3.5 Virtual Hub Security Features


    Combined revision comparison

    Comparing version 18:56, 3 Mar 2013 by genya with version 18:32, 4 Mar 2013 by yagi.

    ...

    Administrators to whom the administration of a Virtual Hub has been delegated can change their own administration password at any time. They can also change the Virtual Hub's online / offline status at any time. In addition, they can change various settings relating to the Virtual Hub, create cascade connections and define user and group objects. However, these settings changes may be subject to limitations imposed by the entire VPN Server Administrator. Please refer to 3.5.12 for details on how the VPN Server Administrator can restrict the tasks which can be performed by the Virtual Hub Administrators.

    ...

    Please refer to 2.2.3 (in 2.2 User Authentication) for details on the items which need to be set. There is no need to perform domain controller settings when using NT domain or Active Directory authentication. For details, please refer to 2.2.4.

    ...

    Groups administer a collection of multiple users and are useful when wishing to apply the same security policies to all users registered in that group. Please refer to 3.5.9 for details on security policies.

    ...

    A user authentication method has to be selected for each user. Please refer to 2.2 for details on each method. At the same time, the parameters corresponding to the chosen authentication method must also be designated. These parameters can be set simply with the GUI in the VPN Server Manager, while the same tasks can be carried out in the vpncmd utility using the [UserAnonymousSet], [UserPasswordSet], [UserCertSet], [UserSignedSet], [UserRADIUSSet] and [UserNTLMSet] commands.

    ...

    A list of the trusted certification authority certificates can be administered on the Virtual Hub. This certificate list can be used for the functions in 3.4.12, in addition to its use in signed certificate authentication (2.2.6) for checking whether the certificate submitted by a user is trusted.

    ...

    When the authentication type of a user registered on the Virtual Hub is signed certificate authentication, it is possible to allow the connection only when the CN (Common Name) and serial number of the X.509 certificate submitted by the user are examined and found to match completely the values predefined in the user object. Please refer to the section of 2.2 User Authentication entitled [Limit of connectable certificate by Common Name or serial number] (2.2.6).

    ...

    It is possible to designate an alias for the user name registered in the Virtual Hub user object for RADIUS authentication or NT Domain & Active Directory authentication, and to carry out user authentication under this alias when requesting authentication from the RADIUS authentication server or domain controller. For details, please refer to 2.2.3 and 2.2.4 in 2.2 User Authentication.

    ...

    1. When security policies are set for a user attempting to connect to the VPN, those settings are adopted.
    2. When security policies are not set for a user attempting to connect to the VPN and that user belongs to a group, the security policies set for that group are applied to the user.
    3. Where the user is the Administrator described in 3.4.13 (3.4 Virtual Hub Functions), the special Administrator security policies are applied.
    4. For all other scenarios, the default security policies (see next section) are applied.

    ...

    Maximum Number of Multiple Logins policy
    Description: Denies users for whom this policy is set from performing more than a set number of simultaneous logins. This security policy can only be enabled in a VPN Server which features the multiple login limit function.
    Settable values: [No setting] or 1 - 65,535 (logins)
    Default value: [No setting]
    Remarks: This security policy value is only valid for VPN Servers with a registered SoftEther VPN Option Pack license.

    Deny VoIP / QoS Function policy
    Description: Denies use of the VoIP / QoS response function in the VPN connection sessions of users for whom this policy is set. This security policy can only be enabled in a VPN Server which features the VoIP / QoS response function.
    Settable values: [Enabled] and [Disabled]
    Default value: [Disabled]
    Remarks: This security policy value is only valid for VPN Servers with a registered SoftEther VPN Option Pack license.

    ...

    Users are able to confirm the values of the security policy settings applied to the current session when a VPN Client is connected to a VPN Server Virtual Hub. For details, please refer to 4.5.2 in 4.5 Connect to VPN Server.

    ...

    As explained in 3.5.1, Virtual Hub Administrators possess the authority to perform most settings on their own hub at their own discretion. However, there may be situations where some functions need to be disabled and made unavailable to the Virtual Hub Administrators, such as disabling the cascading function from one Virtual Hub to another or disabling the SecureNAT function.

    ...

    • allow_hub_admin_change_option
      This entry is special in that a value of 1 (Enabled) allows not only the entire VPN Server Administrator but also the Virtual Hub Administrators to alter their own Virtual Hub administration options.
    • max_users
      Designating a value of 1 or more for this entry restricts the maximum number of users which can be registered on the Virtual Hub, and no user objects beyond this value can be registered.
    • max_groups
      Designating a value of 1 or more for this entry restricts the maximum number of groups which can be registered on the Virtual Hub, and no group objects beyond this value can be registered.
    • max_accesslists
      Designating a value of 1 or more for this entry restricts the maximum number of access list entries which can be registered on the Virtual Hub, and no access list entries beyond this value can be registered.
    • max_sessions
      Designating a value of 1 or more for this entry restricts the maximum number of VPN sessions which can be registered on the Virtual Hub, and any VPN connections beyond this value are unable to be simultaneously processed.
    • max_sessions_client
      When the max_sessions_client_bridge_apply entry is 1 (Enabled), the number of client connection sessions which can be simultaneously connected to this Virtual Hub is not able to exceed the value set for max_sessions_client. The max_sessions_client entry value is ignored when the max_sessions_client_bridge_apply entry is set at 0.
    • max_sessions_bridge
      When the max_sessions_client_bridge_apply entry is 1 (Enabled), the number of bridge connection sessions which can be simultaneously connected to this Virtual Hub is not able to exceed the value set for max_sessions_bridge. The max_sessions_bridge entry value is ignored when the max_sessions_client_bridge_apply entry is set at 0.
    • max_sessions_client_bridge_apply
      Only when this entry is 1 (Enabled) are the max_sessions_client and max_sessions_bridge entries meaningful. The max_sessions_client_bridge_apply entry is regarded as being permanently set as 1 when using the SoftEther VPN Server Carrier Edition.
    • max_bitrates_download
      When this entry is set at 1 or more, the value of the [Download bandwidth] security policy is forcibly changed to this entry value and download speed is restricted for all VPN sessions connected to the Virtual Hub. For instance, setting this value at 1000000 means that all VPN connection sessions on this Virtual Hub are not able to exceed the download speed of 1Mbps.
    • max_bitrates_upload
      When this entry is set at 1 or more, the value of the [Upload bandwidth] security policy is forcibly changed to this entry value and upload speed is restricted for all VPN sessions connected to the Virtual Hub. For instance, setting this value at 1000000 means that all VPN connection sessions on this Virtual Hub are not able to exceed the upload speed of 1Mbps.
    • max_multilogins_per_user
      When this entry is set at 1 or more, the multiple login limit security policy for all users connected to the Virtual Hub is permanently overwritten with this value (although when the multiple login limit is set and is smaller than the value designated in here then that multiple login limit value is used).
    • deny_empty_password
      When this entry is 1 (Enabled), users registered on the Virtual Hub are unable to set empty passwords. If there are users who have set empty passwords, they are unable to connect to the VPN (except connections from localhost, which are possible).
    • deny_bridge
      When this entry is 1 (Enabled), bridge is permanently denied for sessions connected to the Virtual Hub regardless of the contents of the user's security policies when connected. It is therefore not possible to connect to the Virtual Hub with the aim of bridging.
    • deny_qos
      When this entry is 1 (Enabled), the VoIP / QoS support function is permanently disabled for sessions connected to the Virtual Hub regardless of the contents of the user's security policies when connected.
    • deny_routing
      When this entry is 1 (Enabled), routing is permanently denied for sessions connected to the Virtual Hub regardless of the contents of the user's security policies when connected. It is therefore not possible to connect to the Virtual Hub with the aim of routing.
    • deny_change_user_password
      When this entry is 1 (Enabled), Virtual Hub users are unable to change their own passwords in the password authentication mode.
    • no_change_users
      When this entry is 1 (Enabled), Virtual Hub Administrators are unable to add new users or delete or edit existing users on the Virtual Hub.
    • no_change_groups
      When this entry is 1 (Enabled), Virtual Hub Administrators are unable to add new groups or delete or edit existing groups on the Virtual Hub.
    • no_SecureNAT
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot enable or disable the SecureNAT function.
    • no_SecureNAT_enabledhcp
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot enable the Virtual DHCP Server in the SecureNAT function.
    • no_SecureNAT_enablenat
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot enable virtual NAT function in the SecureNAT function.
    • no_cascade
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot create, delete or edit cascade connections, or put them online / take them offline.
    • no_online
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot put an offline Virtual Hub online.
    • no_offline
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot take an online Virtual Hub offline.
    • no_change_log_config
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot modify the save settings of the Virtual Hub log files.
    • no_disconnect_session
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot forcefully disconnect designated VPN sessions connected to the Virtual Hub.
    • no_delete_iptable
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot delete designated IP address entries from the Virtual Hub's IP Address Table database.
    • no_delete_mactable
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot delete designated MAC address entries from the Virtual Hub's MAC Address Table database.
    • no_enum_session
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot enumerate a list of VPN sessions currently connected to the Virtual Hub.
    • no_query_session
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot obtain detailed information on a designated VPN session currently connected to the Virtual Hub.
    • no_change_admin_password
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot change the Virtual Hub administration password.
    • no_change_log_switch_type
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot modify the settings of the [Log file switch cycle] in the Virtual Hub log file save settings.
    • no_change_access_list
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot operate the Virtual Hub's access list.
    • no_change_access_control_list
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot operate the Virtual Hub's IP access control list.
    • no_change_cert_list
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot operate the trusted CA certificates list.
    • no_change_crl_list
      When this entry is 1 (Enabled), Virtual Hub Administrators cannot operate the Certificates Revocation List.
    • no_read_log_file
      When this entry is 1 (Enabled), Virtual Hub Administrators are unable to enumerate the Virtual Hub's log files or to read them remotely using an administration connection.
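    The following Python model is an added example, not code from the SoftEther manual or project. It applies the four security-policy precedence steps described earlier for a connecting user and then the Virtual Hub administration options above that override or cap the result (max_bitrates_*, max_multilogins_per_user, deny_bridge / deny_routing / deny_qos, max_sessions*, deny_empty_password). The field names, sample users, option values and session state are assumptions constructed for the example.

```python
"""Added example, not SoftEther's own code: a model of how a Virtual Hub settles
the security policy for a new session (the four precedence steps) and then
applies the hub administration options that override it. Field names, the sample
users and the sample option values are assumptions constructed for this example."""
from dataclasses import dataclass
from typing import Optional

# Policy fields mirror the policies discussed on the page; None means [No setting].
DEFAULT_POLICY = {"max_multilogins": None, "download_bps": None, "upload_bps": None,
                  "deny_bridge": False, "deny_routing": False, "deny_qos": False}
# The page calls the Administrator's policies "special" without giving values; assumption.
ADMIN_POLICY = dict(DEFAULT_POLICY)


@dataclass
class User:
    name: str
    password: str
    policy: Optional[dict] = None   # per-user security policy, if one is set
    group: Optional[str] = None
    is_admin: bool = False


def resolve_policy(user: User, groups: dict) -> dict:
    """Steps 1-4: user policy, else group policy, else Administrator, else default."""
    if user.policy is not None:
        return dict(user.policy)
    if user.group is not None and groups.get(user.group) is not None:
        return dict(groups[user.group])
    if user.is_admin:
        return dict(ADMIN_POLICY)
    return dict(DEFAULT_POLICY)


def apply_hub_options(policy: dict, opts: dict) -> dict:
    """Hub administration options override the resolved policy."""
    p = dict(policy)
    # max_bitrates_*: the bandwidth policy is forcibly replaced, even a stricter one.
    for key, opt in (("download_bps", "max_bitrates_download"),
                     ("upload_bps", "max_bitrates_upload")):
        if opts.get(opt, 0) >= 1:
            p[key] = opts[opt]
    # max_multilogins_per_user: overwrite, unless the user's own limit is set and smaller.
    cap = opts.get("max_multilogins_per_user", 0)
    if cap >= 1:
        own = p["max_multilogins"]
        p["max_multilogins"] = own if own is not None and own < cap else cap
    # deny_bridge / deny_routing / deny_qos: forced regardless of the user's policy.
    for opt in ("deny_bridge", "deny_routing", "deny_qos"):
        if opts.get(opt, 0) == 1:
            p[opt] = True
    return p


def admit(user: User, policy: dict, opts: dict, state: dict,
          from_localhost: bool = False, bridge: bool = False) -> Optional[str]:
    """Return None if the session may connect, else the reason it is refused.
    state = {"sessions": n, "client": n, "bridge": n, "logins": {name: n}}."""
    if opts.get("deny_empty_password", 0) == 1 and user.password == "" and not from_localhost:
        return "empty password denied"
    if opts.get("max_sessions", 0) >= 1 and state["sessions"] >= opts["max_sessions"]:
        return "max_sessions reached"
    # Client/bridge caps count only when max_sessions_client_bridge_apply is 1.
    if opts.get("max_sessions_client_bridge_apply", 0) == 1:
        kind = "bridge" if bridge else "client"
        cap = opts.get(f"max_sessions_{kind}", 0)   # 0 treated as no cap (assumption)
        if cap >= 1 and state[kind] >= cap:
            return f"max_sessions_{kind} reached"
    if bridge and policy["deny_bridge"]:
        return "bridging denied"
    limit = policy["max_multilogins"]
    if limit is not None and state["logins"].get(user.name, 0) >= limit:
        return "multiple login limit reached"
    return None


# Constructed sample hub options, users and live-session state.
HUB_OPTIONS = {"max_bitrates_download": 1000000, "max_multilogins_per_user": 3,
               "deny_routing": 1, "deny_empty_password": 1, "max_sessions_client": 2,
               "max_sessions_bridge": 1, "max_sessions_client_bridge_apply": 1}
GROUPS = {"staff": {**DEFAULT_POLICY, "max_multilogins": 2}}
USERS = {"alice": User("alice", "s3cret", policy={**DEFAULT_POLICY, "max_multilogins": 5,
                                                  "download_bps": 50000000}),
         "bob": User("bob", "s3cret", group="staff"),
         "carol": User("carol", "s3cret"),
         "dave": User("dave", "")}
STATE = {"sessions": 3, "client": 1, "bridge": 1, "logins": {"bob": 2}}


def effective_policy(name: str) -> dict:
    """Policy the hub would actually enforce for the named sample user."""
    return apply_hub_options(resolve_policy(USERS[name], GROUPS), HUB_OPTIONS)
```

    Note that alice's own 50 Mbps download policy is replaced by the hub's 1 Mbps cap, while bob's group limit of 2 logins survives because it is smaller than max_multilogins_per_user.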
