAA method with rank 1 will be used for
authentication first. If an administrator fails the authentication using this AAA method, the system
will use the AAA method with rank 2 to authenticate the administrator. However, when AAA rank
is disabled for Admin AAA, only the AAA method with rank 1 can be used for authentication.
That is, if an administrator fails the authentication using this AAA method, the system will reject
the administrator.
ip This parameter specifies the IP address of the LDAP host. Its value
must be an IPv4 address.
port This parameter specifies the port of the LDAP host. Its value must
be an integer ranging from 1 to 65,535.
base This parameter specifies the Distinguished Name (DN) of the entry
at which to start the search for administrators. Its value must be a
string of 1 to 900 characters.
timeout This parameter specifies the idle timeout to allow search to run, in
seconds. Its value must be an integer ranging from 1 to 65,535.
index Optional. This parameter specifies the host index. Its value must be
1, 2 or 3. The default value is 1.
“tls”: indicates that the LDAP server is accessed over the TLS
protocol.
filter_string This parameter specifies a filter string used to search for the LDAP
entries. Its value must be a string of 1 to 80 characters, which must
be enclosed by double quotes.
logical operator: “&” (and), “|” (or), “!” (not), “=” (equal to),
or “*” (any).
Please refer to the RFC for details of the LDAP filter string.
For example:
expression This parameter specifies the regular expression that defines the part
of the DN to be extracted as the group information. Its value must
be a string of 1 to 64 characters.
group_name This parameter specifies the default group name for administrators
that do not belong to any other LDAP group. Its value must be a
string of 1 to 80 characters.
In dynamic LDAP bind mode, the system sends a Bind request containing the LDAP admin’s
username and password to the LDAP host and sends a Search request containing the search filter
string (configured by “aaa server ldap searchfilter”) to obtain the LDAP entry of the
administrator. The system obtains the first DN and sends it together with the password of the
administrator in another Bind request to the LDAP host. After the administrator passes the
authentication, the system reuses the obtained LDAP entry to authorize the administrator.
In static LDAP Bind mode, the system sends the DN (<dn_prefix><USER><dn_suffix>) together
with the password of the administrator in a Bind request to the LDAP host. After the administrator
passes the authentication, the system sends a Search request containing the configured search filter
string to obtain the LDAP entry of this administrator. Then, it authorizes the administrator based
on the obtained LDAP entry.
dn_prefix This parameter specifies the DN prefix. Its value must be a string of
1 to 80 characters.
dn_suffix This parameter specifies the DN suffix. Its value must be a string of
1 to 80 characters.
admin aaa radius host <ip> <port> <secret> <retries> <timeout> [index]
This global command is used to configure a RADIUS host for Admin AAA if a RADIUS method
is used. A maximum of three RADIUS hosts can be configured.
port This parameter specifies the port of the RADIUS host. Its value
must be an integer ranging from 1 to 65,535.
secret This parameter specifies the shared secret text string used by the
AG appliance and the RADIUS host to encrypt passwords and
exchange responses. Its value must be a string of 1 to 80 characters.
retries This parameter specifies the retry times to connect to the RADIUS
host. Its value must be an integer ranging from 1 to 65,535.
timeout This parameter specifies the timeout value of the search in seconds.
Its value must be an integer ranging from 1 to 65,535.
index Optional. This parameter specifies the host index. Its value must be
1, 2 or 3. The default value is 1.
attribute This parameter specifies the ID of the attribute used to obtain the
external RADIUS group of the administrator from the RADIUS
entry. For example, use 25 for the “Class” attribute. Numbers for
other attributes are available in the RADIUS RFC (RFC 2865) and
are listed below.
1 User-Name
2 User-Password
3 CHAP-Password
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
10 Framed-Routing
11 Filter-Id
12 Framed-MTU
13 Framed-Compression
14 Login-IP-Host
15 Login-Service
16 Login-TCP-Port
17 (unassigned)
18 Reply-Message
19 Callback-Number
20 Callback-Id
21 (unassigned)
22 Framed-Route
23 Framed-IPX-Network
24 State
25 Class
26 Vendor-Specific
27 Session-Timeout
28 Idle-Timeout
29 Termination-Action
30 Called-Station-Id
31 Calling-Station-Id
32 NAS-Identifier
33 Proxy-State
34 Login-LAT-Service
35 Login-LAT-Node
36 Login-LAT-Group
37 Framed-AppleTalk-Link
38 Framed-AppleTalk-Network
39 Framed-AppleTalk-Zone
60 CHAP-Challenge
61 NAS-Port-Type
62 Port-Limit
63 Login-LAT-Port
group_name This parameter specifies the default group name for administrators
that do not belong to any other RADIUS group. Its value must be a
string of 1 to 80 characters.
nasip This parameter specifies the NAS IP address of the RADIUS server.
Its value must be an IPv4 address.
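An added example (not Array Networks code) of how the RADIUS parameters above fit together on the receiving side: the shared secret verifies the Response Authenticator of an Access-Accept as RFC 2865 defines it, the attribute list is walked as Type/Length/Value triples, and the administrator's group is taken from the configured attribute ID (25, "Class", by default) with the default group as the fallback. The packet bytes, the secret, the request authenticator and the helper names are constructed for the illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
CLASS_ATTR = 25  # "Class" attribute, the ID suggested above for group lookup


def build_response(code, ident, request_auth, attrs, secret):
    """Build a RADIUS response for the example. Per RFC 2865 the Response
    Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator; a packet that fails this check was
    not produced by a server holding the shared secret and must be ignored."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the Type/Length/Value attribute list that follows the 20-byte header."""
    attrs = []
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def admin_group(packet, request_auth, secret, attribute_id=CLASS_ATTR, default_group="default"):
    """Return the administrator's group from an authenticated Access-Accept,
    the default group when the attribute is absent, or None when the packet
    is unauthenticated or is not an Access-Accept."""
    if not verify_response(packet, request_auth, secret):
        return None
    if packet[0] != ACCESS_ACCEPT:
        return None
    for t, v in parse_attributes(packet):
        if t == attribute_id:
            return v.decode("utf-8", "replace")
    return default_group
```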
This global command is used to set the access privilege for a specified external administrator
group.
scope Optional. This parameter specifies the access scope of the external
administrator group. Its value must be:
“virtual site name”: indicates that the site administrator can run
commands only under a specified virtual site.
System Access
Console Access
pager <lines>
This global command is used to enable the pagination function for the command output and set the
number of lines in the command output that can be displayed in one page. If one page cannot
display the entire command output, you can press Enter to display one more line each time or
press Space to display one more page each time.
no pager
This global command is used to disable the display paging function. After this command is
executed, all outputs will be displayed without stopping.
show pager
This global command is used to display the setting for the display paging function.
WebUI Access
webui {on|off}
This global command is used to enable or disable the Web User Interface (WebUI).
webui restart
This global command is used to restart the WebUI.
webui ip <ip_address>
This global command is used to set the WebUI IP address. After this command is executed,
administrators can access the system via WebUI only through the specified IP address. Only one
IPv4 address and one IPv6 address can be set as the WebUI IP address.
ip_address This parameter specifies the IP address for WebUI access. It must
be an IPv4 or IPv6 address. The value of the WebUI IP address
must be an interface IP or a virtual site IP. Otherwise, the WebUI
no webui ip <ip_address>
This global command is used to delete a specified WebUI IP address.
clear webui ip
This global command is used to clear the WebUI IP address setting. After executing this command,
users can access the WebUI through any interface IP or configured virtual site IP.
port This parameter specifies the port number for accessing the WebUI.
Its value must be an integer ranging from 1025 to 65,000.
login_language This parameter specifies the login language of WebUI. Its value
must be “en” (English), “cn” (Simplified Chinese) or “jp”
(Japanese).
timeout This parameter specifies the idle timeout value for WebUI. Its value
must be an integer ranging from 1 to 65,535, in minutes.
When the “url” parameter is not specified, you can import the certificate by copying and pasting the
contents of the PEM-format certificate into the CLI. The entering of “…” is required in the bottom
line following the certificate to mark the end of the import.
url Optional. This parameter specifies the FTP, TFTP or HTTP URL
from which the PEM-format certificate is imported. Its value must
be a string of 1 to 950 characters.
When the “url” parameter is not specified, you can import the certificate by copying and pasting
the contents of the intermediate certificate into the CLI to import the certificate. The entering of
“…” is required in the bottom line following the certificate to mark the end of the import.
url Optional. This parameter specifies the FTP, TFTP or HTTP URL
from which the intermediate certificate is imported. Its value must
be a string of 1 to 950 characters.
SSH Access
ssh {on|off}
This global command is used to enable or disable the SSH access function on the AG appliance.
By default, SSH access is enabled.
ssh ip <ip_address>
This global command is used to set the SSH IP address. After this command is executed,
administrators can access the system via SSH only through the specified IP address. If this
command is not configured, administrators can access the AG appliance via SSH at any available
IP address (including virtual site IP addresses) on the AG appliance.
ip_address This parameter specifies the IP address for SSH access. Its value
must be:
no ssh ip <ip_address>
This global command is used to delete a specified SSH IP address.
minutes This parameter specifies the idle timeout value for SSH access. Its
value must be an integer ranging from 1 to 9,999,999, in minutes.
inputonly|inputoutput Optional. This parameter indicates when the SSH session will be
considered as not idle.
no ssh idletimeout
This global command is used to reset the idle timeout value for SSH access to the default setting,
9,999,999.
This global command is used to enable or disable SSH password authentication for a specified
administrator. By default, this function is enabled for every administrator.
url Optional. This parameter specifies the HTTP, FTP or TFTP URL
from which the SSH public key is imported. Its value must be a
string of 1 to 256 characters. The default value is empty.
restapi on [port]
This command is used to enable RESTful API-based Web service. By default, this function is
disabled. RESTful API-based Web service uses the HTTPS protocol.
port Optional. This parameter specifies the port number at which the
RESTful API-based Web service listens. Its value must be an
integer ranging from 1025 to 65,000, but cannot be the same port
used by other services.
restapi off
This command is used to disable RESTful API-based Web service.
show restapi
This command is used to display the configuration of RESTful API Web service.
XML-RPC Access
xmlrpc on [https|http]
This command is used to enable the XML-RPC function, which works by sending an HTTP-based
request (including the XML-RPC message) to the AG appliance. By default, the XML-RPC
function is disabled.
https|http Optional. This parameter specifies the protocol used to transmit the
XML-RPC messages. The default value is “https”.
xmlrpc off
This command is used to disable the XML-RPC function.
xmlrpc ip <ip_address>
This global command is used to set the XML-RPC IP address. After this command is executed,
administrators can access the system via XML-RPC only through the specified IP address. If this
command is not configured, 0.0.0.0 will be used as the default value and administrators can access
the AG appliance via XML-RPC at any available IPv4 address (including virtual site IP addresses)
on the AG appliance.
ip_address This parameter specifies the IP address for XML-RPC access. Its
value must be an IPv4 address configured in the system or 0.0.0.0,
indicating all the IPv4 addresses configured in the system.
no xmlrpc ip <ip_address>
This global command is used to delete a specified IP address configured for XML-RPC access.
port This parameter specifies the port number for XML-RPC access.
Its value must be an integer ranging from 1025 to 65,000.
show xmlrpc
This global command is used to display configurations of the XML-RPC function and the
XML-RPC Authentication function, including the XML-RPC IP address, the designated
XML-RPC port, and the configured XML-RPC Authentication username and password.
clear xmlrpc
This command is used to reset the settings of the XML-RPC function, the XML-RPC
authentication function to default values.
System Management
System Information
show version
This global command is used to display the basic information of the AG appliance, such as host
name, Array Networks software version, system CPU, available memory and total memory, latest
booting time, licensed features, and system up time.
Example:
AN(config)#show version
Host name : AN
System CPU : Intel(R) Pentium(R) CPU G6950 @ 2.80GHz
System Module : X8SIE-LN4
System RAM : 3829948 kbytes.
System boot time : Fri Aug 12 09:57:08 GMT (+0000) 2017
Current time : Fri Aug 12 11:22:09 GMT (+0000) 2017
System up time : 1 day, 19:25
Platform Bld Date : Fri Jun 24 23:39:57 CST 2017
SSL HW : HW ( 1X4D ) Initialized
Compression HW : No HW Available
Power supply : 1U, AC
Network Interface : 4 x Gigabit Ethernet copper
Model : Array AG1100, RAM Limit: 4096 MB
Serial Number : 0437A33459211000002262016314154
Maximum Sessions : 500
Maximum VPortals : 256
Licensed Features : WebWall Clustering SSL SwCompression VPNClient
HostCheck CacheCleaner WebApps SSF MobileClient
DesktopDirect AdvancedClient AdvancedDLP SSF_SM SMS
SWMaintenance MobileDirect
License Key : kKwDxIWU-cLA0IQ0w-nU8nnX+V-P9g=#131-4d67d9a8-25cf122a
-6d67eaa3-feef0122-4d#7ebaa-fdaf1#dc-ba98765
License Date : Expires on Sep 28 2018
show version
This command is used to display the basic information of the AG appliance, such as host name,
Array Networks software version, system CPU, available memory and total memory, latest
booting time, licensed features, and system up time.
show memory
This global command is used to display the memory critical information relating to the AG
appliance.
Example:
Each connection owns a “pcb” data structure. There are two kinds of “pcb” data structures: “small
pcb” is used for TCP connections in the “TIME_WAIT” state and is 64 bytes in size, and “pcb” is
used for all other TCP connections and is larger (288 bytes). The “LIMIT” column specifies the total
number of data structure items. “USED” refers to the number of items in use. “Free” indicates the
items remaining that may still be used. “REQUEST” is the accumulated total of all usages and is
always incremented.
System License
halt|poweroff Optional. This parameter specifies the mode used for system
shutdown. Its value must be:
halt: indicates that the system halts but the power is not
turned off. The system will automatically reboot when the
power comes back after power off. This parameter value
is very convenient when the AG appliance is remote to the
administrator.
url This parameter specifies the HTTPS, HTTP or FTP URL used to
import the new software package. Its value must be a string of 1 to
256 characters.
Example:
Note: If this command is executed via an SSH connection and the SSH connection is
terminated during the update, the system will not be able to complete the update process.
Do not disconnect the connections to the AG appliance during the system update process.
url This parameter specifies the HTTPS, HTTP or FTP URL used to
import the new software package. Its value must be a string of 1 to
256 characters.
md5_value Optional. This parameter specifies the MD5 value of the new
software package. The MD5 value is used to validate the integrity
Note: After the system software package is imported into the system, you can update the
system using this package by executing the “system update” command with the “URL”
parameter set to “/var/package/package_name”.
system fallback
This global command is used to enable the system fallback function. After this command is
executed, the system will boot from the other root partition on next reboot.
no system fallback
This global command is used to disable the system fallback function. The system will boot from
the current root partition on next reboot.
url This parameter specifies the HTTPS, HTTP or FTP URL used to
import the component updating package. Its value must be a string
of 1 to 256 characters.
System Dump
Configuration Management
displayed.
Please note that this parameter can take effect only when the
“display_mode” parameter is set to “all”, “global” or the virtual site
name.
Under the virtual site scope, this command is used to display the configurations saved in the
startup configuration file by executing the “write memory” command for a specified virtual site.
Configuration Backup
Note: The backup files are in the UTF-8 encoding format on the appliance’s disk, the
remote SCP server or the remote TFTP server. To read or edit the backed up file, make
sure that your file viewer or editor supports UTF-8 encoding.
write memory
This command is used to save the virtual site’s running configurations to the startup configuration
file.
file_name Optional. This parameter specifies the name of the backup file. Its
value must be a string of 1 to 256 characters. This parameter needs
to be specified only when the “mode” parameter is set to “all”.
file_name This parameter specifies the name of the backup file. Its value must
be a string of 1 to 256 characters.
no config <file_name>
Under the global scope, this command is used to delete a specified user-defined configuration file.
Under the virtual site scope, this command is used to delete a specified user-defined configuration
file.
Under the virtual site scope, this command is used to display a specified backup file.
file_name Optional. This parameter specifies the name of the backup file. Its
value must be:
Under the virtual site scope, this command is used to clear all backup files for a specified virtual
site.
Under the virtual site scope, this command is used to back up the virtual site’s running
configurations to a specified remote SCP server.
server_name This parameter specifies the host name or IP address of the SCP
server. Its value must be a string of 1 to 128 characters. If the IP
address is entered, it should be enclosed by double quotes.
username This parameter specifies the username to access the remote SCP
server. Its value must be a string of 1 to 64 characters. After the
username is entered, the password prompt for this SCP server will
appear.
file_path This parameter specifies the path to save the configuration file. Its
value must be a string of 1 to 256 characters.
server_ip This parameter specifies the IP address of the TFTP server. Its value
must be an IPv4 address.
server_ip This parameter specifies the IP address of the TFTP server. Its value
must be an IPv4 address.
file_name This parameter specifies the name of the configuration file in which
the configuration data is saved. Its value must be a string of 1 to
256 characters.
server_name This parameter specifies the host name or IP address of the SCP
server. Its value must be a string of 1 to 128 characters. If the IP
address is entered, it should be enclosed by double quotes.
username This parameter specifies the username to access the remote SCP
server. Its value must be a string of 1 to 64 characters. After the
username is entered, the password prompt for this SCP server will
appear.
file_path This parameter specifies the path to store the configuration file. Its
value must be a string of 1 to 256 characters.
This global command is used to back up all the running configurations including virtual-site
running configurations to a specified remote TFTP server.
server_ip This parameter specifies the IP address of the remote TFTP server.
Its value must be an IPv4 address.
Configuration Restore
Note: The files restored from the appliance’s disk, the remote SCP server, the remote
TFTP server or the Web server must be in the UTF-8 encoding format. To read or edit the
restored file, make sure that your file viewer or editor supports UTF-8 encoding.
configure memory
This command is used to restore the virtual site’s configurations from the startup configuration
file.
restored.
file_name Optional. This parameter specifies the name of the backup file. Its
value must be a string of 1 to 256 characters. This parameter needs
to be specified only when the “mode” parameter is set to “all”.
Note: Execution of the command “configure file all” will not clear the current
configurations from the system. To replace all the current configurations with the loaded
configurations, the administrator needs to execute the command “clear config all” first.
file_name This parameter specifies the name of the backup file. Its value
should be a string of 1 to 256 characters.
Under the virtual site scope, this command is used to restore the virtual site’s configurations from
a specified remote SCP server.
server_name This parameter specifies the host name or IP address of the SCP
server. Its value must be a string of 1 to 128 characters. If the IP
address is entered, it should be enclosed by double quotes.
username This parameter specifies the remote user account name. Its value
must be a string of 1 to 64 characters. After the username is entered,
the password prompt for this SCP server will appear.
file_path This parameter specifies the path of the configuration file saved on
the remote SCP server. Its value must be a string of 1 to 256
characters.
Under the virtual site scope, this command is used to restore the virtual site’s configurations from
a specified remote TFTP server.
server_ip This parameter specifies the IP address of the remote TFTP server.
Its value must be an IPv4 address.
file_name This parameter specifies the name of the configuration file. Its
value must be a string of 1 to 256 characters.
Under the virtual site scope, this command is used to restore the virtual site’s configurations from
a specified Web server.
url This parameter specifies the URL address of the configuration file.
For example, http://www.xyz.com/array.conf. Its value must be a
string of 1 to 64 characters.
server_name This parameter specifies the host name or IP address of the remote
SCP server. Its value must be a string of 1 to 128 characters. If the
IP address is entered, it should be enclosed by double quotes.
username This parameter specifies the username to access the remote SCP
server. Its value must be a string of 1 to 64 characters. After the
username is entered, the password prompt for this SCP server will
appear.
file_path This parameter specifies the path of the configuration file saved on
the remote SCP server. Its value must be a string of 1 to 256
characters.
server_ip This parameter specifies the IP address of the remote TFTP server.
Its value must be an IPv4 address.
file_name This parameter specifies the name of the configuration file. Its
value must be a string of 1 to 256 characters.
url This parameter specifies the URL address of the configuration file.
For example, http://www.xyz.com/array.conf. Its value must be a
string of 1 to 64 characters.
Configuration Clearance
this command is executed, please execute the “write memory” command to save the current
configuration, otherwise the system will be restored to the original status after a system reboot.
This command cannot be executed if there are other configurations dependent on these basic
network settings. In this situation, please execute the command “clear config secondary” first to
delete the related configurations. Then, execute the command “clear config primary” again.
Under the virtual site scope, this command is used to clear all settings of the virtual site.
Configuration Synchronization
The Configuration Synchronization feature allows administrators to transfer configuration
information between AG appliances within the same network.
peer_name This parameter specifies the name of the synchronization peer. Its
value must be a string of 1 to 128 characters.
This global command is used to configure a challenge code for system configuration
synchronization. The challenge codes on synchronization nodes must be identical.
code This parameter specifies the challenge code. Its value must be a
string of 1 to 31 case-sensitive characters. The “$” character is also
supported.
no synconfig challenge
This global command is used to delete the configured challenge code.
Note: The challenge code is displayed in encrypted format. The administrator must
securely record the original challenge code.
synconfig to <peer_name>
This global command is used to manually synchronize running configurations from the local node
to a specified peer node. After this command is executed, prior to applying the new configurations,
the “clear config secondary” will be executed on the peer node. This will remove all the existing
configurations except for appliance-specific settings. The appliance-specific settings unaffected
include system IP addresses, SSH IP address, WebUI IP address, WebUI IP port, IP route, host
name, Bond, VLAN, WebWall, accesslist and accessgroup.
peer_name This parameter specifies the name of the synchronization peer. This
parameter must be specified in order to determine the configuration
state to be restored.
file_name This parameter specifies the name of the file to be copied. Its value
must be a string of 1 to 256 characters.
This global command is used to copy a directory from the local node to the peer node in the
backend.
directory_name This parameter specifies the name of the directory to be copied. Its
value must be a string of 1 to 256 characters.
Example:
Welcome to Ylmf_OS!
* Information: http://www.ylmf.com/
This global command is used to create a Telnet connection to a remote host. The system supports
all standard Telnet parameters under the UNIX system. For details, please refer to the technical
documentation about Telnet commands.
host port This parameter specifies the IP address and the port of the remote
host. Its value must be enclosed by double quotes.
Example:
RTS
ip rts on <rts_mode>
This command is used to enable the RTS function. RTS ensures that all of the response packets
from a remote server can be directed to the link from which the corresponding request packets are
sent by a client.
rts_mode This parameter specifies the RTS mode. Its value can only be
“gateway” or “all”. “gateway” means that RTS records external
senders as configured gateways. “all” means that RTS records all
external senders that send packets to the unit. By default, the RTS
mode will be “all”.
ip rts off
This command is used to disable the RTS function.
show ip rts
This command is used to display the RTS configuration.
clear ip rts
This command is used to reset the RTS configuration.
Note: The maximum number of RTS entries may vary according to the amount of system
memory as shown in the following table. Each RTS entry uses about 264KB memory
space.
Bond
bond name <bond_id> <bond_name>
This command assigns a name to the specified bond interface. The AG appliance supports at most
6 bond interfaces.
The optional “1|0” parameter sets the interface as either the primary (1) or backup (0) interface in
the bond. Multiple primary or backup interfaces can be set in the bond. When all the primary
interfaces in the bond fail, the backup interfaces will attempt to take over the work.
1|0 1: This is the default value and sets the interface as one of the
primary interfaces in the bond.
0: Sets the interface as one of the backup interfaces in the bond.
NAT
nat port <vip> <network_ip> <netmask> [timeout] [gateway]
This command is used to enable network address translation (NAT) along with port translation.
NAT converts the address of each server or device on the inside network into one IP address for
the Internet and vice versa. The AG appliance will check for subnet overlap or verify that the
configured virtual IP exists. Data packets will be NATTed if and only if:
The source IP address is in the range of the configured “network_ip” and “netmask”.
The configured “gateway” is the same as the route gateway. If the “gateway” is set to the
default value (0.0.0.0), the “vip” and the route gateway should be within the same network
segment.
netmask This parameter specifies the netmask for the network performing
the NAT.
The configured “gateway” is the same as the route gateway (The route gateway is configured
by using the command “ip route default”). If the “gateway” is set to the default value
(0.0.0.0), the “vip” and the route gateway should be within the same network segment.
HTTP Compression
http compression {on|off}
This global command is used to enable or disable the HTTP Compression function. By default,
this function is disabled. When this function is enabled, Text, XML and HTML will be
compressed by default. To compress other types of HTTP data, please configure HTTP
compression policies using the command “http compression policy useragent”.
user_agent This parameter specifies the name of the user agent. Its value
should be a string of 1 to 256 characters. It is recommended that the
parameter value should be enclosed in double quotes.
mime_type This parameter specifies the MIME media type for which data
compression is used. Its value can only be:
doc
xls
ppt
js
css
That is, the system compresses JavaScript and CSS-type data for the following four types of
browsers (user agents): IE 6, IE 7, IE 8 and Mozilla 5.0.
This global command is used to display all the configured HTTP compression policies including
recommended policies.
virtual_site_name This parameter specifies the name of the virtual site. Its value can
be a virtual site name or all. “all” indicates that the statistics on
HTTP compression under all virtual sites will be displayed.
This command is used to clear all URL-excluded compression policies configured under the
virtual site.
mac_address This parameter specifies the MAC address of the remote host.
Chapter 15 DesktopDirect
instance_name Optional. This parameter specifies the name of the ART instance to
be displayed. If this parameter is not specified, all the configured
instances will be displayed.
instance_name This parameter specifies the name of the ART instance to which the
user belongs. Its value should be a string of 1 to 50 characters.
user_name Optional. This parameter specifies the name of the user. Its value
should be a string of 1 to 100 characters. If this parameter is not
specified, information of all the users in the specified ART instance
will be displayed.
Name Resolution
instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.
host_id This parameter specifies the ID of the host. Its value should be a
string of 1 to 255 characters.
host_ip This parameter specifies the IP address of the host. Its value should
be given in dotted decimal notation.
minute This parameter specifies the timeout value. Its value should be an
integer ranging from 1 to 4,294,967,295.
ART Instance
art create instance <instance_name>
This global command is used to create a new ART instance.
instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.
instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.
instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.
instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.
This global command is used to display proxy mode information for an ART instance.
instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.
port This parameter specifies the port. Its value should be an integer
ranging from 1 to 65,535.
ART User
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
user_name This parameter specifies the name of the user. Its value should be a
string of 1 to 100 characters.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
ART Group
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
group_name This parameter specifies the name of the group. Its value should be
a string of 1 to 250 characters.
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
instance_name Optional. This parameter specifies the name of the ART instance. If
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
server This parameter specifies the name of the AD server. Its value
should be a string of 1 to 255 characters.
base This parameter specifies the AD server host base string. Its value
should be a string of 1 to 255 characters.
username This parameter specifies the username for logging into the AD
server. Its value should be a string of 1 to 255 characters.
password This parameter specifies the password for logging into the AD
server. Its value should be a string of 1 to 255 characters.
instance_name Optional. This parameter specifies the name of the ART instance.
Desktop Publishing
mac_address Optional. This parameter specifies the MAC address. Its value
should be a string of 1 to 255 characters without any spaces or
dashes (for example, 112233445566 or aabbccddeeff).
port Optional. This parameter specifies the RDP Port. Its value should
be an integer ranging from 0 to 65535, and defaults to 0.
Note: If hostnames of desktops cannot be resolved using the virtual site's DNS settings,
the administrator needs to execute the “dns useglobal on” command to allow the virtual
site to use the global DNS settings for hostname resolution. Otherwise, the virtual site
cannot fetch the assigned desktops for users.
instance_name This parameter specifies the name of the ART instance to which the
group belongs. Its value should be a string of 1 to 50 characters.
group_name This parameter specifies the name of the group to which the
desktop is assigned. Its value should be a string of 1 to 250
characters.
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
group_name This parameter specifies the name of the group to which the
desktop is assigned.
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
user_name This parameter specifies the name of the user to which the desktop
is assigned. Its value should be a string of 1 to 100 characters.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
user_name This parameter specifies the name of the user to which the desktop
is assigned.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
user_name This parameter specifies the name of the user to which the desktop
is assigned.
Power Management
art powermanagement wakeup desktop <instance_name> <user_name>
{host|ip}
This global command is used to wake up the registered desktop for the specified user.
instance_name This parameter specifies the name of the ART instance to which the
user belongs. Its value should be a string of 1 to 50 characters.
user_name This parameter specifies the name of the user. Its value should be a
string of 1 to 100 characters.
seconds This parameter specifies the timeout value in seconds. Its value
should be an integer ranging from 1 to 4,294,967,295.
unit_ip This parameter specifies the IP address of the unit. Its value should
be given in dotted decimal notation.
multicast_ip This parameter specifies the IP address used for sending multicast
messages. Its value should be given in dotted decimal notation.
multicast_port This parameter specifies the port used for sending multicast
messages. Its value should be an integer ranging from 1 to 65,535.
agent_ip This parameter specifies the IP address of the relay agent. Its value
should be given in dotted decimal notation.
interface_ip This parameter specifies the IP address of the interface. Its value
should be given in dotted decimal notation.
instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.
device_type This parameter specifies the type of the device. Its value should be
a string of 1 to 255 characters.
device_id Optional. This parameter specifies the DeviceID. Its value should
be a string of 1 to 255 characters. If this parameter is not specified,
this operation will apply to all the devices of the specified device
type.
user_name Optional. This parameter specifies the name of the user to which the
device is associated. Its value should be a string of 1 to 100
characters. If this parameter is not specified, this operation will
apply to all the users in the specified ART instance.
user_name Optional. This parameter specifies the name of the user to which the
device is associated.
user_name Optional. This parameter specifies the name of the user to which the
device is associated.
This global command is used to disable a previously enabled device. The disabled devices will
remain in the database and could be re-enabled later.
user_name Optional. This parameter specifies the name of the user to which the
device is associated.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
instance.index This parameter specifies the name of the ART instance and the
device index (For example, default.3523).
instance.index This parameter specifies the name of the ART instance and the
device index.
This global command is used to cancel automatically accepting all the registration requests for the
specified ART instance.
The information will be displayed in the following format “<Index>. <State> <User name>
<Device Type> <DeviceID>”, where:
User name – Empty if the record is not associated to any specific user.
For example:
1. iPad elgel-we089u7-slnklnsed
12. (Disabled) user1 iPhone sdoih-24kl23-kjbna7
20. (Pending) iPhone hosdh-ksjd9783-sdkjse
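A parser for the listing format described above, written as an added example rather than code from the handbook. It assumes the state token is absent for enabled records and that device type and DeviceID contain no spaces; the sample lines are the handbook's own example output, embedded as a constructed string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three example records from the format description.
SAMPLE_OUTPUT = """\
1. iPad elgel-we089u7-slnklnsed
12. (Disabled) user1 iPhone sdoih-24kl23-kjbna7
20. (Pending) iPhone hosdh-ksjd9783-sdkjse
"""


@dataclass
class DeviceRecord:
    index: int
    state: str            # "Enabled" when no parenthesised state is shown (assumption)
    user: Optional[str]   # None when the record is not associated with a user
    device_type: str
    device_id: str


# "<Index>. [<State>] <rest>", where <State> appears in parentheses
LINE_RE = re.compile(r"^(\d+)\.\s+(?:\((\w+)\)\s+)?(.*)$")


def parse_line(line: str) -> DeviceRecord:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    index, state, rest = m.groups()
    fields = rest.split()
    # The last two tokens are <Device Type> and <DeviceID>; whatever precedes
    # them is the user name, which may be empty.
    if len(fields) < 2:
        raise ValueError(f"missing device type or DeviceID: {line!r}")
    device_type, device_id = fields[-2], fields[-1]
    user = " ".join(fields[:-2]) or None
    return DeviceRecord(int(index), state or "Enabled", user, device_type, device_id)


def parse_listing(text: str) -> List[DeviceRecord]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def pending_unassigned(records: List[DeviceRecord]) -> List[DeviceRecord]:
    """Registration requests still pending and not tied to any user: the
    records an administrator would review before accepting them."""
    return [r for r in records if r.state == "Pending" and r.user is None]


if __name__ == "__main__":
    for rec in parse_listing(SAMPLE_OUTPUT):
        print(rec)
```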
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
This global command is used to display the information about device registration requests and
device authorizations for the specified device.
instance_name This parameter specifies the name of the ART instance and the
device index (optional).
Host SSO
art hostsso <instance_name> <host> <username> <password>
This global command is used to create or modify a Host SSO entry for the specified ART
instance.
instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.
host This parameter specifies the hostname. Its value should be a string
of 1 to 250 characters.
username This parameter specifies the username for logging into the host. Its
value should be a string of 1 to 100 characters.
password This parameter specifies the password for logging into the host. Its
value should be a string of 1 to 100 characters.
Registration Policies
art registration policy desktopsperuser <instance_name> <max_number>
This global command is used to set the maximum number of desktops that can be registered by
each user in the specified ART instance.
instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.
days This parameter specifies the number of days the desktop remains
available after registration. Its value should be an integer ranging
from 0 to 4,294,967,295. “0” means that the desktop will always be
available.
instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
user_name This parameter specifies the name of the user. Its value should be a
string of 1 to 100 characters.
ad_user This parameter specifies the username of the AD server. Its value
should be a string of 1 to 255 characters.
ad_pw This parameter specifies the password of the AD server. Its value
should be a string of 1 to 255 characters.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
user_name Optional. This parameter specifies the name of the user. If this
parameter is not specified, the operation will apply to all the users
in the specified ART instance.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
user_name Optional. This parameter specifies the name of the user. If this
parameter is not specified, the operation will apply to all the users
in the specified ART instance.
Replication
art replication enable
This global command is used to enable the Replication function.
ip This parameter specifies the IP address of the peer. Its value should
be given in dotted decimal notation.
Client Package
art client package import package <package_name> <url> [clean]
This global command is used to import a client package.
package_name This parameter specifies the name of the package. Its value should
be a string of 1 to 100 characters.
url This parameter specifies the URL of the package. Its value should
be a string of 1 to 255 characters.
Application Publishing
Terminal Server
port Optional. This parameter specifies the RDP port configured on the
server. Its value should be an integer ranging from 1 to 65535, and
defaults to 3389.
server_name Optional. This parameter specifies the name of the terminal server.
Its value should be a string of 1 to 255 characters. If this parameter
is not specified, the hostname or IP address provided by the
administrator will be used as the terminal server name.
server_name Optional. This parameter specifies the name of the terminal server
to be displayed. If this parameter is not specified, configurations of
all the terminal servers will be displayed.
group_name This parameter specifies the name of the terminal server group. Its
value should be a string of 1 to 250 characters.
group_name This parameter specifies the name of the terminal server group.
old_group_name This parameter specifies the current name of the terminal server
group. Its value should be a string of 1 to 250 characters.
new_group_name This parameter specifies the new name of the terminal server group.
Its value should be a string of 1 to 250 characters.
group_name This parameter specifies the name of the terminal server group.
group_name This parameter specifies the name of the terminal server group.
group_name Optional. This parameter specifies the name of the terminal server
group to be displayed. If this parameter is not specified,
configurations of all the terminal server groups will be displayed.
app_name This parameter specifies the name of the application. Its value
should be a string of 1 to 255 characters.
old_app_name This parameter specifies the current name of the application. Its
value should be a string of 1 to 255 characters.
new_app_name This parameter specifies the new name of the application. Its value
should be a string of 1 to 255 characters.
description This parameter specifies the description. Its value should be a string
of 1 to 255 characters.
location This parameter specifies the location of the application. Its value
should be a string of 1 to 255 characters.
directory This parameter specifies the directory of the application. Its value
should be a string of 1 to 255 characters.
folder This parameter specifies the folder of the application. Its value
should be a string of 1 to 255 characters. It supports multi-layer
folders separated by the “\” character. For example, “Daily\Office”
will display the application in the Office folder.
This global command is used to disable the specified application. A disabled application remains
in the configuration, but it will not be presented to the user.
server|server_group This parameter specifies the name of the server or server group. Its
value should be a string of 1 to 255 characters.
server|server_group This parameter specifies the name of the server or server group.
width This parameter specifies the width of the window in pixels. Its
value should be an integer ranging from 1 to 65,535.
height This parameter specifies the height of the window in pixels. Its
value should be an integer ranging from 1 to 65,535.
XenApp Definition
farm_name This parameter specifies the name of the farm. Its value should be a
string of 1 to 255 characters.
old_farm_name This parameter specifies the current name of the farm. Its value
should be a string of 1 to 255 characters.
new_farm_name This parameter specifies the new name of the farm. Its value should
folder This parameter specifies the folder (on the user portal) where
applications of a specified XenApp server farm will be presented to
the user. For example, if folder “HR” is specified, all applications
from the farm will be presented under the HR folder that is
presented at the root of the user’s portal. Its value should be a string
of 1 to 255 characters.
order Optional. This parameter specifies the position of the newly added
server in the server farm. If it is not specified or larger than the
Association
app_or_farm This parameter specifies the name of the XenApp server farm or the
Terminal Server based application. Its value should be a string of 1
to 255 characters.
instance_name This parameter specifies the name of the instance. Its value should
be a string of 1 to 50 characters.
app_or_farm This parameter specifies the name of the XenApp server farm or the
Terminal Server based application.
app_or_farm This parameter specifies the name of the XenApp server farm or the
Terminal Server based application.
instance_name This parameter specifies the name of the instance to which the
group belongs.
group_name This parameter specifies the name of the group. Its value should be
a string of 1 to 250 characters.
app_or_farm This parameter specifies the name of the XenApp server farm or the
Terminal Server based application.
instance_name This parameter specifies the name of the instance to which the
group belongs.
app_or_farm This parameter specifies the name of the XenApp server farm or the
Terminal Server based application.
instance_name This parameter specifies the name of the instance to which the user
belongs.
user_name This parameter specifies the name of the user. Its value should be a
string of 1 to 100 characters.
app_or_farm This parameter specifies the name of the XenApp server farm or the
Terminal Server based application. Its value should be a string of 1
to 255 characters.
instance_name This parameter specifies the name of the instance to which the user
belongs.
External Providers
art external provider create <provider_name> <provider_type>
This global command is used to create an external provider.
provider_name This parameter specifies the name of the external provider. Its value
should be a string of 1 to 250 characters.
provider_type This parameter specifies the type of the external provider. Its value
can only be “xendesktop”, “vmview” or “epapi”.
Note: According to the XML specification, the characters “<”, “&”, “>”, “"” and “'”
must not be contained in XML content. Because the Xendesktop provider sends the
HTTP Post request in XML format, please do not include those characters in the username
or password when preparing an XML HTTP Post request.
old_name This parameter specifies the current name of the external provider.
new_name This parameter specifies the new name of the external provider.
port This parameter specifies the port of the XenDesktop data collector.
Its value should be an integer ranging from 1 to 65,535, and
defaults to 80.
domain This parameter specifies the domain name of the XenDesktop data
collector. Its value should be a string of 1 to 255 characters.
port This parameter specifies the port of the XenDesktop data collector.
port This parameter specifies the port of the VMView connection server.
Its value should be an integer ranging from 1 to 65,535, and
defaults to 443.
port This parameter specifies the port of the VMView connection server.
port This parameter specifies the port of the EP API server. Its value
should be an integer ranging from 1 to 65,535.
This global command is used to remove the EP API server configuration of the specified external
provider.
instance_name This parameter specifies the name of the ART instance to which the
external provider is assigned. Its value should be a string of 1 to 50
characters.
instance_name This parameter specifies the name of the ART instance to which the
external provider is assigned.
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
group_name This parameter specifies the name of the group to which the
external provider is assigned. Its value should be a string of 1 to
250 characters.
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
group_name This parameter specifies the name of the group to which the
external provider is assigned.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
user_name This parameter specifies the name of the user to which the external
provider is assigned. Its value should be a string of 1 to 100
characters.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
user_name This parameter specifies the name of the user to which the external
provider is assigned.
provider_type This parameter specifies the type of the external provider. Its value
can only be “xendesktop”, “vmview” or “epapi”.
Data Protection
art dataprotection default redirect <option>
This global command is used to enable a specified data protection redirection option. These
settings will apply to all users who do not have a custom policy assigned to them.
option This parameter specifies the option to be enabled. Its value can only
be:
drive
clipboard
printer
smartcard
ports
POS
policy_name This parameter specifies the name of the policy. Its value should be
a string of 1 to 255 characters.
option This parameter specifies the option to be enabled. Its value can only
be:
drive
clipboard
printer
smartcard
ports
POS
instance_name This parameter specifies the name of the ART instance to which the
policy is assigned. Its value should be a string of 50 characters.
instance_name This parameter specifies the name of the ART instance to which the
policy is assigned.
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
group_name This parameter specifies the name of the group to which the policy
is assigned. Its value should be a string of 250 characters.
instance_name This parameter specifies the name of the ART instance to which the
group belongs.
group_name This parameter specifies the name of the group to which the policy
is assigned.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
user_name This parameter specifies the name of the user to which the policy is
assigned. Its value should be a string of 100 characters.
instance_name This parameter specifies the name of the ART instance to which the
user belongs.
user_name This parameter specifies the name of the user to which the policy is
assigned.
Client Settings
art client settings set <set_name>
This global command is used to define a new client settings set.
set_name This parameter specifies the name of the set. Its value should be a
string of 1 to 100 characters.
platform This parameter specifies the platform. Its value must only be:
all
windows
macos
iphone
ipad
android
custom_parameter This parameter specifies the name of the feature. For the supported
parameter values, please refer to the following table for details.
custom_value This parameter specifies the value of the feature. For the supported
parameter values, please refer to the following table for details.
Note: The default values in the following table indicate the values that will be used by the
system if this command is not executed.
adaptively adjusted.
disableremoteappcapscheck Determines whether the RemoteApp capabilities of the remote host
will be checked.
0: The RemoteApp capabilities of the remote host will be checked.
1: The RemoteApp capabilities of the remote host will not be checked.
keyboardhook Determines how Windows key combinations are applied when you are
connected to a remote host.
0: Windows key combinations are applied on the local computer.
1: Windows key combinations are applied on the remote computer.
2: Windows key combinations are applied in
authentication_level Determines what should happen when server authentication fails.
0: If server authentication fails, connect without giving a warning.
1: If server authentication fails, do not connect.
2: If server authentication fails, show a warning and allow the user to connect or not.
second Optional. This parameter specifies the interval in seconds. Its value
should be an integer ranging from 1 to 60, and defaults to 60.
width This parameter specifies the width that appears on the client. Its
value should be an integer ranging from 0 to 4,294,967,295.
height This parameter specifies the height that appears on the client. Its
value should be an integer ranging from 0 to 4,294,967,295.
enabled|disabled This parameter specifies whether the desktop connection bar will be
displayed or not.
url This parameter specifies the URL where the installation package
can be downloaded. Its value should be a string of 1 to 255
characters.
proxy Optional. This parameter specifies the proxy address and port (for
example, 192.168.1.1:8080). Its value should be a string of 1 to 255
characters.
url This parameter specifies the URL where the installation package
can be downloaded. Its value should be a string of 1 to 255
characters.
proxy Optional. This parameter specifies the proxy address and port (for
example, 192.168.1.1:8080). Its value should be a string of 1 to 255
characters.
bitmapcaching
desktopwallpaper
fullwindowdrag
menuanimation
themes
platform This parameter specifies the platform. Its value must be:
all: indicates that this function can be configured for all the
platforms. Currently, the system only supports the Windows
platform.
idle This parameter specifies the idle timeout value in seconds. Its value
must be an integer ranging from 0 to 4,294,967,295. If it is set to 0,
the idle timeout alert is disabled and will not affect a user’s session.
lifetime This parameter specifies the lifetime timeout value in seconds. Its
value must be an integer ranging from 0 to 4,294,967,295. If it is set
to 0, the lifetime timeout alert is disabled and will not affect a user’s
session.
instance_name This parameter specifies the name of the instance. Its value should
be a string of 1 to 50 characters.
This global command is used to associate the client settings with the specified group.
instance_name This parameter specifies the instance to which the group belongs.
group_name This parameter specifies the name of the group. Its value should be
a string of 1 to 250 characters.
instance_name This parameter specifies the instance to which the group belongs.
instance_name This parameter specifies the instance to which the user belongs.
user_name This parameter specifies the name of the user. Its value should be a
string of 1 to 100 characters.
instance_name This parameter specifies the instance to which the user belongs.
Client Verification
art clientverification rule define <rule> [url]
This global command is used to configure a client verification rule.
rule This parameter specifies the name of the rule. Its value should be a
string of 1 to 255 characters.
url Optional. This parameter specifies the URL of the rule. Its value
should be a string of 1 to 255 characters.
instance_name This parameter specifies the name of the instance. Its value should
be a string of 1 to 255 characters.
instance_name This parameter specifies the instance to which the group belongs.
group_name This parameter specifies the name of the group. Its value should be
a string of 1 to 255 characters.
instance_name This parameter specifies the instance to which the group belongs.
instance_name This parameter specifies the instance to which the user belongs.
user_name This parameter specifies the name of the user. Its value should be a
string of 1 to 255 characters.
instance_name This parameter specifies the instance to which the user belongs.
This global command is used to display the list of all the client verification rules.
Import
Note: The files imported from the local file system or the remote TFTP server must be in
the UTF-8 encoding format. Otherwise, the import might fail.
add|skip This parameter specifies the option for dealing with a non-existent
user. Its value can only be:
refresh|append This parameter specifies the option for dealing with the desktops of an
existing user. Its value can only be:
refresh: indicates that all the existing desktops for the user will
be deleted and the new desktops (from the file) will be added.
append: indicates that the new desktops (from the file) will be
added to the user while the old desktops still exist.
file_name This parameter specifies the name of the file in the local file
system. Its value should be a string of 1 to 255 characters.
add|skip This parameter specifies the option for dealing with a non-existent
user. Its value can only be:
refresh|append This parameter specifies the option for dealing with the desktops of an
existing user. Its value can only be:
refresh: indicates that all the existing desktops for the user will
be deleted and the new desktops (from the file) will be added.
append: indicates that the new desktops (from the file) will be
added to the user while the old desktops still exist.
ip This parameter specifies the TFTP server IP. Its value should be
given in dotted decimal notation.
file_name This parameter specifies the name of the file on the remote TFTP
server. Its value should be a string of 1 to 255 characters.
file_name This parameter specifies the name of the file in the local file
system.
file_name This parameter specifies the name of the file on the remote TFTP
server.
Export
Note: The files exported to the local file system or the remote TFTP server are in the
UTF-8 encoding format. To read or edit the exported file, make sure that your file viewer
or editor supports UTF-8 encoding.
file_name This parameter specifies the name of the file in the local file
system. Its value should be a string of 1 to 255 characters.
Note: The information of users with no desktops assigned will not be exported from the
database to the local file system.
file_name This parameter specifies the name of the file on the remote TFTP
server. Its value should be a string of 1 to 255 characters.
Note: The information of users with no desktops assigned will not be exported from the
database to the remote TFTP server.
file_name This parameter specifies the name of the file in the local file
system.
This global command is used to export ART configurations from the database to the remote TFTP
server.
file_name This parameter specifies the name of the file on the remote TFTP
server.
file_name This parameter specifies the name of the file in the local file
system.
Chapter 16 MotionPro
This chapter describes all the CLI commands used to configure the MotionPro feature. All
MotionPro CLI commands are available under the virtual site scope.
Basic Commands
show motionpro config
This command is used to display all the MotionPro CLI configurations.
AAA
The commands listed below are used for DeviceID Authentication. For other User Authentication
and Certificate Authentication methods, please refer to Chapter 4 AAA.
type This parameter specifies the type of the AAA server. Its value must
only be “deviceid”
server_name This parameter specifies the name of the AAA server, which must
be unique among all servers in the same virtual site. Its value must
be a string of 1 to 32 characters.
description Optional. This parameter specifies the server description. Its value
must be a string of 1 to 127 characters. If it is not specified, the
default description will be the value of “server_name”.
Note: The “aaa server deviceid autoregister” configuration will not take effect if the
“aaa server deviceid rejectunregister” command is configured for the same DeviceID
server.
Note: The following two commands work only when this function is enabled.
device_limit This parameter specifies the maximum number of devices that a user
can have. Its value can be an integer ranging from 0 to
4,294,967,295. “0” means no upper limit on devices.
This command is used to delete the setting of the device upper limit per user for the specified
DeviceID server.
device_id This parameter specifies the device ID. Its value should be a string
of 1 to 511 characters, which must be enclosed in double quotes.
device_name This parameter specifies the name to describe the device. Its value
should be a string of 1 to 256 characters.
status This parameter specifies the status of the device. The parameter
value can only be:
account.
Role
motionpro role define <role_name>
This command is used to add a new role.
role_name This parameter specifies the name of the role. Its value should be
a string of 1 to 255 characters.
role_name Optional. This parameter specifies the name of the role. If this
parameter is not specified, all the roles defined will be displayed.
user_name This parameter specifies the name of the user. Its value should be
a string of 1 to 255 characters.
user_name Optional. This parameter specifies the name of the user. If this
parameter is not specified, all the user-association configurations
of the role will be displayed.
Client Rule
motionpro client rule define <rule_name> [url]
This command is used to add a new MotionPro client rule.
rule_name This parameter specifies the name of the rule. Its value should be
a string of 1 to 255 characters.
url Optional. This parameter specifies the URL of the rule file. Its
value should be a string of 1 to 511 characters.
rule_name Optional. This parameter specifies the name of the rule. If this
parameter is not specified, all the rules defined will be displayed.
role_name Optional. This parameter specifies the name of the role. If this
parameter is not specified, the rule-association configuration of
all the roles will be displayed.
user_name Optional. This parameter specifies the name of the user. If this
parameter is not specified, the rule-association configuration of
all the users will be displayed.
rule_name Optional. This parameter specifies the name of the rule. If this
parameter is not specified, all the rules associated with the
virtual site will be displayed.
device_type This parameter specifies the device type. Its value must be
“macos”, “iphone”, “ipad”, “windows”, “android”, “linux” or “all”.
“all” indicates all types of devices.
Web Resources
Web APP
url This parameter specifies the URL of the Web Application. Its
value should be a string of 1 to 255 characters.
role_name Optional. This parameter specifies the name of the role. If this
parameter is not specified, the association configurations
between all the roles and Web Applications will be displayed.
user_name Optional. This parameter specifies the name of the user. If this
parameter is not specified, the association configurations
between all the users and Web Applications will be displayed.
Native Applications
motionpro nativeapp define <app_name> <description> <os_type>
<app_type> [parameters] [app_id]
This command is used to add a new Native Application.
app_name This parameter specifies the name of the Native Application. Its
value should be a string of 1 to 255 characters.
app_type This parameter specifies the type of the Native Application. Its
value can only be “built-in” or “third-party”.
app_id Optional. This parameter specifies the application ID. Its value
should be an integer ranging from 0 to 2,147,483,647, and
defaults to 0.
role_name Optional. This parameter specifies the name of the role. If this
parameter is not specified, the association configurations
between all the roles and Native Applications will be displayed.
user_name Optional. This parameter specifies the name of the user. If this
parameter is not specified, the association configurations
between all the users and Native Applications will be displayed.
MDM
motionpro mdm on
This command is used to enable the Mobile Device Management (MDM) function.
url This parameter specifies the URL of the APN certificate. Its
value should be a string of 1 to 255 characters starting with
“http://”.
database_check_interval This parameter specifies the interval, in seconds, at which the
MDM server checks the database for notifications to be sent to
mobile devices (Android) or to APN (iOS). Its value should be an
integer ranging from 1 to 3600, and defaults to 3.
This command is used to display the interval at which MDM checks the database and the SSL
reconnection interval.
device_check_interval This parameter specifies the interval, in minutes, at which the
MDM server checks the mobile device status. Its value should be an
integer ranging from 1 to 60, and defaults to 1.
push_ip This parameter specifies the push IP address or the domain name of
the MDM server. Its value must be a string of 1 to 63 characters and
must be enclosed in double quotes if the parameter value is set to
an IP address.
push_port This parameter specifies the push port of the MDM server. Its value
must be an integer ranging from 1 to 65535.
service_url This parameter specifies the URL that provides the MDM service.
Note:
The files backed up to the remote TFTP server are in the UTF-8 encoding format. To read
or edit the backed up file, make sure that your file viewer or editor supports UTF-8
encoding.
The files restored from the remote TFTP server must be in the UTF-8 encoding format. To
read or edit the restored file, make sure that your file viewer or editor supports UTF-8
encoding.
tftp_ip This parameter specifies the IP address of the TFTP server. Its value
should be given in dotted decimal notation.
tftp_ip This parameter specifies the IP address of the TFTP server. Its value
should be given in dotted decimal notation.
file_name This parameter specifies the name of the configuration file saved on
the remote TFTP server. Its value should be a string of 1 to 256
characters.
Note:
The files imported from the appliance’s disk or the remote TFTP server must be in the
UTF-8 encoding format. Otherwise, the importing might fail.
The files exported to the appliance’s disk or the remote TFTP server are in the UTF-8
encoding format. To read or edit the exported file, make sure that your file viewer or editor
supports UTF-8 encoding.
file_name This parameter specifies the name of the configuration file on the
appliance’s disk. Its value should be a string of 1 to 256 characters.
file_name This parameter specifies the name of the configuration file on the
appliance’s disk. Its value should be a string of 1 to 256 characters.
tftp_ip This parameter specifies the IP address of the TFTP server. Its value
must be an IPv4 address.
file_name This parameter specifies the name of the configuration file on the
remote TFTP server. Its value should be a string of 1 to 256
characters.
tftp_ip This parameter specifies the IP address of the TFTP server. Its value
must be an IPv4 address.
file_name This parameter specifies the name of the configuration file on the
remote TFTP server. Its value should be a string of 1 to 256
characters.
file_name This parameter specifies the name of the configuration file on the
appliance's disk. Its value should be a string of 1 to 256 characters.
tftp_ip This parameter specifies the IP address of the TFTP server. Its value
must be an IPv4 address.
file_name This parameter specifies the name of the configuration file on the
remote TFTP server. Its value should be a string of 1 to 256
characters.
tftp_ip This parameter specifies the IP address of the TFTP server. Its value
must be an IPv4 address.
file_name This parameter specifies the name of the configuration file on the
remote TFTP server. Its value should be a string of 1 to 256
characters.
Portal Configuration
motionpro portal tabpage <tab_type> <display_mode>
This command is used to configure whether a specific tab page will be displayed on the
MotionPro portal. With this function, administrators can hide corresponding tab pages from end
users when the system does not have the specific feature licensed. By default, all the tab pages are
displayed.
tab_type This parameter specifies the type of the tab page. Its value can only
be “web”, “application” or “desktop”.
display_mode This parameter specifies the display mode of the tab. Its value can
only be “display” or “not_display”.
policy_name This parameter specifies the name of the VPN policy. Its value must
be:
both: indicates that both the L4VPN tunnel and the SSL
L3VPN tunnel will be established for end users. This VPN
policy works only for MotionPro clients on PCs. Android and
iOS MotionPro clients will still use the default policy.
Synchronization
motionpro sync sql <sql_string>
This command is used to synchronize the MotionPro database by executing PostgreSQL
commands.
Note:
Single quotes (') in PostgreSQL commands must be replaced by the ampersand (&).
Note: The maximum number of VPN Netpool Client IPs (per vsite) for vxAG (2G) is
2048.
The Limit column gives one value when the limit is the same on all models, or six values in the
order AG 1000/1000-T (2G), AG 1100 (4G), AG 1150 (4G), AG 1200 (8G), AG 1500 (16G),
AG 1600 (16G).

Virtual Site Scope

| Module | Limit Item | Related CLI | Limit |
|---|---|---|---|
| Virtual Site | Maximum number of virtual sites (affected by license) | virtual site name | 10 / 256 / 256 / 256 / 256 / 256 |
| Virtual Site | Maximum number of virtual site IPs | virtual site ip | 1000 (AG 1000/1000-T); 2000 (other models) |
| Virtual Site | Maximum number of virtual site domain names | virtual site domain | 1000 |
| Virtual Site | Maximum vip-port pairs (including QuickLink port mode and http redirect insecure) | virtual site ip; virtual site quicklink port; (vsite) http redirect insecure | 4000 |
| Virtual Site | Maximum number of vip-port pairs (including QuickLink port mode) per vsite | virtual site ip; virtual site quicklink port; (vsite) http redirect insecure | 64 |
| Virtual Site | Maximum number of ports per vip (including quicklink port mode and http redirect insecure) | virtual site ip; virtual site quicklink port; (vsite) http redirect insecure | 1000 |
| Virtual Site | Maximum number of QuickLink hostname mode definitions | virtual site quicklink hostname | 1000 |
| Role | Maximum number of roles | role name | 2000 |
| Role | Maximum number of qualifications (per role) | role qualification | 32 |
| Role | Maximum number of conditions (per qualification) | role condition | 32 |
| Role | Maximum number of QuickLink resources (per vsite) | role resource quicklink | 1000, totally 100,000 |
| Role | Maximum number of WRM resources (per vsite) | role resource web | 1000, totally 100,000 |
| ACL | Maximum number of ACL rules | acl rule | 10,000 |
| ACL | Maximum number of ACL resource groups (per vsite) | acl resourcegroup | 1000; totally 10,000 |
| ACL | Maximum number of ACL resources | acl resource | 1500 / 15,000 / 50,000 / 125,000 / 360,000 / 640,000 |
| AAA | Maximum number of AAA servers (per vsite) | aaa server | 3 for each server type |
| AAA | Maximum number of AAA methods (per vsite) | aaa method | 5 |
| AAA | Maximum number of AAA method ranks (per vsite) | aaa method rank include | 4 |
| AAA | Maximum number of AAA multi-factor authentication servers | aaa method server | 3 |
| Session | Maximum number of concurrent sessions (affected by license) | | 300 / 3000 / 10,000 / 25,000 / 72,000 / 128,000 |
| Session | Maximum number of session groups | virtual site session group | 128 |
| SSL VPN Client | Maximum number of VPN Netpools (per vsite) | vpn netpool | 1024 / 2048 / 2048 / 4096 / 8192 / 8192 |
| SSL VPN Client | Maximum number of VPN resource groups (per vsite) | vpn resource group | 1024 / 2048 / 2048 / 4096 / 8192 / 8192 |
| SSL VPN Client | Maximum number of VPN Netpool IP ranges (per Netpool) | vpn netpool iprange | 1024 / 2048 / 2048 / 4096 / 8192 / 8192 |
| SSL VPN Client | Maximum number of VPN Netpool Client IPs (per vsite) | | 2048 / 131072 / 131072 / 262144 / 524288 / 524288 |
| SSL VPN Client | Maximum number of VPN Netpool DNS hostmaps (per Netpool) | vpn netpool dns hostmap | 1024 / 2048 / 2048 / 4096 / 8192 / 8192 |
| SSL VPN Client | Maximum number of VPN application resources (per vsite) | vpn resource groupitem application | 1024 / 2048 / 2048 / 4096 / 8192 / 8192 |
| SSL VPN Client | Maximum number of VPN network resources (per vsite) | vpn resource groupitem network | 1024 / 2048 / 2048 / 4096 / 8192 / 8192 |
| Proxy | Maximum number of SSO POST configurations (per vsite) | sso post | 64 |
| Proxy | Maximum number of URL policies (per vsite) | urlpolicy | 3000 |
| SSL | Maximum depth of a certificate chain | | 9 |
| SSL | Maximum number of CDPs (CRL distribution point) | ssl settings crl offline | 10 |
| SSL | Maximum number of certificates imported on Array | ssl import interca; ssl import rootca | no limit |
| LocalDB | Maximum number of LocalDB accounts | localdb account | 10,000 / 200,000 / 200,000 / 200,000 / 500,000 / 500,000 |
| LocalDB | Maximum number of LocalDB groups | localdb group | 1000 / 10,000 / 10,000 / 10,000 / 50,000 / 50,000 |
| LocalDB | Maximum number of LocalDB groups that one account belongs to | localdb member | 20 |
| LocalDB | Maximum number of LocalDB backups | localdb backup | 20 |
| DNS | Maximum number of static DNS hosts | dns host | 1000 |
| DNS | Maximum number of DNS name servers | | 3 |
| DNS | Maximum number of DNS search domains | | 6 |
| System | Maximum number of custom configuration files | write file | no limit |

Global Scope

| Module | Limit Item | Related CLI | Limit |
|---|---|---|---|
| NAT | Maximum number of NAT static definitions | | 512 |
| NAT | Maximum number of NAT port definitions | | 512 |
| Bond | Maximum number of Bonds | | 3 |
| Bond | Maximum number of physical interfaces per Bond | | 12 |
| VLAN | Maximum number of VLANs | | 250 |
| VLAN | Maximum number of VLAN tags per interface | | 250 |
| VLAN | VLAN tag range | | 1-4094 |
| Route | Maximum number of default routes | | 1 |
| Syslog | Maximum number of syslog lines | | 1024 |
| Syslog | Maximum size of syslog | | 1024*1024 |
| Cluster | Maximum number of VCIDs | | 255 |
| Cluster | Maximum number of VIPs per interface of each VCID | | 255 |
| Cluster | Maximum number of synconfig peers | | 64 |
| DNS | Maximum number of static DNS hosts (counted together with vsite) | ip dns host | 1000 |
| DNS | Maximum number of DNS name servers | | 3 |
| DNS | Maximum number of DNS search domains | | 6 |
| SSL | Maximum number of SSL connections | | 1200 / 12,000 / 20,000 / 50,000 / 144,000 / 256,000 |
| Administrator | Maximum number of administrator accounts | admin user | 100 / 100 / 100 / 100 / 100 / 100 |