
VPN Gateway:Establish an SSL-VPN connection for a client to access a VPC by using AD authentication

Last Updated: Jun 28, 2024

After two-factor authentication is enabled, the system verifies a client based on two factors when the client establishes an SSL-VPN connection: in addition to SSL client certificate authentication, the client must also pass the username and password authentication of Identity as a Service (IDaaS). The SSL-VPN connection is established only after both factors are verified, which effectively improves the security of SSL-VPN connections. You can bind an Active Directory (AD) server to IDaaS to implement AD authentication. This topic describes how to use the two-factor authentication feature to establish an SSL-VPN connection for a client to access resources in a virtual private cloud (VPC) after the client is authenticated by AD.

Scenario

(Figure: scenario diagram of the example used in this topic)

The preceding figure shows the scenario of the example used in this topic. A company has created a VPC in the China (Hangzhou) region. Applications are deployed on Elastic Compute Service (ECS) instances in the VPC. To meet business requirements, employees on business trips need to remotely access resources in the VPC from clients. The company has also deployed an AD server. To ensure security, the company requires that employees pass authentication of the AD server before they can access resources in the VPC.

In this case, the company can create a VPN gateway, enable the SSL-VPN and two-factor authentication features, and create an IDaaS Employee Identity and Access Management (EIAM) instance to implement AD authentication. Before the client of an employee can establish an SSL-VPN connection, the client must pass the SSL client certificate authentication and the username and password authentication of the IDaaS EIAM instance. The IDaaS EIAM instance implements the username and password authentication by sending the username and password of the employee to the AD server and obtaining the authentication result from the AD server. Only after two-factor authentication is passed can the client establish an SSL-VPN connection to access resources in the VPC.

Prerequisites

  • A VPC is created in the China (Hangzhou) region and relevant applications are deployed on ECS instances in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.

    Make sure that security group rules are configured for the ECS instances in the VPC to allow clients to access cloud resources deployed on the ECS instances. For more information, see View security group rules and Add a security group rule.

  • Your client can access the Internet. The private CIDR block of the client does not overlap with that of the VPC.

  • An IDaaS EIAM instance of Enterprise Edition is created. For more information, see Manage instances.

  • The public IP address and service port of an AD server are obtained.

    In this example, an AD server that runs Windows Server 2022 is used. The public IP address of the server is 47.XX.XX.62 and the service port is 389.

  • The Base distinguished name (DN) of the AD server is obtained.

    In this example, the Base DN of the AD server is dc=zxtest,dc=com.

  • The DN, username, and password of the administrator of the AD server are obtained.

    In this example, the administrator username is Administrator and the password is 1****2. The administrator DN is cn=Administrator,cn=Users,dc=zxtest,dc=com, as shown in the following figure.

    (Figure: Administrator DN)

Procedure


Step 1: Bind an AD server

Bind an AD server to the IDaaS EIAM instance to synchronize account information from the AD server to the IDaaS EIAM instance. For more information, see Bind IDaaS to AD.

In this example, the default values are used for all optional parameters. The following figure shows the account information that is synchronized from the AD server to the IDaaS EIAM instance.

(Figure: account information synchronized to the IDaaS EIAM instance)

Step 2: Add an SSL-VPN application

  1. Log on to the IDaaS console.

  2. In the left-side navigation pane, click EIAM. On the IDaaS tab of the EIAM page, find the IDaaS EIAM instance that you created in Prerequisites and click Manage in the Actions column.

  3. In the left-side navigation pane of the page that appears, click Applications. On the Applications page, click Add Application.

  4. On the Add Application page, find the Alibaba SSL VPN template and click Add Application.

  5. In the Add Application - Alibaba SSL VPN dialog box, enter a name for the application and click Add.

  6. On the Sign-In tab of the application details page, configure the following parameters and click Save in the lower part of the page.

    SSO: specifies whether to enable single sign-on (SSO). By default, this switch is turned on.

    Grant Types: the method that is used by the application for authentication. In this example, the default value Password Grant is used. Select the AD server that is bound to the instance from the IdPs drop-down list. This way, the system uses the AD server to verify the employee identity.

    Authorize: the users who can access the application. In this example, the default value Manually is used. In this case, you need to manually grant permissions to the specified users to access the application. For more information, see the Authorization scope section of the "Configure SSO" topic.

  7. On the Sign-In tab, click the Authorize sub-tab.

    Grant permissions to the accounts that are used to access the application over an SSL-VPN connection. For more information, see Authorization.

Step 3: Create a VPN gateway

  1. Log on to the VPN gateway console.
  2. On the VPN Gateways page, click Create VPN Gateway.

  3. On the VPN Gateway page, configure the parameters that are described in the following table, click Buy Now, and then complete the payment.

    The following table describes only the key parameters that you must configure. For other parameters, use the default values or leave them empty. For more information, see Create and manage a VPN gateway.

    Parameter

    Description

    Region

    The region in which you want to create the VPN gateway. In this example, China (Hangzhou) is selected.

    Note

    Make sure that the VPC and the VPN gateway reside in the same region.

    Gateway Type

    The type of the VPN gateway. In this example, Standard is selected.

    Network Type

    The network type of the VPN gateway. In this example, Public is selected.

    Tunnels

    The tunnel mode of the VPN gateway. The system displays the tunnel modes that are supported in this region.

    VPC

    The VPC to be associated with the VPN gateway.

    vSwitch 1

    The first vSwitch to be associated with the VPN gateway in the selected VPC.

    • If you select Single-tunnel, you need to specify only one vSwitch.

    • If you select Dual-tunnel, you need to specify two vSwitches.

    Note
    • By default, the system selects a vSwitch. You can change or use the default vSwitch.

    • After you create a VPN gateway, you cannot change the vSwitch that is associated with the VPN gateway. You can view the associated vSwitch and the zone of the vSwitch on the details page of the VPN gateway.

    vSwitch 2

    The second vSwitch to be associated with the VPN gateway in the selected VPC.

    • Specify two vSwitches in different zones in the associated VPC to implement disaster recovery across zones for IPsec-VPN connections.

    • For a region that supports only one zone, disaster recovery across zones is not supported. We recommend that you specify two vSwitches in the zone to implement high availability of IPsec-VPN connections. You can also select the same vSwitch as the first one.

    Note

    If only one vSwitch is deployed in the VPC, create another one. For more information, see Create and manage a vSwitch.

    IPsec-VPN

    Specifies whether to enable the IPsec-VPN feature for the VPN gateway. In this example, Disable is selected.

    SSL-VPN

    Specifies whether to enable the SSL-VPN feature for the VPN gateway. In this example, Enable is selected.

    SSL Connections

    The maximum number of clients that can connect to the VPN gateway.

    Note

    The SSL Connections parameter is available only after you enable the SSL-VPN feature.

  4. Go back to the VPN Gateways page to view the VPN gateway that you created.

    The VPN gateway that you created in the previous step is in the Preparing state. After about 1 to 5 minutes, the VPN gateway enters the Normal state. The Normal state indicates that the VPN gateway is initialized and ready for use.

Step 4: Create an SSL server

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Servers.

  2. In the top navigation bar, select the region in which you want to create an SSL server.

    Note

    Make sure that the SSL server and the VPN gateway that you created reside in the same region.

  3. On the SSL Server page, click Create SSL Server.

  4. In the Create SSL Server panel, configure the parameters that are described in the following table, and click OK.

    The following table describes only the key parameters that you must configure. For other parameters, use the default values or leave them empty. For more information, see Create and manage an SSL server.

    Parameter

    Description

    VPN Gateway

    The VPN gateway that you created.

    Local Network

    The CIDR block of the VPC to which you want to connect. In this example, 192.168.0.0/16 is used.

    Client CIDR Block

    The CIDR block that your client uses to connect to the SSL server. In this example, 10.0.0.0/24 is used.

    Important
    • The subnet mask of the client CIDR block must be 16 to 29 bits in length.

    • Make sure that the local CIDR block and the client CIDR block do not overlap with each other.

    • We recommend that you use 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or one of their subnets as the client CIDR block. If you want to specify a public CIDR block as the client CIDR block, you must specify the public CIDR block as the user CIDR block of the VPC. This way, the VPC can access the public CIDR block. For more information, see the What is a user CIDR block? and How do I configure a user CIDR block? sections of the "FAQ" topic.

    • After you create an SSL server, the system automatically adds routes that point to the client CIDR block to the VPC route table. Do not add routes that point to the client CIDR block to the VPC route table again. Otherwise, SSL-VPN connections cannot work as expected.

    Advanced Configuration

    The advanced configurations. You need to enable two-factor authentication for the VPN gateway. In this example, EIAM 2.0 (recommended) is selected for the IDaaS Instance Version parameter. Use the default values for other parameters.

    • IDaaS Instance Region: the region in which the IDaaS EIAM 2.0 instance resides. In this example, China (Hangzhou) is selected.

    • IDaaS Instance: the instance that you want to associate with the SSL server. Select the IDaaS EIAM 2.0 instance that you created in Prerequisites.

    • IDaaS Application: the SSL-VPN application that is added to the IDaaS instance.
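The Client CIDR Block rules listed above (a subnet mask of 16 to 29 bits, no overlap with the local network, and a recommended private range) can be checked before the SSL server is created. The following Python script is an added example and is not code from the original topic or from Alibaba Cloud; it uses the CIDR values of this example (192.168.0.0/16 and 10.0.0.0/24), and the function names are my own. The check also rejects a block whose host bits are set, a common typo that the console would otherwise flag only at creation time.

```python
import ipaddress

# Values from this topic: the VPC (local network) and the client CIDR block.
LOCAL_NETWORK = "192.168.0.0/16"
CLIENT_CIDR = "10.0.0.0/24"

# Private ranges the topic recommends for the client CIDR block (RFC 1918).
RECOMMENDED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_client_cidr(client_cidr: str, local_networks) -> list:
    """Return a list of problems found with the client CIDR block.

    Rules taken from the SSL server parameter description:
      - the prefix length must be between 16 and 29 bits
      - the block must not overlap any local (VPC) network
    An advisory entry is added when the block lies outside the recommended
    private ranges, because a public block must then also be configured as
    the user CIDR block of the VPC.
    """
    problems = []
    try:
        # strict=True rejects a block such as 10.0.0.1/24 (host bits set).
        client = ipaddress.ip_network(client_cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR block {client_cidr!r}: {exc}"]

    if client.version != 4:
        return ["client CIDR block must be IPv4"]

    if not 16 <= client.prefixlen <= 29:
        problems.append(f"prefix length {client.prefixlen} is outside 16-29 bits")

    for local in local_networks:
        local_net = ipaddress.ip_network(local, strict=False)
        if client.overlaps(local_net):
            problems.append(f"client CIDR {client} overlaps local network {local_net}")

    if not any(client.subnet_of(rng) for rng in RECOMMENDED_RANGES):
        problems.append(
            f"{client} is outside the recommended private ranges; a public client "
            "CIDR block must also be set as the user CIDR block of the VPC"
        )
    return problems


def check_example() -> list:
    """Run the check for the values used in this topic (expected: no problems)."""
    return check_client_cidr(CLIENT_CIDR, [LOCAL_NETWORK])


if __name__ == "__main__":
    for cidr in (CLIENT_CIDR, "192.168.10.0/24", "10.0.0.0/30", "203.0.113.0/24"):
        print(cidr, check_client_cidr(cidr, [LOCAL_NETWORK]) or "OK")
```

Pass every local network of the SSL server (the topic uses one) so that the overlap check covers all of them; the script deliberately reports every violation rather than stopping at the first one.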

Step 5: Create an SSL client

  1. In the left-side navigation pane, choose Interconnections > VPN > SSL Clients.

  2. On the SSL Client page, click Create SSL Client.

  3. In the Create SSL Client panel, enter a name for the SSL client, select the SSL Server to which you want to connect, and then click OK.

  4. On the SSL Client page, find the SSL client that you created and click Download Certificate in the Actions column.

    Save the downloaded SSL client certificate package to a local directory for further client configurations.

Step 6: Configure the client

Configure a Linux client

  1. Open the CLI.

  2. Install OpenVPN.

    # Run the following command to install OpenVPN on CentOS:
    yum install -y openvpn
    # Run the following command to check whether the system creates the /etc/openvpn/conf/ directory. If the directory is not created, you must manually create the /etc/openvpn/conf/ directory. 
    cd /etc/openvpn # Go to the openvpn/ directory.
    ls              # Check whether the conf/ directory is created in the openvpn/ directory.
    mkdir -p /etc/openvpn/conf # If the conf/ directory does not exist in the openvpn/ directory, you must manually create the conf/ directory. 
    
    # Run the following command to install OpenVPN on Ubuntu:
    apt-get update
    apt-get install -y openvpn
    # Run the following command to check whether the system creates the /etc/openvpn/conf/ directory. If the directory is not created, you must manually create the /etc/openvpn/conf/ directory. 
    cd /etc/openvpn # Go to the openvpn/ directory.
    ls              # Check whether the conf/ directory is created in the openvpn/ directory.
    mkdir -p /etc/openvpn/conf # If the conf/ directory does not exist in the openvpn/ directory, you must manually create the conf/ directory.
  3. Decompress the SSL client certificate package that you downloaded and copy the SSL client certificate to the /etc/openvpn/conf directory.

  4. Go to the /etc/openvpn/conf directory, run the following command, and then enter the username and password. After the client passes AD authentication, an SSL-VPN connection is established.

    openvpn --config /etc/openvpn/conf/config.ovpn --daemon


Configure a Windows client

  1. Download and install the OpenVPN client for Windows.

  2. Decompress the SSL client certificate package that you downloaded and copy the SSL client certificate to the OpenVPN\config directory.

    In this example, the certificate is copied to the C:\Program Files\OpenVPN\config directory. You must copy the certificate to the directory in which the OpenVPN client is installed.

  3. Start the OpenVPN client, click Connect, and then enter the username and password. After the client passes AD authentication, an SSL-VPN connection is established.


Configure a macOS client

  1. Open the CLI.

  2. If Homebrew is not installed on macOS, run the following command to install Homebrew:

    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  3. Run the following command to install OpenVPN:

    brew install openvpn
  4. Copy the SSL client certificate package that you downloaded to the configuration directory of the OpenVPN client.

    1. Back up all configuration files in the /usr/local/etc/openvpn directory.

      Important

      The default installation path of OpenVPN may vary based on the version of macOS. Replace the relevant paths with the actual installation path when you perform this and subsequent operations.

    2. Run the following command to delete the configuration files of OpenVPN:

      rm /usr/local/etc/openvpn/*
    3. Run the following command to copy the downloaded SSL client certificate package to the configuration directory of OpenVPN:

      cp cert_location /usr/local/etc/openvpn/

      cert_location indicates the path of the SSL client certificate package that you downloaded. Example: /Users/example/Downloads/certs6.zip.

  5. Run the following commands to decompress the certificate package:

    cd /usr/local/etc/openvpn/
    unzip /usr/local/etc/openvpn/certs6.zip
  6. Go to the /usr/local/etc/openvpn directory, run the following command, and then enter the username and password to establish an SSL-VPN connection:

    sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn

Step 7: Test the connectivity

After you complete the preceding steps, the client is connected to the VPC and can access resources in the VPC. Perform the following steps to test the connectivity between a Linux client and the VPC:

  1. Open the CLI on the client.

  2. Run the ping command to access the ECS 1 instance in the VPC to test the connectivity.

    ping <IP address of ECS 1>

    If the following messages are returned, the client can access resources in the VPC.

    (Figure: ping replies from ECS 1)

Configurations of an IDaaS EIAM 1.0 instance

If you use an IDaaS EIAM 1.0 instance, perform the operations shown in the following procedure. You must enable Lightweight Directory Access Protocol (LDAP) authentication for the IDaaS EIAM 1.0 instance and associate the instance with the SSL server when you create the SSL server. The remaining procedure is the same as that for using an IDaaS EIAM 2.0 instance.

Procedure


Enable LDAP authentication

Before you can establish an SSL-VPN connection, you must enable LDAP authentication for the IDaaS EIAM 1.0 instance and synchronize account information for further authentication.

  1. Add the LDAP authentication source.

    1. Log on to the IDaaS console.

    2. On the EIAM page, click the Legacy Version tab, find the instance that you want to manage, and then click its ID.

    3. In the left-side navigation pane, choose Authentication > Authentication Sources.

    4. In the upper-right corner of the Authentication Sources page, click Add Authentication Source.

    5. On the Add Authentication Source page, find the LDAP icon and click Add Authentication Source in the Actions column.

    6. In the Add Authentication Source (LDAP) panel, configure the following parameters for the LDAP server and click Submit. In this example, the AD server that you use to implement AD authentication for the IDaaS EIAM 2.0 instance is used.

      • ID: the ID of the LDAP authentication source, which is automatically generated by the system.

      • Name: the custom name of the LDAP authentication source.

      • LDAP URL: the URL of the LDAP server. The LDAP server is the server in which the AD system is deployed. Format: ldap://127.0.0.1:389/. In this example, ldap://47.XX.XX.62:389/ is used.

        If the server uses an IPv6 address, set this parameter to the following format: ldap://[0000:0000:0000:0000:0000:0000:0001]:389/.

        Note

        IDaaS can access an LDAP server only over the Internet. The LDAP server must provide a public IP address and open port 389. You can configure security group rules for the LDAP server to allow only the public IP address of IDaaS to access the LDAP server. To obtain the public IP address of IDaaS, submit a ticket.

      • LDAP Base: the Base DN of the LDAP server. In this example, dc=zxtest,dc=com is used.

      • LDAP Account: the administrator DN of the LDAP server. In this example, cn=Administrator,cn=Users,dc=zxtest,dc=com is used.

      • LDAP account password: the password of the administrator of the LDAP server.

      • Filter Condition: the filter condition used to query usernames. In this example, (sAMAccountName=$username$) is used.

        For more information about filter conditions, see LDAP Filters. $username$ specifies the IDaaS username and is a fixed value.

    7. On the Authentication Sources page, find the LDAP authentication source and click the Enable icon in the Status column. In the message that appears, click OK to enable the LDAP authentication source.

  2. Synchronize account information from the LDAP server to IDaaS.

    1. In the left-side navigation pane, choose Users > Organizations and Groups.

    2. In the upper-right corner of the Organizations and Groups page, click Configure LDAP. In the Configure LDAP panel, click Create.

    3. On the Server Connection tab of the Configure LDAP panel, configure the following parameters and click Save.

      • AD/LDAP Name: the custom LDAP account name.

      • Server Address: the public IP address of the LDAP server. In this example, 47.XX.XX.62 is used.

      • Port Number: the service port of the LDAP server. In this example, 389 is used.

      • Base DN: the node DN of the accounts that you want to synchronize. In this example, dc=zxtest,dc=com is used.

        Note

        If Base DN is changed when IDaaS is synchronizing data from the LDAP or AD server, the synchronization may fail due to unmatched organization directories. Therefore, do not modify Base DN after it is specified. If you want to synchronize data from more than one directory, we recommend that you configure LDAP multiple times.

      • Administrator DN: the administrator DN. In this example, cn=Administrator,cn=Users,dc=zxtest,dc=com is used.

      • Password: the password of the administrator.

      • Select Type: the type of your LDAP server. In this example, Windows AD is selected.

      • Owned OU node: the IDaaS organization node to which account information is imported. If you do not configure this parameter, data is imported to the root organization unit (OU). In this example, the default value is used.

      • From LDAP to IDaaS: specifies whether to enable data synchronization from the LDAP server to IDaaS. If you select Enable, data can be automatically or manually synchronized from the LDAP server to IDaaS. In this example, Enable is selected.

      • Provision from IDaaS to LDAP: specifies whether to enable data synchronization from IDaaS to the LDAP server. If you select Enable, data can be automatically synchronized from IDaaS to the LDAP server. In this example, Enable is selected.

      After you configure the preceding parameters, click Test Connection to test the connectivity. If the test fails, check the network connectivity and whether the parameter settings are valid.

    4. On the Field Matching Rules tab of the Configure LDAP panel, configure the following parameters and click Save.

      Field matching rules are used to match the fields of IDaaS with the fields of the LDAP server. For example, the cn field of the LDAP server matches the username field of IDaaS.

      • Username: the field that matches the username field of IDaaS. In this example, cn is used.

        Note

        If the value of the cn field is in Chinese in the AD system, the field value cannot be synchronized to IDaaS. In this case, we recommend that you use the sAMAccountName field.

      • External ID: the field that matches the ID field of IDaaS. If the type of the LDAP server is Windows AD, enter objectGUID. If the type of the LDAP server is OpenLdap, enter uid. In this example, objectGUID is used.

      • Password Attribute: the field that matches the password field of IDaaS. If the type of the LDAP server is Windows AD, enter unicodePwd. If the type of the LDAP server is OpenLdap, enter userPassword. In this example, unicodePwd is used.

      • User Unique Identifier: the field that matches the unique user ID field of IDaaS. If the type of the LDAP server is Windows AD, enter DistinguishedName. If the type of the LDAP server is OpenLdap, enter EntryDN. In this example, DistinguishedName is used.

      • Email: the field that matches the email field of IDaaS. In this example, mail is used.

    5. On the OUs and Groups page, choose Import > LDAP > OU.

    6. In the LDAP List panel, find the LDAP server and click Import. In the message that appears, click OK. In the OU Temporary Data panel, confirm the organization information and click Confirm Import.

    7. In the OUs section, select the organization. In the organization details section, choose Import > LDAP > Account.

    8. In the LDAP List panel, find the LDAP server and click Import. In the message that appears, click OK. In the Account Temporary Data LDAP List panel, confirm the account information, click Confirm Import, and then configure the default password for the accounts to be synchronized.

      Important

      Clients must provide the passwords that are configured on the AD server for later logon. The password that you specify in this step is the default password of accounts in the IDaaS instance.

  3. Enable LDAP authentication for cloud services.

    1. In the left-side navigation pane, choose Settings > Security Settings.

    2. On the Security Settings page, click the Cloud Product AD Authentication tab.

    3. Select the LDAP authentication source that you created, turn on the switch, and then click Save.

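The LDAP authentication source parameters entered above (the LDAP URL format, the Base DN, the administrator DN, and the (sAMAccountName=$username$) filter) can be sanity-checked before they are typed into the console. The following Python script is an added example and is not IDaaS code; the address 198.51.100.62 is a constructed placeholder standing in for the masked 47.XX.XX.62 used on this page, and the function names are my own. It validates the documented ldap://<ip>:<port>/ URL format (IPv4 or bracketed IPv6), checks that the administrator DN lies under the Base DN, and renders the filter template with RFC 4515 escaping of the username, which is what makes a username containing characters such as * or ) match literally instead of changing the meaning of the search filter.

```python
import ipaddress
from urllib.parse import urlsplit

# Values mirroring this topic. 198.51.100.62 is a constructed placeholder
# (documentation address range) for the masked 47.XX.XX.62 used on the page.
LDAP_URL = "ldap://198.51.100.62:389/"
BASE_DN = "dc=zxtest,dc=com"
ADMIN_DN = "cn=Administrator,cn=Users,dc=zxtest,dc=com"
FILTER_TEMPLATE = "(sAMAccountName=$username$)"

# RFC 4515 escapes for the characters that carry meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str) -> str:
    """Replace the fixed $username$ token in the filter template with the escaped name."""
    if "$username$" not in template:
        raise ValueError("filter template must contain the $username$ token")
    return template.replace("$username$", escape_filter_value(username))


def validate_ldap_url(url: str) -> list:
    """Return problems with an LDAP URL of the form ldap://<ip>:<port>/ .

    The host must be an IPv4 address or a bracketed IPv6 address, the port must
    be explicit (389 in this topic) and nothing may follow the trailing slash.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        problems.append(f"scheme must be ldap, got {parts.scheme!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append("URL must end with / and carry no path, query or fragment")
    try:
        host, port = parts.hostname, parts.port
    except ValueError as exc:  # non-numeric or out-of-range port
        return problems + [f"malformed port: {exc}"]
    if host is None:
        problems.append("missing host")
    else:
        try:
            ipaddress.ip_address(host)  # rejects names and typos such as "47.XX.XX. 62"
        except ValueError:
            problems.append(f"host {host!r} is not an IPv4 or IPv6 address")
    if port is None:
        problems.append("port must be given explicitly (389 in this topic)")
    return problems


def _normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip spaces around the RDN separators.

    Simplified normalization: escaped commas inside RDN values are not handled.
    """
    return ",".join(part.strip() for part in dn.lower().split(","))


def dn_under_base(dn: str, base_dn: str) -> bool:
    """True when dn is the Base DN itself or lies somewhere beneath it."""
    dn_n, base_n = _normalize_dn(dn), _normalize_dn(base_dn)
    return dn_n == base_n or dn_n.endswith("," + base_n)


def check_ldap_source(url: str, base_dn: str, admin_dn: str, template: str) -> list:
    """Collect every problem found in the authentication source parameters."""
    problems = validate_ldap_url(url)
    if not dn_under_base(admin_dn, base_dn):
        problems.append(f"administrator DN {admin_dn!r} is not under Base DN {base_dn!r}")
    try:
        render_filter(template, "probe")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    print(check_ldap_source(LDAP_URL, BASE_DN, ADMIN_DN, FILTER_TEMPLATE) or "OK")
    print(render_filter(FILTER_TEMPLATE, "alice"))
```

The same checks apply to the Server Address, Port Number, Base DN and Administrator DN fields of the Configure LDAP panel, which take the address and port separately instead of as a URL.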