Array Networks


Array AG 9.4 CLI Handbook
Copyright Statement
Copyright©2000-2018 Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, California 95035,
USA. All rights reserved.

This document is protected by copyright and distributed under licenses restricting its use, copying,
distribution, and compilation. No part of this document can be reproduced in any form by any
means without prior written authorization of Array Networks. Documentation is provided “as is”
without warranty of any kind, either express or implied, including any kind of implied or express
warranty of non-infringement or the implied warranties of merchantability or fitness for a
particular purpose.

Array Networks reserves the right to change any products described herein at any time, and
without notice. Array Networks assumes no responsibility or liability arising from the use of
products described herein, except as expressly agreed to in writing by Array Networks. The use
and purchase of this product does not convey a license to any patent copyright, or trademark rights,
or any other intellectual property rights of Array Networks.

Warning: Modifications made to the Array Networks unit, unless expressly approved by
Array Networks, could void the user’s authority to operate the equipment.

Declaration of Conformity
We, Array Networks, Inc., 1371 McCarthy Blvd, Milpitas, CA 95035, 1-866-692-7729; declare
under our sole responsibility that the product(s) Array Networks, Array Appliance complies with
Part 15 of FCC Rules. Operation is subject to the following two conditions: (1) this device can not
cause harmful interference, and (2) this device must accept any interference received, including
interference that can cause undesired operation.

Warning: This is a Class A digital device, pursuant to Part 15 of the FCC rules. These
limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. This equipment generates, uses, and
can radiate radio frequency energy, and if not installed and used in accordance with the
instruction manual, can cause harmful interference to radio communications. In a
residential area, operation of this equipment is likely to cause harmful interference in
which case the user can be required to take adequate measures. In a domestic environment
this product can cause radio interference in which case the user can be required to take
adequate measures.

2000-2018 Array Networks, Inc. All Rights Reserved.
About Array Networks


Array Networks is a global leader in networking solutions for connecting users and applications
while ensuring performance, availability and security. Using Array, companies can provide access
for any user, anywhere, on any device to applications, desktops and services running in either the
cloud or the enterprise data center. From Web sites to e-commerce to enterprise applications to
cloud services, Array solutions deliver a premium end-user experience and demonstrable security
while ensuring that revenue and productivity gains always outweigh CAPEX and OPEX.

Engineered for the modern data center, Array Networks application, desktop and cloud service
delivery solutions support the scalability, price-performance, software agility and leading-edge
feature innovation essential for successfully transforming today's challenges in mobile and cloud
computing into opportunities for mobilizing and accelerating business.

Contacting Array Networks


Please use the following information to contact us at Array Networks:

Website:

https://www.arraynetworks.com/

Telephone:

Phone: (408)240-8700

Toll Free: 1-866-692-7729 (1-866-MY-ARRAY)

Support: 1-877-992-7729 (1-877-99-ARRAY)

Fax: (408)240-8754

Telephone access to Array Networks is available Monday through Friday, 9 A.M. to 5 P.M. PST.

Email:

[email protected]

Address:

1371 McCarthy Boulevard

Milpitas, California 95035, USA

Revision History
Date              Description
July 4, 2016      9.4.0.49 GA release.
October 18, 2016  Updated for ArrayOS AG 9.4.0.66 patch release.
January 3, 2017   Updated for ArrayOS AG 9.4.0.94 patch release.
February 27, 2017 Updated for ArrayOS AG 9.4.0.107 patch release.
April 24, 2017    Updated for ArrayOS AG 9.4.0.135 patch release.
August 21, 2017   Updated for ArrayOS AG 9.4.0.163 patch release.
October 30, 2017  Updated for ArrayOS AG 9.4.0.170 patch release.
January 2, 2018   Updated for ArrayOS AG 9.4.0.188 patch release.
March 30, 2018    Updated for ArrayOS AG 9.4.0.201 patch release.

Table of Contents
Copyright Statement ......................................................................................................................... I

Declaration of Conformity ................................................................................................................ I

About Array Networks ..................................................................................................................... II

Contacting Array Networks ............................................................................................................. II

Revision History ............................................................................................................................. III

Table of Contents ............................................................................................................................IV

Chapter 1 CLI Basics ........................................................................................................................ 1

Login to the AG Appliance ....................................................................................................... 2

Levels of Global Access Control .............................................................................................. 2

Levels of Virtual Site Access Control ....................................................................................... 4

Switching Between Global and Virtual Site ............................................................................. 4

Chapter 2 Basic System Operations .................................................................................................. 6

Basic Commands....................................................................................................................... 6

Basic Network Settings ........................................................................................................... 12

DNS Settings ........................................................................................................................... 21

System Tune Settings .............................................................................................................. 26

System Time Settings.............................................................................................................. 29

Chapter 3 Virtual Site ..................................................................................................................... 31

Virtual Site .............................................................................................................................. 31

SSL.......................................................................................................................................... 33

SM2 ................................................................................................................................. 52

Chapter 4 AAA ............................................................................................................................... 57

General Settings ...................................................................................................................... 57

Server ...................................................................................................................................... 59

LocalDB .......................................................................................................................... 60

LDAP .............................................................................................................................. 83

RADIUS .......................................................................................................................... 96

Certificate ...................................................................................................................... 101


SMS............................................................................................................................... 113

SMX .............................................................................................................................. 120

HTTP............................................................................................................................. 122

SAML ................................................................................................................................... 133

OAuth Authentication ........................................................................................................... 136

Method .................................................................................................................................. 142

Rank ...................................................................................................................................... 144

Accounting ............................................................................................................................ 145

Group Mapping ..................................................................................................................... 146

Hardware ID.......................................................................................................................... 147

Chapter 5 User Policy ................................................................................................................... 158

Role Configuration ................................................................................................................ 158

ACL Configuration ............................................................................................................... 172

Session Management............................................................................................................. 176

Global Settings .............................................................................................................. 176

Per-VS Settings ............................................................................................................. 180

Chapter 6 Access Method ............................................................................................................. 188

Web Access ........................................................................................................................... 188

QuickLink ..................................................................................................................... 188

WRM............................................................................................................................. 191

Custom Rewrite............................................................................................................. 194

URL Policy ................................................................................................................... 195

SSO ............................................................................................................................... 198

Proxy ............................................................................................................................. 202

URL Filter ..................................................................................................................... 204

Statistics ........................................................................................................................ 204

Network Access and Array Client......................................................................................... 205

General Settings ............................................................................................................ 205

Netpool .......................................................................................................................... 206

VPN Resource/VPN Resource Group ........................................................................... 225


Speed Tunnel................................................................................................................. 230

VPN Valid Code ........................................................................................................... 232

Mobile VPN .................................................................................................................. 233

Site2Site VPN ............................................................................................................... 242

HTTP Setting Commands ..................................................................................................... 243

File Share .............................................................................................................................. 258

Chapter 7 Web Portal .................................................................................................................... 260

Portal Configuration .............................................................................................................. 260

Portal Customization ............................................................................................................. 272

Portal Custom................................................................................................................ 272

Portal Theme ................................................................................................................. 276

DesktopDirect Integration ..................................................................................................... 280

Application SSO ................................................................................................................... 281

Chapter 8 High Availability ........................................................................................... 282

Cluster ................................................................................................................................... 282

HA (High Availability) ......................................................................................................... 287

General Settings ............................................................................................................ 288

HA Groups .................................................................................................................... 296

Health Check ................................................................................................................. 299

Decision ........................................................................................................................ 309

Chapter 9 WebWall....................................................................................................................... 312

Access List ............................................................................................................................ 312

Access Group ........................................................................................................................ 321

WebWall ............................................................................................................................... 322

Chapter 10 Client Security ............................................................................................................ 324

Chapter 11 System Monitoring ..................................................................................................... 330

Graphic Monitoring............................................................................................................... 330

Logging ................................................................................................................................. 330

General Settings ............................................................................................................ 330

Log Customization ........................................................................................................ 332


Remote Syslog Host ...................................................................................................... 334

Disabling Individual System Log.................................................................................. 337

Log Alert ....................................................................................................................... 337

SNMP Commands................................................................................................................. 338

General Settings ............................................................................................................ 338

SNMP Request .............................................................................................................. 339

SNMP Access Control .................................................................................................. 341

SNMP Traps.................................................................................................................. 342

Troubleshooting Commands ................................................................................................. 344

Debug Commands ................................................................................................................. 346

General Settings ............................................................................................................ 346

Debug Snapshot ............................................................................................................ 347

Debug Trace .................................................................................................................. 348

Debug Usage ................................................................................................................. 352

Debug File Export ......................................................................................................... 352

Debug Monitor .............................................................................................................. 353

Chapter 12 Admin Tools ............................................................................................................... 356

Administrators....................................................................................................................... 356

Admin User and Admin Access .................................................................................... 356

Role-based Privilege Management ............................................................................... 360

Admin AAA .................................................................................................................. 362

System Access ...................................................................................................................... 371

Console Access ............................................................................................................. 371

WebUI Access............................................................................................................... 371

WebUI SSL Settings ..................................................................................................... 373

SSH Access ................................................................................................................... 373

RESTful API Access ..................................................................................................... 376

XML-RPC Access......................................................................................................... 376

System Management ............................................................................................................. 377

System Information ....................................................................................................... 377


System Resource Status ................................................................................................ 379

System License ............................................................................................................. 379

System Reboot and Shutdown ...................................................................................... 379

System Update and Fallback ......................................................................................... 381

System Dump ................................................................................................................ 383

Configuration Management .................................................................................................. 383

Viewing Running Configuration and Startup Configuration ........................................ 383

Configuration Backup ................................................................................................... 384

Configuration Restore ................................................................................... 388

Configuration Clearance ............................................................................................... 391

Configuration Factory Reset ......................................................................................... 392

Configuration Synchronization ..................................................................................... 392

Remote Host Access ............................................................................................................. 395

Chapter 13 Advanced System Operations..................................................................................... 397

RTS ....................................................................................................................................... 397

Bond ...................................................................................................................................... 398

NAT ...................................................................................................................................... 399

HTTP Compression............................................................................................................... 400

Chapter 14 IPv6 Support ............................................................................................................... 404

Chapter 15 DesktopDirect ............................................................................................................. 405

Basic ART Commands.......................................................................................................... 405

Name Resolution ........................................................................................................... 405

ART Instance ........................................................................................................................ 406

ART Users, Groups and Desktops ........................................................................................ 408

ART User ...................................................................................................................... 408

ART Group ................................................................................................................... 409

Desktop Publishing ....................................................................................................... 412

Power Management............................................................................................................... 415

Device Based Identification .................................................................................................. 419

Host SSO ............................................................................................................................... 424


Registration Policies ............................................................................................................. 425

SMX & VMView SSO ......................................................................................................... 426

Replication ............................................................................................................................ 427

Client Package ...................................................................................................................... 428

Application Publishing .......................................................................................................... 428

Terminal Server............................................................................................................. 428

XenApp Definition ........................................................................................................ 434

Association .................................................................................................................... 436

External Providers ................................................................................................................. 438

Data Protection...................................................................................................................... 444

Client Settings ....................................................................................................................... 447

Client Verification................................................................................................................. 461

ART Import and Export ........................................................................................................ 463

Import ............................................................................................................................ 463

Export ............................................................................................................................ 465

Chapter 16 MotionPro................................................................................................................... 467

Basic Commands................................................................................................................... 467

AAA ...................................................................................................................................... 467

Role ....................................................................................................................................... 471

Client Rule ............................................................................................................................ 472

Web Resources...................................................................................................................... 475

Web APP ....................................................................................................................... 475

Native Applications............................................................................................................... 477

MDM..................................................................................................................................... 479

Backup and Restore .............................................................................................................. 481

Import and Export ................................................................................................................. 481

Portal Configuration .............................................................................................................. 483

Synchronization .................................................................................................................... 484

Appendix I System CLI Boundaries ............................................................................................. 486

Appendix II SNMP OID List ........................................................................................................ 492

Chapter 1 CLI Basics


The CLI allows you to configure and control key functions of the AG appliance to better manage
the performance of your servers and the accessibility to the contents therein.

The AG appliance software has been designed with specific enhancements to make interaction
with the Appliance more user friendly, such as Shorthand. Shorthand is the intuitive method by
which the Appliance completes CLI commands based on the first letters entered. Other user
shortcuts are listed below:

Table 1-1 List of Shortcuts

CLI Shortcut   Operation
Ctrl+a/e       Move the cursor to the beginning/end of a line.
Ctrl+f/b       Move the cursor forward/backward one character.
Esc+f          Move the cursor forward one word.
Esc+b          Move the cursor backward one word.
Ctrl+d         Delete the character under the cursor.
Ctrl+k         Delete from the cursor to the end of the line.
Ctrl+u         Delete the entire line.

The AG appliance CLI commands will generally adhere to the following style conventions:

Table 1-2 AG CLI Style Conventions

Style      Convention
Bold       The body of a CLI command is in boldface.
Italic     CLI parameters are in italic.
< >        Parameters in angle brackets < > are mandatory.
[ ]        Parameters in square brackets [ ] are optional, such as the “no”, “show” and “clear” subcommands.
{x|y|…}    Alternative items are grouped in braces and separated by vertical bars. At least one should be selected.
[x|y|…]    Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.

Note:

• It is recommended to enclose a string-type parameter value in double quotes to make sure that the appliance executes the command correctly.

• Do not use “],” in a parameter value, because this two-character combination is reserved as the system’s separator.

For example:

ip address {system_ifname|vlan_ifname|bond_ifname|mnet_ifname} <ip_address> {netmask|prefix}
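A checker for the Table 1-2 syntax notation, written here as an added example (it is not Array Networks code): it splits a typed line using the double-quote rule from the note, rejects any value containing the reserved “],” separator, and matches the remaining tokens against a syntax line such as the ip address example above. The list of which alternatives are parameter names, and the sample set template, are assumptions made for this example, because plain text loses the italic that marks parameters in the handbook.

```python
"""Validate a typed AG CLI line against a syntax line in the handbook's
Table 1-2 notation (added example; not Array Networks code).

Notation handled:
  word      literal keyword (the bold command body)
  <name>    mandatory parameter: matches any single token
  [name]    optional parameter or optional keyword
  {a|b|c}   exactly one alternative is required
  [a|b|c]   one alternative or none
An alternative matches any token when it is a parameter name (the caller
lists these, since italics are lost in plain text); otherwise it must
appear literally.
"""
import re
import shlex

# One notation element per match: <p>, [..], {..}, or a bare word.
_ELEM = re.compile(r"<(\w+)>|\[([^\]]+)\]|\{([^}]+)\}|(\S+)")

# Reserved by the appliance as its separator; must not occur inside a value.
RESERVED_SEPARATOR = "],"

# The handbook's own example; the alternatives are parameter names (assumption).
IP_ADDRESS_SYNTAX = ("ip address {system_ifname|vlan_ifname|bond_ifname|mnet_ifname} "
                     "<ip_address> {netmask|prefix}")
IP_ADDRESS_PARAMS = ("system_ifname", "vlan_ifname", "bond_ifname",
                     "mnet_ifname", "netmask", "prefix")

# Constructed, hypothetical template used only to show optional and quoted parts.
SAMPLE_SYNTAX = "sample set <name> <value> [enable|disable]"


def parse_template(template, param_names=()):
    """Return a list of (alternatives, optional) pairs.

    Each alternative is (text, is_param); a parameter alternative matches any token.
    """
    params = set(param_names)
    elems = []
    for mand_param, bracket, brace, word in _ELEM.findall(template):
        if mand_param:
            elems.append(([(mand_param, True)], False))
        elif brace:
            elems.append(([(a, a in params) for a in brace.split("|")], False))
        elif bracket:
            alts = []
            for a in bracket.split("|"):
                inner = a[1:-1] if a.startswith("<") and a.endswith(">") else a
                alts.append((inner, inner in params or inner != a))
            elems.append((alts, True))
        else:
            elems.append(([(word, False)], False))
    return elems


def tokenize(line):
    """Split a CLI line, honouring double-quoted string values (note 1).

    Raises ValueError for unbalanced quotes or for a value containing the
    reserved "]," separator (note 2).
    """
    tokens = shlex.split(line)
    for t in tokens:
        if RESERVED_SEPARATOR in t:
            raise ValueError('value %r contains reserved separator "],"' % t)
    return tokens


def _match(elems, tokens, i=0, j=0):
    """Backtracking match of tokens[j:] against elems[i:]."""
    if i == len(elems):
        return j == len(tokens)
    alts, optional = elems[i]
    if j < len(tokens):
        for text, is_param in alts:
            if (is_param or tokens[j] == text) and _match(elems, tokens, i + 1, j + 1):
                return True
    # An optional element may be skipped without consuming a token.
    return optional and _match(elems, tokens, i + 1, j)


def check_command(line, template, param_names=()):
    """Return (ok, message) for a typed line checked against a syntax line."""
    try:
        tokens = tokenize(line)
    except ValueError as e:
        return False, str(e)
    if _match(parse_template(template, param_names), tokens):
        return True, "matches %r" % template
    return False, "does not match %r" % template


if __name__ == "__main__":
    for line in ("ip address port1 10.1.1.5 255.255.255.0",   # constructed input
                 "ip address port1 10.1.1.5",
                 'sample set greeting "hello],world"'):
        print(line, "->", check_command(line, IP_ADDRESS_SYNTAX, IP_ADDRESS_PARAMS)
              if line.startswith("ip") else check_command(line, SAMPLE_SYNTAX))
```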


Login to the AG Appliance


After getting connected to the AG appliance successfully via an SSH or Console connection, the
administrator will be prompted for a login username and a password. The default/initial login
username and password are “array” and “admin”.

The AG appliance provides a recovery mechanism for the “array” account that allows
administrators to:

• Recover the password of the “array” account if the password of the “array”
administrator account was changed and the new password has been forgotten.

• Recover the “array” account if it was deleted by mistake.

To recover the password of the “array” account or the entire “array” account, please perform the
following steps:

1. Establish a Console connection with the AG appliance.

2. Input the command “recovery” in the CLI.

3. Copy the challenge string generated by the AG appliance and paste it in an email sent to
Array Networks Customer Support to request the response string. The challenge string is the
string behind “challenge:”, for example “challenge:waker Parma baker galah woke”.

4. Paste the entire response string returned by Array Networks Customer Support behind the
“response:” prompt and press “Enter”. The response string begins with “--begin--” and ends
with “--end--”.

After the preceding steps are performed, if the “array” account exists, the system will reset the
password of the “array” account to “admin” and the access privilege to “Config”; if the “array”
account does not exist, the system will create the “array” account with password “admin” and the
access privilege “Config”.

Levels of Global Access Control


The AG appliance offers three levels for global configuration and access to the ArrayOS. The CLI
prompt of each level consists of the host name of the AG appliance followed by a unique cursor
prompt, either “>”, “#” or “(config)#”.

The first level of administration is the User level. At this level, the administrator is only authorized
to operate some very basic troubleshooting commands and non-critical functions such as ping and
traceroute. Here is how the User level prompt appears in the CLI.

AN>

The second level of administration is the Enable level. At this level, administrators have (in
addition to User level permissions) access to a majority of view-only commands such as “show
version”. In order to gain access to this level of appliance management, the user must run the
“enable” command and supply a special “enable” password. If the correct password is entered, the
CLI prompt will change from “AN>” to “AN#”, which means the administrator has been granted
access to the Enable level. The default password for the Enable level is null (i.e., leave the
password blank/empty).

AN>enable
Enable password:
AN#

The third level of administration is the Config level. At this level, the administrator can make
changes to the configuration of the AG appliance (in addition to all User and Enable level
permissions). No two administrators can access the Config level at the same time (whether they
are in global or virtual site shell). To gain full configuration access of the AG appliance, the
administrator must use the following command:

AN#config terminal

Once this command is entered, the CLI prompt will change to:

AN(config)#

In the event that another administrator is already in the Config level, the following command can
be run to kick that administrator out of Config level:

AN#admin reset configmode

At any level, the administrator can type “?” to view the currently available commands. For
example, entering “AN(config)#system ?” will display all the commands starting with “system” in
the Config level.

AN(config)#system ? [enter]
command Set command execution timeout when loading configurations
component Component update commands
console Console operation
date Set system date
dump Determine whether system should do sysdump when panic
fallback Set fallback software version to boot if available
flexlicense Disable/enable Array Appliance pre-paid Flex License
interactive Set system interactive mode to control command output messages
license Setting Appliance License Key
mail System mail configuration
reboot Reboot the system
shutdown Shut down system

2000-2018 Array Networks, Inc.


3
All Rights Reserved.
Chapter 1 CLI Basics

Levels of Virtual Site Access Control


For virtual sites, the AG appliance offers three levels of administrative access control. The CLI
prompt of each level consists of the virtual site name followed by a unique cursor prompt, either
“%”, “$” or “(config)$”.

The first level of administration is the User level. At this level, administrators are only authorized
to operate some very basic commands. Here is how the User mode prompt appears in the CLI.

vs1%

The second level of administration is the Enable level. At this level, administrators have access to
a majority of view only commands such as “show user”. The cursor will display the
pre-configured name of the virtual site followed by “$” as such.

vs1$

The third level of administration is the Config level. At this level, administrators can make
changes to the configuration of the virtual site. No two administrators can access the Config level
at the same time (whether they are in global or virtual site shell). To gain full configuration access
for a specific virtual site of the AG appliance, the administrator must run the following command:

vs1$config terminal

Once this command is entered, the CLI prompt will change to:

vs1(config)$

Note: Global administrators have the ability to access all virtual sites as well as the global
configuration features and functionality.

Switching Between Global and Virtual Site


The AG appliance allows the administrator to switch between the global scope and the virtual site
scope via the following command:

switch <global|virtual_site_name> [enable|config]

For example, the administrator can switch from global scope to vs1 scope (e.g., a virtual site
named “vs1”) by running the following command:

AN#switch vs1

Once this command is entered, the CLI prompt will change to:

vs1$

To switch back to the global scope, the administrator can run the following command:

vs1$switch global

2000-2018 Array Networks, Inc.


4
All Rights Reserved.
Chapter 1 CLI Basics

Once this command is entered, the CLI prompt will change to:

AN#

By default, when switching between the global scope and virtual site scope the administrator
privilege level (e.g., Enable level or Config level) will stay the same. However, if the
“enable|config” parameter is specified during the switch, the administrator’s privilege level will be
explicitly set accordingly.

For example, the administrator executes the following command:

AN#switch vs1 config

Once this command is entered, the CLI prompt will change to:

vs1(config)$

2000-2018 Array Networks, Inc.


5
All Rights Reserved.
Chapter 2 Basic System Operations

Chapter 2 Basic System Operations


The commands introduced in this chapter cover some general operations such as basic system
setup, network settings and system tuning.

Basic Commands
help
This command is used to display all available commands based on level and function. This
command can be executed at any level while configuring the AG appliance.

enable [recovery]
This command is used to access the Enable level of the AG appliance. When running this
command, the system will prompt the administrator to supply the Enable level password. The
default password is null (empty).

If the administrator forgets the Enable password, he can reset the password to the default null
(empty) value as follows:

1. Enter “enable recovery” at the User level prompt.

2. A challenge string will be displayed.

3. Email the challenge string to Customer Support at [email protected].

4. The response code will be returned via email by the Customer Support personnel.

5. Copy and paste the response code into the CLI, and press “Enter”. The Enable level password
will then be reset to empty.

passwd enable [password]


This command is used to change the “Enable” password.

password Optional. This parameter specifies the new “Enable” password. Its
value must be a string of 1 to 8 characters. The default password is
empty.

Note: If the new “Enable” password contains “%”, the administrator needs to use “%%” in
place of each “%” when entering the password value to access the system via the WebUI.

configure terminal
This command is used for switching to the “Config” access mode.

admin reset configmode


This command is used to terminate all “Config” mode administrator sessions.

2000-2018 Array Networks, Inc.


6
All Rights Reserved.
Chapter 2 Basic System Operations

configure timeout <timeout>


This command is used to set the administrator “Config” mode timeout limit. The timeout value is
measured in seconds ranging from 30 to 36,000. The default setting is 180 seconds. This limit
determines the length of time that an active “Config” session will remain active even when other
administrators are attempting to switch to the “Config” mode at the same time. Once the active
“Config” session has been active for longer than the “timeout” limit, the next request for “Config”
mode access will be granted and the current active “Config” mode session will be terminated.
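The following Python model, added here as an illustration and not ArrayOS code, walks through the Config-mode lock semantics described above: a single holder, preemption only once the holder’s session has been active for longer than the “configure timeout” value, and an unconditional reset by “admin reset configmode”. The administrator names and the simulated clock are constructed for the example.

```python
"""Model of the AG "Config" mode lock (added example, not ArrayOS code).

Only one administrator may hold the Config level at a time. A second request
is refused until the holder's session has been active for longer than the
"configure timeout" value (30..36,000 s, default 180 s); then the request is
granted and the previous session is terminated. Time is passed in by the
caller so the logic can be exercised without a real clock.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_TIMEOUT = 180
MIN_TIMEOUT, MAX_TIMEOUT = 30, 36_000


@dataclass
class ConfigLock:
    timeout: int = DEFAULT_TIMEOUT
    holder: Optional[str] = None
    since: float = 0.0                      # when the holder entered Config level
    evicted: List[Tuple[str, float]] = field(default_factory=list)  # audit trail

    def set_timeout(self, seconds: int) -> None:
        """'configure timeout <timeout>': reject values outside the documented range."""
        if not MIN_TIMEOUT <= seconds <= MAX_TIMEOUT:
            raise ValueError(f"timeout must be {MIN_TIMEOUT}..{MAX_TIMEOUT} seconds")
        self.timeout = seconds

    def clear_timeout(self) -> None:
        """'clear config timeout': back to the 180 s default."""
        self.timeout = DEFAULT_TIMEOUT

    def request(self, admin: str, now: float) -> bool:
        """'configure terminal' issued by `admin` at time `now`; True when granted.

        The limit is measured from when the current holder entered Config level,
        not from its last keystroke, so an actively working holder can still be
        preempted once the limit has elapsed.
        """
        if self.holder == admin:
            return True
        if self.holder is not None and now - self.since <= self.timeout:
            return False
        if self.holder is not None:
            self.evicted.append((self.holder, now))   # previous session terminated
        self.holder, self.since = admin, now
        return True

    def reset_configmode(self, now: float) -> None:
        """'admin reset configmode': terminate the active Config session unconditionally."""
        if self.holder is not None:
            self.evicted.append((self.holder, now))
        self.holder = None


def demo() -> dict:
    """Replay the documented behaviour with a simulated clock (constructed admins)."""
    lock = ConfigLock()
    first = lock.request("alice", now=0)       # granted: nobody holds the lock
    early = lock.request("bob", now=100)       # refused: alice active for 100 s <= 180 s
    late = lock.request("bob", now=181)        # granted: alice's session is terminated
    lock.reset_configmode(now=200)             # bob forced out
    after_reset = lock.request("carol", now=201)
    return {"first": first, "early": early, "late": late,
            "after_reset": after_reset, "evicted": [a for a, _ in lock.evicted]}


if __name__ == "__main__":
    print(demo())
```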

show config timeout


This command is used to display the configured timeout limit.

clear config timeout


This command is used to reset the configured timeout limit to the default setting of 180 seconds
(or 3 minutes).

disable
This command is used to return to the User mode from the current privileged mode.

exit
This command is used to return to the next lower-level mode from the current privileged mode. If
the current mode is the User mode, this command will kick the administrator out of the CLI shell
system.

quit
This command is used to leave the CLI shell system from any level.

show tech [message]


This command is used to display real-time statistics of the current running system and network.

message This parameter defines the system message to be displayed.

show system warning


This command is used to check the instant system warning message.

When the yellow LED on the appliance is activated, the administrator can execute this command
to check whether one of the following errors is causing the problem:

1. The CPU fan stopped working.

2. The CPU overheated.

3. The system overheated.

4. One of the dual power supplies failed (If redundant power supply applies to the appliance).

2000-2018 Array Networks, Inc.


7
All Rights Reserved.
Chapter 2 Basic System Operations

Note: Once the error has been resolved, the warning message will be cleared, but it can still be
traced in the system logs.

show statistics tcp


This command is used to display the number of TCP connections based on state:

AN#show statistics tcp


LISTEN: 1
SYN_SENT: 0
SYN_RCVD: 0
ESTABLISHED: 0
CLOSE_WAIT: 0
FIN_WAIT_1: 0
CLOSING: 0
LAST_ACK: 0
FIN_WAIT_2: 0
TIME_WAIT: 432

Compared with the “show memory” output, the “TIME_WAIT” value is the same as the “USED”
TCP small pcb count. All the other states, from “LISTEN” through “FIN_WAIT_2”, add up to the
“USED” TCP pcb count.
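As an added example (not ArrayOS code), the following Python parser reads “show statistics tcp” output, derives the two “USED” figures described above, and flags two conditions an operator would want to notice. The sample output is constructed from the listing shown here, and the thresholds are assumed values.

```python
"""Parse 'show statistics tcp' output and derive the pcb totals described above.

Added example, not ArrayOS code. SAMPLE is constructed from the listing on this
page; the thresholds in health_checks() are assumptions for illustration.
"""
import re

SAMPLE = """\
LISTEN: 1
SYN_SENT: 0
SYN_RCVD: 0
ESTABLISHED: 0
CLOSE_WAIT: 0
FIN_WAIT_1: 0
CLOSING: 0
LAST_ACK: 0
FIN_WAIT_2: 0
TIME_WAIT: 432
"""

STATES = ("LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED", "CLOSE_WAIT",
          "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2", "TIME_WAIT")
LINE = re.compile(r"^\s*([A-Z_0-9]+):\s*(\d+)\s*$")


def parse_tcp_stats(text: str) -> dict:
    """Return {state: count}; unknown, malformed or missing states raise instead of being dropped."""
    counts = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if not m or m.group(1) not in STATES:
            raise ValueError(f"unexpected line: {raw!r}")
        counts[m.group(1)] = int(m.group(2))
    missing = [s for s in STATES if s not in counts]
    if missing:
        raise ValueError(f"missing states: {missing}")
    return counts


def pcb_usage(counts: dict) -> dict:
    """Map the per-state counts onto the two 'show memory' figures named in the text."""
    return {
        "used_tcp_small_pcb": counts["TIME_WAIT"],
        "used_tcp_pcb": sum(v for s, v in counts.items() if s != "TIME_WAIT"),
    }


def health_checks(counts: dict, syn_rcvd_limit: int = 1000,
                  time_wait_limit: int = 50000) -> list:
    """Flag conditions worth an operator's attention (limits are assumed values).

    A SYN_RCVD backlog larger than the established count means half-open
    connections are piling up; TIME_WAIT growth eats the small pcb pool.
    """
    findings = []
    if counts["SYN_RCVD"] > syn_rcvd_limit and counts["SYN_RCVD"] > counts["ESTABLISHED"]:
        findings.append("half-open (SYN_RCVD) backlog exceeds established sessions")
    if counts["TIME_WAIT"] > time_wait_limit:
        findings.append("TIME_WAIT count high: small pcb pool under pressure")
    return findings


if __name__ == "__main__":
    c = parse_tcp_stats(SAMPLE)
    print(pcb_usage(c), health_checks(c))
```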

hostname <host_name>
This command is used to set or change the given host name for an AG appliance.

host_name This parameter defines the host name of the AG appliance. The host
name can be entered as a single set of continuous alphanumeric
characters or a set of alphanumeric characters housed within double
quotation marks. Currently, the maximum length for the host name
is 64 characters.

show hostname
This command is used to display the given host name for an AG appliance.

no hostname
This command is used to clear an AG appliance’s host name. After the host name is cleared, the
default name “AN” will be used as the host name.

system mail from <from_string>


The AG appliance can be configured to send out emails for certain events (e.g., URL filtering,
logging alerts,…,etc.). This command is used to configure the value of the “From” header in the
mail being sent out. The default value for the “from_string” parameter is “%h [email protected]”.

2000-2018 Array Networks, Inc.


8
All Rights Reserved.
Chapter 2 Basic System Operations

% An escape character in both strings.

%h Full host name defined by the “hostname” command.

%q Double quote (“”).

%% A literal percent.

no system mail from


This command is used to reset the “From” header to the default value of “%h [email protected]”
(see the previous CLI command above).

system mail hostname <host_name>


The AG appliance can be configured to send out emails for certain events (e.g., URL filtering,
logging alerts,…,etc.). This command is used to configure the value of the host name from which
the mail is recorded as sent. The default value for “host_name” parameter is
“%l.alert_pseudo_domain”.

host_name This parameter defines the SMTP EHLO/HELO host name.

no system mail hostname


This command is used to reset the SMTP EHLO/HELO host name to the default value of
“%l.alert_pseudo_domain” (see the previous CLI command above).

show system mail


This command is used to display system mail configuration.

clear system mail


This command is used to clear the system mail configuration.

system mail relay server <host_name> <relay_server>


This command allows the administrator to create a new system mail relay server.

host_name This parameter specifies the assigned name of the relay host.

relay_server This parameter specifies the IP address or the server name.

no system mail relay server <host_name>


This command is used to delete a system mail relay server.

host_name This parameter specifies the assigned name of the relay host.

2000-2018 Array Networks, Inc.


9
All Rights Reserved.
Chapter 2 Basic System Operations

system mail relay {on|off}


This command is used to enable/disable the system mail relay service. The following CLI example
shows how to set up a mail relay server.

AN(config)#system mail relay server “arraynetworks.com.cn” “relay.com”
AN(config)#system mail relay on

The AG appliance will send emails using “relay.com” with the host name of
“arraynetworks.com.cn”. Please note that the “relay.com” server must be reachable by the AG
appliance.

show system relay


This command is used to display the configuration and status of the relay service.

clear system relay


This command is used to remove all the relay servers and disable mail relay service.

system interactive on
This command is used to enable CLI command interactive mode. When interactive mode is on,
more command result messages will be displayed.

system interactive off

This command is used to disable CLI command interactive mode. When interactive mode is off,
fewer command result messages will be displayed.

show system interactive


This command is used to display the current system interactive setting (on|off).

system command timeout <timeout>


This command is used to set the command execution timeout when the system boots up or users
execute the “config file|config memory” command. Fastlog and syslog will log the timeout
command for troubleshooting.

timeout This parameter specifies the timeout value in seconds. Its value
should be 0 or an integer ranging from 30 to 65,535. The default
value is 0.

show system command timeout


This command is used to display the command execution timeout value.

switch <virtual_site> [enable|config]


This command is used to switch between the global scope and a target virtual site scope, or
between two virtual site scopes.

2000-2018 Array Networks, Inc.


10
All Rights Reserved.
Chapter 2 Basic System Operations

virtual_site This parameter specifies the name of the virtual site that the
administrator wants to switch to. To switch to the global scope, set
this parameter to “global”.

enable|config This parameter specifies the desired access level when switching to
the target virtual site scope. If this parameter is not specified, then
the current access level will be assumed.

who [virtual_site]
This command is used to display the active administrators in the target virtual site. If the
“virtual_site” parameter is not specified, all active administrators will be displayed.

virtual_site This parameter selects a specific virtual site.

whoami
This command is used to display the current administrator's information.

configure terminal
This command is used to gain access to the Config level to configure the AG appliance.

show statistics cpu


This command is used to display the system CPU usage.

show statistics system


This command is used to display the system CPU, connection and request per second statistics.

show statistics memory


This command is used to display the memory usage statistics.

clear synconfig status


This command is used to delete all synchronous logs for rollback.

system flexlicense {enable|disable}


This command is used to enable or disable the Array appliance pre-paid flex license.

no system license flex


This global command is used to delete the Array Networks Flex License Key.

system serialnumber
This command is used to generate vxAG’s serial number. Please provide the vxAG serial number
to the support team to obtain the system license.

2000-2018 Array Networks, Inc.


11
All Rights Reserved.
Chapter 2 Basic System Operations

Note:

• When the vxAG is installed in your virtual environment and started up for the first time, the
system will automatically generate a serial number for the vxAG.

• Under certain circumstances, the serial number on the vxAG may be invalid, for example the
serial number on a cloned vxAG. In this case, run this command to manually generate a valid
serial number.

• It is not recommended to downgrade the vxAG to an earlier version after a serial number has
been generated.

registration set <registration_status>


This command is used to set the registration status of the AG appliance as “incomplete”,
“complete” or “never”.

registration_status
This parameter sets the registration status of the AG appliance as
“incomplete”, “complete” or “never”. “incomplete” indicates that
you will register later, “complete” indicates that you will register
now and “never” indicates to never register.

registration status
This command is used to display the registration status of the AG appliance, which is
“incomplete”, “complete” or “never”.

Basic Network Settings


ip address {system_ifname|vlan_ifname|bond_ifname|mnet_ifname}
<ip_address> {netmask|prefix}
This command is used to set the IP address and netmask or prefix length of the system interface,
VLAN interface or bond interface or MNET interface.

system_ifname|vlan_ifname|bond_ifname|mnet_ifname
This parameter specifies the name of the existing interface. Its value must be:

• system_ifname: indicates a system interface. The default system interface name is “port1”,
“port2”, “port3” or “port4”. The system interface name can be customized by using the
“interface name” command.

• vlan_ifname: indicates a VLAN interface.

• bond_ifname: indicates a bond interface. The default bond interface names are “bond1”,
“bond2”, “bond3” and “bond4”. The bond interface name can be customized by using the “bond
name” command.

• mnet_ifname: indicates a MNET interface.

ip_address This parameter specifies the IP address of the interface. Its value must be an IPv4 or
IPv6 address.

netmask|prefix This parameter specifies the netmask or prefix length of the interface IP address.

• “netmask” is used for an IPv4 address. Its value must be a dotted IP address or an integer
ranging from 0 to 32.

• “prefix” is used for an IPv6 address. Its value must be an integer ranging from 0 to 128.

Example:

AN(config)#ip address port1 209.120.10.1 255.255.255.0
AN(config)#ip address port2 2012:1030::10:3:40:32 64

no ip address <interface_name> [version]


This command is used to delete the IP address from the specified interface.

interface_name This parameter specifies the name of the existing interface.

version Optional. This parameter specifies the version of the IP protocol. Its value must be:

• 4: indicates the IPv4 protocol.

• 6: indicates the IPv6 protocol.

The default value is 4.

show ip address
This command is used to display the IP-related configurations of all interfaces.

clear ip address
This command is used to clear all the IP-related configurations of all interfaces.

ip arp <ip> <mac_address>


This command is used to create an ARP entry.

ip This parameter specifies the IP address.

mac_address This parameter specifies the MAC address. The MAC address should follow the
format “XX:XX:XX:XX:XX:XX”.

no ip arp <ip_address>
This command is used to delete an ARP entry.

ip_address This parameter specifies the IP address.

clear ip arp
This command is used to clear all ARP entries.

show ip arp <ip_address>

This command is used to display ARP entries.

ip_address This parameter specifies the IP address.

ip dhcp {on|off} <interface_name>


This command is used to enable or disable the DHCP function for the specified system interface.
After this function is enabled, the specified system interface will obtain the IP address from the
DHCP server automatically. By default, this function is disabled.

interface_name This parameter specifies an existing system interface name. The system interface
name can be set by using the “interface name” command. The default system interface name is
port1, port2, port3, port4, etc.

show ip dhcp
This command is used to display the DHCP status of all system interfaces.

ip route default <gateway_ip>


This command is used to set the default gateway IP address for the AG appliance. Only one
default route can be configured for IPv4 address, and one for IPv6 address.

gateway_ip This parameter assigns the gateway IP address. It can be an IPv4 or IPv6 address.

no ip route default <gateway_ip>


The command is used to remove the default IP route from the AG appliance.

gateway_ip This parameter specifies the gateway IP address.

2000-2018 Array Networks, Inc.


14
All Rights Reserved.
Chapter 2 Basic System Operations

ip route static <destination_ip> {netmask|prefix} <gateway_ip>


This command is used to add static route as used by the AG appliance. Multiple static routes are
permitted to be configured.

destination_ip This parameter specifies the destination IP address. It can be an IPv4 or IPv6
address. Typically it is a network IP address.

netmask|prefix This parameter specifies the netmask or prefix length of the destination IP address.

• “netmask” is used for an IPv4 address. Its value should be a dotted IP address.

• “prefix” is used for an IPv6 address. Its value should range from 0 to 128.

gateway_ip This parameter specifies the gateway IP address.

no ip route static <destination_ip> {netmask|prefix} <gateway_ip>


This command is used to remove the static route from the running configuration.

destination_ip This parameter specifies the destination IP address.

netmask|prefix This parameter specifies the netmask or prefix length of the destination IP address.

gateway_ip This parameter specifies the gateway IP address.

show ip route
This command is used to display the static routing table.

clear ip route
This command is used to remove both default route and static routes.

show statistics droute


This command is used to display the Direct Route statistics.

clear statistics droute


This command is used to clear the Direct Route statistics.

clear droute
This command is used to clear all the Direct Route statistics.

show statistics ip [ip_address]

This command is used to display the gathered information for the specific IP address. If no IP
address is assigned, this command displays all relevant statistics for all configured IP addresses.

ip_address Optional. This parameter specifies a single IP address. It can be an IPv4 or IPv6
address.

clear statistics ip [ip_address]

This command will clear the statistics for a specific IP address. If no IP address is assigned, this
command will clear all.

ip_address Optional. This parameter specifies a single IP address. It can be an IPv4 or IPv6
address.

interface mtu <interface_id> <mtu_size>


This command is used to set the largest frame size that can be transmitted over the network.

interface_id This parameter specifies the interface ID of a specific physical interface on the AG
appliance (e.g., “port1”, “port2”, “port3”, “port4”,…“port8”).

mtu_size This parameter specifies the MTU (Maximum Transmission Unit) size preference. This is
the largest frame size that can be transmitted over the network. The default size is 1,500 bytes.
Each interface used by TCP/IP can have different MTU values.

interface name <interface_id> <interface_name>

This command is used to set the interface name.

interface_id This parameter specifies the default interface ID (e.g., “port1”, “port2”, “port3”,
“port4”,…“port8”) for the physical interfaces on the AG appliance. The number of the physical
interfaces supported by the AG appliance depends on the appliance model. At most 14 interfaces
are supported now.

interface_name This parameter specifies a unique name for the physical interface. This name
should be an alphanumeric string of up to 32 characters. The default interface names are “port1”,
“port2”, “port3”, “port4”,…“port8”.

interface speed <interface_id> <speed_option>


This command is used to set the interface speed. The interface speed of a 10G port can only be set
to “auto”.

interface_id This parameter specifies the interface ID of a specific physical interface on the AG
appliance (e.g., “port1”, “port2”, “port3”, “port4”,…“port8”).

speed_option This parameter can be 10half (10 Mbps Ethernet half duplex communications),
100half (100 Mbps Ethernet half duplex communications), 100full (100 Mbps full duplex
communications), 1,000full (1,000 Mbps Ethernet full duplex communications) or auto.

Note: The AG appliance sets the interface speeds to auto by default. If any interface is
setup to be connected to a device, such as a router or switch with a specific speed and
duplex mode, users will need to set the AG appliance to match those requirements. Run
the “show interface” command to view the current speed settings.

show interface [interface_name]


This command is used to display the statistical information for all the system interfaces. If a
specific interface name is specified, the system will only display the statistical information for that
interface.

interface_name This parameter specifies the interface ID of a specific physical interface on the AG
appliance (e.g., “port1”, “port2”, “port3”, “port4”,…“port8”).

Note: If the IP statistics function is off, the number of the WebWall permit or drop
packages will be 0 in the output of “show interface” command. The IP statistics function
is disabled by default. But, you can enable it via the “ip statistics on” command.

show route match <source_ip> <source_port> <destination_ip> <destination_port> <protocol>

This command is used to display a specific route which matches the given conditions.

source_ip This parameter specifies the source IP address.

source_port This parameter specifies the source port.

destination_ip This parameter specifies the destination IP address.

destination_port This parameter specifies the destination port.

protocol This parameter specifies the protocol. It can be set to “tcp”, “udp”
or “any”.

2000-2018 Array Networks, Inc.


17
All Rights Reserved.
Chapter 2 Basic System Operations

clear interface name


This command is used to reset all the interface names to the default.

clear interface speed {interface_id|all}


This command is used to restore the specified interface’s speed and duplex mode. “all” means all
the interfaces.

interface_id This parameter specifies the interface ID of a specific physical interface on the AG
appliance (e.g., “port1”, “port2”, “port3”, “port4”,…“port8”).

clear interface mtu {interface_id|all}

This command is used to remove the specified interface’s MTU size limit. “all” means all the
interfaces.

interface_id This parameter specifies the interface ID of a specific physical interface on the AG
appliance (e.g., “port1”, “port2”, “port3”, “port4”,…“port8”).

no interface name <interface_id>

This command is used to reset the specified interface name to the default.

interface_id This parameter specifies the interface ID of a specific physical interface on the AG
appliance (e.g., “port1”, “port2”, “port3”, “port4”,…“port8”).

ip statistic {on|off}
This command is used to enable/disable the IP statistics.

show ip statistic
This command is used to display IP statistics.

ip ipflow {on|off}
This command is used to enable/ disable the IP flow.

ip ipflow expire <time>


This command is used to define the IP flow timeout.

time This parameter defines the expiration time. It can be set between 1
to 86,400 seconds. The default value is 60 seconds.

ip ipflow priority <priority>

This command is used to define the IP flow priority.

priority This parameter defines the IP flow priority. It can be set from 0 to 1999 seconds. The
default value is 1,000.

clear ip ipflow
This command is used to reset the IP flow settings to their default.

show ip ipflow
This command is used to display the IP flow settings.

show statistics ipflow


This command is used to display the IP Flow statistics.

clear statistics ipflow


This command is used to clear the IP Flow statistics.

ip mcastfwd <interface_name> <multicast_ip>


This global command is used to configure a multicast IP address to which the specified interface
listens. The multicast IP address represents a multicast group, a group of interested hosts for
receiving multicast traffic.

interface_name This parameter specifies the name of an existing interface. Its value must be a
system or bond interface.

multicast_ip This parameter specifies a multicast IP address. Its value must be an IPv4 address
ranging from 224.0.0.0 to 239.255.255.255.

Note: With a multicast IP address configured, the AG appliance can listen to and receive the
multicast traffic destined for the multicast group represented by the multicast IP address.
Otherwise, all multicast packets will be discarded.

vlan <interface_name> <vlan_interface_name> <vlan_tag>


This command is used to create a VLAN (Virtual Local Area Network) interface for the specified
system interface or bond interface. The AG appliance supports up to 250 VLAN interfaces.

interface_name This parameter specifies the interface ID of a specific physical interface on the AG
appliance (e.g., “port1”, “port2”, “port3”, “port4”,…“port8”). Its value should be a string of 1 to
32 characters.

vlan_interface_name This parameter specifies a name for the VLAN interface. Its value should be a
string of 1 to 32 characters.

vlan_tag This parameter specifies an ID (integer from 1 to 4,094) for the VLAN interface.
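As an added example (not ArrayOS or Array Networks code), the following Python checker applies the argument rules documented in this chapter for “ip address”, “ip route default”, “ip route static”, “ip mcastfwd” and “vlan” to the lines of a saved configuration, so that out-of-range values are caught before they reach the appliance. The sample configuration is constructed; the contiguity check on dotted netmasks and the acceptance of an integer prefix for static routes are assumptions of this example.

```python
"""Offline range/syntax checker for the Basic Network Settings commands on this page.

Added example, not ArrayOS code. Lines that are not one of the handled commands
are ignored, so the checker can be pointed at a whole saved configuration.
"""
import ipaddress

MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.0 .. 239.255.255.255


def parse_mask(addr, mask):
    """Return the prefix length for a netmask|prefix argument, per the rules above.

    IPv4: dotted netmask or integer 0..32.  IPv6: integer 0..128.
    The contiguity requirement on dotted netmasks is an assumption of this example.
    """
    if addr.version == 4:
        if mask.isdigit():
            n = int(mask)
            if 0 <= n <= 32:
                return n
            raise ValueError(f"IPv4 prefix {mask} not in 0..32")
        bits = int(ipaddress.IPv4Address(mask))
        ones = bin(bits).count("1")
        if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
            raise ValueError(f"netmask {mask} is not contiguous")
        return ones
    if not mask.isdigit() or not 0 <= int(mask) <= 128:
        raise ValueError(f"IPv6 prefix {mask} not in 0..128")
    return int(mask)


def check_line(line):
    """Return None when the line passes, or a string describing the problem."""
    tok = line.split()
    try:
        if tok[:2] == ["ip", "address"] and len(tok) == 5:
            parse_mask(ipaddress.ip_address(tok[3]), tok[4])
        elif tok[:3] == ["ip", "route", "default"] and len(tok) == 4:
            ipaddress.ip_address(tok[3])
        elif tok[:3] == ["ip", "route", "static"] and len(tok) == 6:
            dst = ipaddress.ip_address(tok[3])
            plen = parse_mask(dst, tok[4])
            gw = ipaddress.ip_address(tok[5])
            if gw.version != dst.version:
                return "gateway and destination address families differ"
            # "typically a network IP address": reject a destination with host bits set
            ipaddress.ip_network(f"{dst}/{plen}", strict=True)
        elif tok[:2] == ["ip", "mcastfwd"] and len(tok) == 4:
            grp = ipaddress.ip_address(tok[3])
            if grp.version != 4 or grp not in MULTICAST:
                return f"{tok[3]} is not in 224.0.0.0-239.255.255.255"
        elif tok[:1] == ["vlan"] and len(tok) == 4:
            if not tok[3].isdigit() or not 1 <= int(tok[3]) <= 4094:
                return f"VLAN tag {tok[3]} not in 1..4094"
            if not 1 <= len(tok[2]) <= 32:
                return "VLAN interface name must be 1 to 32 characters"
        return None
    except ValueError as e:
        return str(e)


def lint(config_text):
    """Return [(line_no, line, problem)] for every offending line."""
    out = []
    for n, line in enumerate(config_text.splitlines(), 1):
        problem = check_line(line.strip())
        if problem:
            out.append((n, line.strip(), problem))
    return out


# Constructed sample; the first six lines are valid, the last four each carry one error.
SAMPLE_CONFIG = """\
ip address port1 209.120.10.1 255.255.255.0
ip address port2 2012:1030::10:3:40:32 64
ip route default 209.120.10.254
ip route static 10.0.0.0 255.255.0.0 209.120.10.254
ip mcastfwd port1 239.1.1.1
vlan port1 vlan10 10
ip address port3 192.0.2.1 255.255.0.255
ip route static 10.0.1.0 255.255.255.0 2012:1030::1
ip mcastfwd port1 240.0.0.1
vlan port1 vlan5000 5000
"""

if __name__ == "__main__":
    for n, line, problem in lint(SAMPLE_CONFIG):
        print(f"line {n}: {line!r}: {problem}")
```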

no vlan <vlan_interface_name>
This command is used to delete the specified VLAN interface.

show vlan
This command is used to display the configuration for all VLAN interfaces.

clear vlan
This command is used to remove the configurations for all VLAN interfaces.

no connection [local_ip] [local_port] [remote_ip] [remote_port]


This command is used to manually delete the specific connection(s).

local_ip This parameter specifies the connections’ local IP address. This parameter is optional, and
the default value is “0.0.0.0”.

local_port This parameter specifies the connections’ local port. This parameter is optional, and the
default value is “0”.

remote_ip This parameter specifies the connections’ remote IP address. This parameter is optional,
and the default value is “0.0.0.0”.

remote_port This parameter specifies the connections’ remote port. This parameter is optional, and
the default value is “0”.

show connection [protocol] [type] [ip_address]


This command is used to display the system's user connections.

protocol Optional. This parameter specifies which protocol connections to


show. It can be set to “tcp” (the default), “udp” or “all”.

type Optional. This parameter can be set to “data” (the default) or


“count”. If it is set to “data”, the AG appliance will display detailed
information. If it is set to “count”, the AG appliance will display the
count of connections.

ip_address Optional. This parameter specifies the local or remote IP address for which the
related connections will be shown. It can be an IPv4 or IPv6 address.
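The two commands above, as an added Python model of how their optional arguments select
connections; this is example code, not ArrayOS code. It assumes, which the handbook does not
state, that the defaults “0.0.0.0” and “0” act as wildcards, so that “no connection” with no
arguments would select every connection. The connection table is constructed sample data using
private and documentation addresses.

```python
"""Connection-table filter modelling "show connection [protocol] [type] [ip_address]"
and "no connection [local_ip] [local_port] [remote_ip] [remote_port]".
Added example, not Array Networks code.
Assumption (not stated by the handbook): the defaults 0.0.0.0 and 0 act as wildcards."""

from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Conn:
    proto: str          # "tcp" or "udp"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


# Constructed sample table (RFC 1918 / documentation addresses only).
SAMPLE_TABLE = [
    Conn("tcp", "10.0.0.1", 443, "192.0.2.10", 51000),
    Conn("tcp", "10.0.0.1", 443, "192.0.2.11", 51001),
    Conn("tcp", "10.0.0.1", 22, "192.0.2.12", 51002),
    Conn("udp", "10.0.0.1", 53, "192.0.2.10", 40000),
    Conn("tcp", "2001:db8::1", 443, "2001:db8::99", 52000),
]


def show_connection(table, protocol="tcp", type_="data", ip_address=None) -> Union[List[Conn], int]:
    """Return the matching connections ("data") or only their number ("count").

    Defaults follow the handbook: protocol "tcp", type "data". ip_address matches
    either the local or the remote side, so both IPv4 and IPv6 literals work.
    """
    if protocol not in ("tcp", "udp", "all"):
        raise ValueError("protocol must be tcp, udp or all")
    if type_ not in ("data", "count"):
        raise ValueError("type must be data or count")
    rows = [
        c for c in table
        if (protocol == "all" or c.proto == protocol)
        and (ip_address is None or ip_address in (c.local_ip, c.remote_ip))
    ]
    return len(rows) if type_ == "count" else rows


def no_connection(table, local_ip="0.0.0.0", local_port=0, remote_ip="0.0.0.0", remote_port=0):
    """Return the table with the selected connections removed.

    Each field is matched exactly unless it is left at its default, which this
    example treats as a wildcard (assumption).
    """
    def selected(c):
        return ((local_ip == "0.0.0.0" or c.local_ip == local_ip)
                and (local_port == 0 or c.local_port == local_port)
                and (remote_ip == "0.0.0.0" or c.remote_ip == remote_ip)
                and (remote_port == 0 or c.remote_port == remote_port))

    return [c for c in table if not selected(c)]


if __name__ == "__main__":
    print(show_connection(SAMPLE_TABLE, type_="count"))
    print(show_connection(SAMPLE_TABLE, protocol="all", ip_address="192.0.2.10"))
    print(len(no_connection(SAMPLE_TABLE, local_port=443)))
```

Because the wildcard defaults make an argument-less “no connection” very broad, the model is
also a reminder to pass the narrowest filter that identifies the sessions you actually want to
tear down.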

mnet {system_ifname|bond_ifname} <mnet_interface_name>
This command is used to create a Multi-Netting (MNET) interface on the specified system
interface or bond interface. ArrayOS supports creating at most 32 MNET interfaces.

system_ifname|bond_ifname This parameter specifies the name of the existing interface. Its value
must be:

 system_ifname: indicates a system interface. The default system interface name is
“port1”, “port2”, “port3” or “port4”. The system interface name can be customized by using
the “interface name” command.

 bond_ifname: indicates a bond interface. The default bond interface names are “bond1”,
“bond2”, “bond3” and “bond4”. The bond interface name can be customized by using the
“bond name” command.

mnet_interface_name This parameter specifies the name of the MNET interface. Its value must be
a string of 1 to 32 characters.

no mnet <mnet_ifname>
This command is used to delete a specified MNET interface.

show mnet
This command is used to display the configurations of all MNET interfaces.

clear mnet
This command is used to clear the configurations of all MNET interfaces.

DNS Settings
ip dns cache {on|off}
This global command is used to enable/disable the DNS cache. The default value is off.

ip dns cache expire <min_seconds> <max_seconds>
This global command is used to configure the DNS cache expiration time. If the TTL (Time to
Live) of a DNS response is shorter than “min_seconds”, the entry expires after “min_seconds”;
if it is longer than “max_seconds”, the entry expires after “max_seconds”. The default value
for “min_seconds” is 60, and the default value for “max_seconds” is 3,600.

min_seconds This parameter specifies the minimum cache expiration time in seconds.

max_seconds This parameter specifies the maximum cache expiration time in seconds.

ip dns host <host_name> <ip>
This global command is used to add a static host entry.

host_name This parameter specifies the host name.

ip This parameter specifies the IP address.

no ip dns host <host_name>
This global command is used to remove a static host entry.

host_name This parameter specifies the host name.

show ip dns host
This global command is used to display all static DNS host entries.

clear ip dns host
This command is used to clear all static DNS host entries.

ip dns nameserver <ip_address>
This global command is used to configure an IPv4 DNS name server.

ip_address This parameter specifies the IPv4 address of the IPv4 DNS name server.

no ip dns nameserver <ip_address>
This global command is used to delete the specified IPv4 DNS name server.

ip dns nameserver6 <ip_address>
This global command is used to configure an IPv6 DNS name server.

ip_address This parameter specifies the IPv6 address of the IPv6 DNS name server.

no ip dns nameserver6 <ip_address>
This global command is used to delete the specified IPv6 DNS name server.

ip dns serverredundancy {on|off}
This global command is used to enable or disable the DNS server redundancy function for every
virtual site. When this function is enabled and a virtual site is configured with “dns useglobal
off” (so that it resolves DNS queries with its own custom DNS settings), the system first
queries the virtual site’s DNS server with the highest priority; if that server fails to
resolve the query, the system tries the server with the second highest priority; if that
server also fails, the system finally tries the server with the lowest priority. The earlier a
DNS server is configured for the virtual site, the higher its priority. By default, this
function is disabled and only the virtual site’s DNS server with the highest priority is used
to resolve DNS queries.
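The failover order described above, as an added Python model; it is not Array Networks code.
Each name server is represented by a constructed callback that returns an answer or None on
failure, and the list order stands for configuration order (highest priority first). The
function also reports which servers were consulted, which is the detail an operator needs when
deciding whether a site's resolution failed because redundancy was off or because every server
failed.

```python
"""Model of the per-virtual-site DNS failover controlled by "ip dns serverredundancy":
servers are tried in configured (priority) order only when redundancy is on;
otherwise only the highest-priority server is used.
Added example, not Array Networks code. The sample servers are constructed."""

from typing import Callable, List, Optional, Sequence, Tuple

# A resolver callback returns the answer, or None when the server fails to resolve.
# It stands in for a real DNS query so that the example runs offline.
Resolver = Callable[[str], Optional[str]]


def resolve_with_redundancy(
    name: str,
    nameservers: Sequence[Tuple[str, Resolver]],
    redundancy_on: bool,
) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Return (answer, label_of_server_that_answered, labels_of_servers_tried).

    nameservers is ordered as configured: index 0 has the highest priority.
    With redundancy off only that server is consulted, exactly as the default
    behaviour described in the handbook.
    """
    candidates = list(nameservers) if redundancy_on else list(nameservers[:1])
    tried: List[str] = []
    for label, query in candidates:
        tried.append(label)
        answer = query(name)
        if answer is not None:
            return answer, label, tried
    return None, None, tried


# Constructed sample servers: the primary never answers, the others hold one record.
def _primary(name: str) -> Optional[str]:
    return None          # simulates an unreachable or failing server


def _secondary(name: str) -> Optional[str]:
    return {"intranet.example.test": "10.0.0.10"}.get(name)


def _tertiary(name: str) -> Optional[str]:
    return {"intranet.example.test": "10.0.0.11"}.get(name)


# Configuration order = priority order (ns1 configured first, so highest priority).
SAMPLE_SERVERS = [("ns1", _primary), ("ns2", _secondary), ("ns3", _tertiary)]


if __name__ == "__main__":
    print(resolve_with_redundancy("intranet.example.test", SAMPLE_SERVERS, False))
    print(resolve_with_redundancy("intranet.example.test", SAMPLE_SERVERS, True))
```

With redundancy off the site gets no answer even though two working servers are configured;
turning it on costs one extra query against the failed server before the secondary answers.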

ip dns search <path>
This global command is used to add a domain entry to the resolver search path.

path This parameter specifies the domain to add to the resolver search path.

no ip dns search <path>
This global command is used to remove a domain entry from the resolver search path.

path This parameter specifies the domain to remove from the resolver search path.

ip dns staticttl [expiration_time]
This global command is used to define the expiration time for the static host entry responses.

expiration_time This optional parameter sets the response expiration time in seconds. It can
be set between 1 and 43,200 seconds (the default value is “43,200”).

show ip dns config
This global command is used to display DNS cache settings (including the settings made by the
“dns cache on|off” and “dns cache expire” commands).

clear ip dns config
This global command is used to restore the DNS settings to their defaults.

clear ip dns cache content
This global command is used to clear all dynamic DNS cache entries.

ip dns request timeout <second> <millisecond>
This global command is used to define the DNS request timeout value.

second This parameter specifies the DNS request timeout in seconds.

millisecond This parameter specifies the DNS request timeout in milliseconds.

dns cache {on|off}
This command is used to enable/disable the DNS cache. The default value is off.

dns cache expire <min_seconds> <max_seconds>
This command is used to configure the DNS cache expiration time. If the TTL (Time to Live) of
a DNS response is shorter than “min_seconds”, the entry expires after “min_seconds”; if it is
longer than “max_seconds”, the entry expires after “max_seconds”. The default value for
“min_seconds” is 60, and the default value for “max_seconds” is 3,600.

min_seconds This parameter specifies the minimum cache expiration time in seconds.

max_seconds This parameter specifies the maximum cache expiration time in seconds.

dns host <host_name> <ip>
This command is used to add a static DNS host entry.

host_name This parameter specifies the host name.

ip This parameter specifies the IP address.

no dns host <host_name>
This command is used to remove a static DNS host entry.

show dns host
This command is used to display all static DNS host entries.

clear dns host
This command is used to clear all static DNS host entries.

dns nameserver <ip_address>
This command is used to configure an IPv4 DNS name server.

ip_address This parameter specifies the IPv4 address of the IPv4 DNS name server.

no dns nameserver <ip_address>
This command is used to delete the specified IPv4 DNS name server.

dns nameserver6 <ip_address>
This command is used to configure an IPv6 DNS name server.

ip_address This parameter specifies the IPv6 address of the IPv6 DNS name server.

no dns nameserver6 <ip_address>
This command is used to delete the specified IPv6 DNS name server.

dns search <path>
This command is used to add a domain entry to the resolver search path.

path This parameter specifies the domain to add to the resolver search path.

no dns search <path>
This command is used to remove a domain entry from the resolver search path.

path This parameter specifies the domain to remove from the resolver search path.

dns staticttl [expiration_time]
This command is used to define the expiration time for the static host entry responses.

expiration_time Optional. This parameter sets the response expiration time in seconds. It can
be set between 1 and 43,200 seconds (the default value is 43,200).
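To make the clamping concrete, here is an added Python model (not Array Networks code) of the
cache behaviour configured by “dns cache expire” and “dns staticttl”, covering both the global
(“ip dns …”) and the per-virtual-site forms described above. The class and method names, the
case-insensitive lookup and the in-memory structure are assumptions of the example; the defaults
(60, 3,600 and 43,200 seconds) are the handbook's. The sample names and addresses are
constructed.

```python
"""DNS cache model for "dns cache expire <min_seconds> <max_seconds>" and
"dns staticttl [expiration_time]": a dynamic answer is cached for its TTL clamped
into [min_seconds, max_seconds]; a static host entry is answered with the static TTL.
Added example, not Array Networks code; structure and names are assumptions."""

from typing import Dict, Optional, Tuple


def clamp_ttl(ttl: int, min_seconds: int = 60, max_seconds: int = 3600) -> int:
    """Expiration time, in seconds, for a response carrying TTL `ttl`.

    A TTL below min_seconds is raised to min_seconds, one above max_seconds is
    cut to max_seconds; anything in between is used as-is (defaults per handbook).
    """
    return max(min_seconds, min(ttl, max_seconds))


class DnsCache:
    def __init__(self, enabled=True, min_seconds=60, max_seconds=3600, static_ttl=43200):
        self.enabled = enabled              # "dns cache on|off"
        self.min_seconds = min_seconds      # "dns cache expire" first argument
        self.max_seconds = max_seconds      # "dns cache expire" second argument
        self.static_ttl = static_ttl        # "dns staticttl"
        self.static: Dict[str, str] = {}                   # static host entries
        self.dynamic: Dict[str, Tuple[str, float]] = {}    # name -> (ip, expires_at)

    def add_host(self, name: str, ip: str) -> None:
        """Equivalent of "dns host <host_name> <ip>" (lower-cased: assumption)."""
        self.static[name.lower()] = ip

    def store(self, name: str, ip: str, ttl: int, now: float) -> Optional[float]:
        """Cache a dynamic answer; returns its expiry time, or None when the cache is off."""
        if not self.enabled:
            return None
        expires = now + clamp_ttl(ttl, self.min_seconds, self.max_seconds)
        self.dynamic[name.lower()] = (ip, expires)
        return expires

    def lookup(self, name: str, now: float) -> Optional[Tuple[str, int]]:
        """Return (ip, seconds_remaining) or None.

        Static entries take precedence and always report static_ttl; an expired
        dynamic entry is evicted and reported as a miss.
        """
        key = name.lower()
        if key in self.static:
            return self.static[key], self.static_ttl
        entry = self.dynamic.get(key)
        if entry is None:
            return None
        ip, expires = entry
        if now >= expires:
            del self.dynamic[key]
            return None
        return ip, int(expires - now)

    def clear_content(self) -> None:
        """Equivalent of "clear dns cache content": dynamic entries only, static ones stay."""
        self.dynamic.clear()


if __name__ == "__main__":
    cache = DnsCache()
    cache.add_host("app.example.test", "10.1.1.5")
    cache.store("short.example.test", "10.1.1.6", ttl=0, now=1000)   # held for 60 s, not 0
    cache.store("long.example.test", "10.1.1.7", ttl=86400, now=0)   # held for 3600 s, not a day
    print(cache.lookup("APP.example.test", 0), cache.lookup("short.example.test", 1030))
```

The two constructed answers show the operational consequence of the clamp: a response with a
TTL of 0 is still served from cache for min_seconds, and a very long TTL cannot pin a stale
answer for longer than max_seconds, which bounds how long a changed record (or a poisoned one)
survives on the appliance.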

dns useglobal on
This command is used to instruct the AG appliance to use the global DNS settings for a virtual
site.

dns useglobal off
This command is used to instruct the AG appliance to use the custom DNS settings for a virtual
site.

show dns config
This command is used to display all DNS settings.

clear dns config
This command is used to restore the DNS settings to their defaults.

clear dns cache content
This command is used to clear all dynamic DNS cache entries.

System Tune Settings

show system tune
This command is used to display the user-defined system tuning values.

clear system tune
This command is used to reset the defined system tuning values.

system tune defraglimit <smallest_object_size>
This command is used to consolidate packet data into fewer frames. Users set the
“smallest_object_size” (measured in bytes) for packets received for defragmentation. Assume the
user is dealing with a 10K object with the server MTU set to 1K. The AG appliance will receive
roughly 10 packets, and 10 frames are used to cache the object. If “system tune defraglimit
512” is configured, the AG appliance will have to cache the 10K of data from 10 frames onto 20
frames (0.5 K data/frame) to fully utilize the frame memory.

smallest_object_size This parameter sets the cache defragmentation limit.

system tune hwcksum {on|off}
This command is used to enable hardware checksums on the network cards. The default setting is
on.

no system tune hwcksum
This command is used to reset hardware checksums to their default value.

system tune tcpidle <max_idle_time>
This command is used to set the maximum idle time, in seconds, before terminating a TCP
connection. The idle timeout ranges from 60 seconds to 7,200 seconds (the default is 300
seconds).

no system tune tcpidle
This command is used to reset the TCP idle timeout.

system tune tcp retransmit timeout <time>
This command is used to set the TCP retransmission timeout.

system tune tcp retransmit dupacks <dupacks>
This command is used to set the number of duplicate ACKs to start TCP fast retransmission. The
default setting is 3. It is recommended that the default settings not be changed without contacting
Array Support.

system tune tcp retransmit policy {newreno|adaptive}
This command allows users to change the default policy from NewReno to Adaptive for starting
TCP fast retransmission. It is recommended that the default settings not be changed without
contacting Array Support.

system tune tcp slowstart {on|off}
This command is used to enable/disable the slow start feature. It is recommended that the default
“on” setting not be changed without contacting Array Support.

no system tune tcp slowstart
This command is used to reset the slow start feature to the default “on” setting.

system tune tcp delack count <count>
This command is used to specify the maximum number of packets for which the ACK can be
delayed. The default is “4”. “0” means ACKs are not delayed.

system tune tcp delack timeout <timeout>
This command is used to specify the maximum timeout (in milliseconds) for ACK delay. The
value of the “timeout” parameter must be a multiple of 10. The default value is 100 ms.

no system tune tcp delack
This command is used to reset the TCP ACK delay to the default setting.

no system tune tcp retransmit {timeout|dupacks|policy}
This command is used to reset the TCP retransmit settings (timeout, dupacks or policy) to their
default values.

system tune ip randomid {on|off}
This command is used to enable/disable random IP packet identification (IP ID) values. By
default, this feature is disabled and the identification field of an IP packet is increased
sequentially. If enabled, the IP packet’s identification field is set to a random number.

no system tune ip randomid
This command is used to disable the random IP ID.

no system tune defraglimit
This command is used to disable the defragmentation limit.

system tune tcp syntimeout <min_timeout>
This command is used to set the minimum timeout (in seconds) for TCP SYN packets.

no system tune tcp syntimeout
This command is used to reset the SYN timeout value.

no system tune verifycert
This command is used to disable certificate verification.

system tune tcp zwdefend {on|off}
This command is used to enable or disable the zero window probe timer. By default, this function
is disabled.

system tune tcp pktdropopt <packet_drop_option>
This command is used to control the packet drop behavior when TCP packets are received and
dropped on a closed TCP port. This function is useful to slow down anyone who is port scanning a
system, attempting to detect vulnerable services on a system. It could potentially also slow down
someone that is attempting a DoS attack.

By default, the system will return a TCP RST.

packet_drop_option Its value must be:

 0: indicates that the system returns a TCP RST.

 1: indicates that the system silently drops TCP SYN packets, and returns a TCP RST for all
other TCP packets.

 2: indicates that the system silently drops all TCP packets.

no system tune tcp pktdropop
This command is used to restore the TCP packet drop behavior.

system tune udp pktdropopt <packet_drop_option>
This command is used to control the packet drop behavior when UDP packets are received and
dropped on a closed UDP port. This function is useful to slow down anyone who is port scanning
a system, attempting to detect vulnerable services on a system. It could potentially also slow down
someone that is attempting a DoS attack.

By default, the system will return an ICMP port unreachable message.

packet_drop_option Its value must be:

 0: indicates that the system returns an ICMP port unreachable message.

 1: indicates that the system silently drops all UDP packets.

no system tune udp pktdropop
This command is used to restore the UDP packet drop behavior.

system tune vpn nattimeout <timeout>
This command is used to set the maximum timeout for the VPN Netpool NAT function. When the
connection between the AG appliance and the backend server is idle for the specified timeout
value, NAT entries for the VPN Netpool NAT function will be cleared. If this command is not
configured, the default maximum timeout for the VPN Netpool NAT function is 300 seconds.

timeout This parameter specifies the maximum timeout in seconds. Its value
must be an integer ranging from 1 to 100,000.

no system tune vpn nattimeout
This command is used to reset the maximum timeout for the VPN Netpool NAT function to its
default.

System Time Settings

system date <year> <month> <day>
In the event that a network does not rely on an NTP server, users can set the AG appliance system
date by running this command. The values for each parameter can be entered as one or two digits
as necessary. For example, if a user wants to enter the date “October 20, 2011” the input should be
as follows:

AN(config)#system date 11 10 20

show date
This command is used to view the current system date and time of the AG appliance.

system time <hour> <minute> <second>
In the event that a network does not rely on an NTP server, users can set the AG appliance system
time by running this command. The values for each parameter can be entered as one or two digits
as necessary (Note: The AG appliance runs on a twenty-four hour/military standard clock.). For
example, if a user wants to enter the time “11:33:51 PM” the input will be as follows:

AN(config)#system time 23 33 51

system timezone [timezone_string]
This command allows users to set the system time zone. When this command is executed, the AG
appliance will present the user with a three-step menu driven process to set the correct time zone.
The first step/menu in the process is to choose the correct continent (e.g. Asia, Europe or North
America). After the desired continent is entered, the next menu will offer the list of supported
countries within the specified continent (e.g. China, Hong Kong, Japan, South Korea, Singapore or
Taiwan). The final step is to choose the specific time zone region from the AG appliance
generated list.

Note: At any time during the time zone setup, users can enter “0” to return to the
previous option (e.g., entering “0” on the country list page will return users to the
continent page).

show system timezone
This command is used to display the current timezone.

clear system timezone
This command is used to set the system timezone to “GMT” (the default).

ntp {on|off}
This command is used to enable/disable synchronizing the AG appliance clock with the NTP
server. The NTP server settings and NTP time setting received by the AG appliance will preempt
the CLI date and time settings. The “ntp server” command must be configured before the NTP
feature can be enabled.

ntp server <ip> [version]
This command is used to configure an NTP server with which the AG appliance synchronizes its
time. The NTP function will not work if the time difference between the NTP server and the AG
appliance is greater than 1,000 seconds (approximately 16 minutes). If the time difference is
greater than 1,000 seconds, please adjust the system time of the AG appliance to a closer value by
using the “system time” command.

ip This parameter specifies the IP address of the NTP server. Its value
must be an IPv4 or IPv6 address.

version Optional. This parameter specifies the NTP version. Its value must
be 1, 2, 3 or 4. The default value is 4.

show ntp
This command is used to display the current NTP configuration. This command will also display
the time dispersion and association of the current server.

clear ntp
This command is used to clear the NTP configuration.

Chapter 3 Virtual Site

Virtual Site
virtual site name <virtual_site> [description] [type] [parent_site]
This global command is used to create a virtual site.

virtual_site This parameter specifies the name of the virtual site. Its value
must be a string of 1 to 63 characters. Only 0-9, a-z, A-Z and
characters “_” and “-” are supported.

description Optional. This parameter specifies the description of the virtual site. Its value
must be a string of 1 to 63 characters. If this parameter is not specified, no description will
be displayed for the virtual site.

If the virtual site is used for the MotionPro feature, the parameter value should only be
“motionPro_dedicated”.

type Optional. This parameter specifies the type of the virtual site. Its value must be
“exclusive”, “shared”, or “alias”. The default value is “exclusive”.

parent_site Optional. This parameter specifies the name of the parent virtual site.

 When the “type” parameter is set to “alias”, the parent virtual site must be an existing
shared virtual site.

 When the “type” parameter is set to “exclusive” or “shared”, the parent virtual site should
not be specified.

no virtual site name <virtual_site>
This global command is used to delete the specified virtual site.

show virtual site name
This global command is used to display the name, description, type and parent site information of
all the existing virtual sites.

virtual site ip <virtual_site> <ip_address> [port]
This global command is used to add the IP address and port to a virtual site.

virtual_site This parameter specifies the name of the virtual site.

ip_address This parameter specifies the IP address to be assigned to the virtual site. Its value
must be an IPv4 or IPv6 address.

port Optional. This parameter specifies the port to be assigned to the virtual site. Its value
must be an integer ranging from 0 to 65,535, and defaults to 443.

no virtual site ip <virtual_site> <ip_address> [port]
This global command is used to delete the specified IP address and port from the virtual site.

show virtual site ip [virtual_site]
This global command is used to display the IP address and port of the specified virtual site. If the
“virtual_site” parameter is not specified, the IP addresses and ports of all virtual sites will be
displayed.

virtual site domain <virtual_site> <domain_name>
This global command is used to add the domain name to a virtual site.

virtual_site This parameter specifies the name of the virtual site.

domain_name This parameter specifies the domain name to be assigned to the virtual site. Its
value must be a string of 1 to 64 characters.

no virtual site domain <virtual_site> <domain_name>
This global command is used to delete the specified domain name from the virtual site.

show virtual site domain [virtual_site]
This global command is used to display the domain name of the specified virtual site. If the
“virtual_site” parameter is not specified, the domain names of all virtual sites will be displayed.

show virtual site config [virtual_site]
This global command is used to display the name, IP and domain configurations of the specified
virtual site.

virtual_site Optional. This parameter specifies the name of the virtual site. If
this parameter is not specified, the configurations of all virtual sites
will be displayed.

clear virtual site config
This global command is used to clear the configurations of all virtual sites.

show info
This command is used to display the name, IP and domain configurations of the virtual site.

show statistics virtual
This global command is used to display the statistics under the global scope and each virtual site
scope.

clear statistics virtual
This global command is used to clear the statistics under the global scope and each virtual site
scope.

SSL
ssl csr [key_length] [signature_algorithm]
This command is used to generate a CSR (Certificate Signing Request) and an SSL key pair for
the current virtual site. After this command is executed, the administrator will be led through a
series of prompts so that the system can gather the required information to generate the CSR. The
administrator can choose to set the private key as exportable and set the passphrase for the private
key to protect it.

In addition, this command also generates a “test” certificate for the virtual site. If the administrator
has not uploaded the intermediate CA certificates and root CA certificate of this “test” certificate
using the “ssl import interca” command, a warning message indicating an incomplete certificate
chain will be displayed.

key_length Optional. This parameter specifies the length of the generated SSL
key pair in bits. Its value must be 1024, 2048 or 4096. The default
value is 2048.

signature_algorithm Optional. This parameter specifies the signature algorithm of the CSR file.
Its value must be “sha256”, “sha384”, “sha512” or “sha1”. The default value is “sha256”.

The requested data will be prompted as follows:

vs(config)$ssl csr
Type 'YES' to generate a new key and overwrite the existing key file.
Type 'NO' will just generate CSR file[YES/(NO)]:YES
Generating key for "vs"...please wait
We will now gather some required information about your ssl virtual site,
This information is encoded into your certificate
Two character country code for your organization (eg. US):
State or province:
Location or local city:
Organization Name:
Organizational Unit:
Do you want to use the domain name "vs" as the Common Name (recommended)?(Y/N):
Email address of administrator:
Do you want the private key to be exportable [Yes/(No)]:
Enter passphrase for the private key:
Confirm passphrase for the private key:

Once the above information has been provided, the AG appliance will display a data message that
should be copied into an email and sent to the CA (Certificate Authority) for certificate signing.
The lengths of the subject fields in the CSR should conform to the following limits:

 Two Character Country Code: 2 bytes

 Common Name: 64 bytes

 State or Province: 64 bytes

 Location or Local City: 64 bytes

 Organization Name: 64 bytes

 Organizational Unit: 64 bytes

 Email Address for Administrator: 80 bytes

Note:

 Entered characters for the subject fields “Country Code”, “State or Province”,
“Location or Local City”, “Organization Name”, “Organizational Unit”, and
“Common Name” (available when “Site FQDN as Common Name” is set to “No”)
only support a-z, A-Z, numbers, space and characters “'”, “(”, “)”, “+”, “-”, “=”, “,”,
“.”, “:”, “/” and “?”.

 The subject field “Email Address for Administrator” cannot contain any of the
characters “!”, “#”, “$”, “%”, “^”, “*”, “(”, “)”, “~”, “?”, “>”, “<”, “&”, “/”, “\”, “,”,
“"” and “'”.

 The test certificate generated by the “ssl csr” command is only used for testing
purposes, not for production systems.
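An added Python pre-check (not Array Networks code) of the subject values before they are typed
at the “ssl csr” prompts, using the byte limits and the character rules listed above. The field
keys, the UTF-8 byte counting, and the rule that the country code must be exactly two characters
are assumptions of the example (the page states only the 2-byte limit); the sample subjects are
constructed. Running it first avoids generating a new key pair only to have a subject value
rejected at the prompt.

```python
"""Validate CSR subject fields against the limits and character rules the handbook
lists for "ssl csr". Added example, not Array Networks code. Field keys, UTF-8 byte
counting and the exactly-two-character country rule are assumptions."""

from typing import Dict, List

# Field -> maximum length in bytes (values from the handbook).
MAX_BYTES = {
    "country": 2,
    "common_name": 64,
    "state": 64,
    "locality": 64,
    "organization": 64,
    "organizational_unit": 64,
    "email": 80,
}

# Characters accepted in the distinguished-name fields: letters, digits, space
# and the punctuation the handbook lists.
DN_ALLOWED = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 '()+-=,.:/?"
)

# Characters the e-mail field must not contain (handbook list).
EMAIL_FORBIDDEN = set('!#$%^*()~?><&/\\,"\'')


def validate_csr_subject(subject: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means every field is acceptable.

    Missing fields are treated as empty strings. Lengths are measured in UTF-8
    bytes (assumption) so that non-ASCII input is caught by both the length and
    the character-set checks.
    """
    problems: List[str] = []
    for field, limit in MAX_BYTES.items():
        value = subject.get(field, "")
        size = len(value.encode("utf-8"))
        if size > limit:
            problems.append(f"{field}: {size} bytes exceeds limit of {limit}")
        if field == "country" and size != 2:
            # Assumption: an ISO-style two-letter code is required, not merely "at most 2".
            problems.append("country: must be exactly two characters")
        if field == "email":
            bad = sorted(set(value) & EMAIL_FORBIDDEN)
            if bad:
                problems.append("email: forbidden characters " + "".join(bad))
        else:
            bad = sorted(set(value) - DN_ALLOWED)
            if bad:
                problems.append(f"{field}: unsupported characters " + "".join(bad))
    return problems


# Constructed sample subject that passes every rule.
GOOD_SUBJECT = {
    "country": "US",
    "state": "California",
    "locality": "Milpitas",
    "organization": "Example Corp",
    "organizational_unit": "IT",
    "common_name": "vpn.example.test",
    "email": "admin@example.test",
}


if __name__ == "__main__":
    print(validate_csr_subject(GOOD_SUBJECT))
    print(validate_csr_subject(dict(GOOD_SUBJECT, organization="Example & Sons")))
```

The check is deliberately stricter than permissive: an ampersand in an organisation name or a
bracket in an e-mail address is reported rather than silently stripped, so the value that ends up
in the CSR is exactly the one the administrator reviewed.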

ssl ecc csr [curve_name] [signature_algorithm_index]
This command is used to generate a CSR (Certificate Signing Request) and an SSL key pair based
on the Elliptic Curve Cryptography (ECC) for the current virtual site. After this command is
executed, the administrator will be led through a series of prompts so that the system can gather
the required information to generate the ECC CSR. The administrator can choose to set the private
key as exportable and set the passphrase for the private key to protect it.

In addition, this command also generates a “test” certificate for the virtual site. If the administrator
has not uploaded the intermediate CA certificates and root CA certificate of this “test” certificate
using the commands “ssl import interca” and “ssl import rootca”, a warning message indicating
an incomplete certificate chain will be displayed.

curve_name Optional. This parameter specifies the elliptic curve name. Its value must be
“prime256v1”, “secp384r1”, or “secp521r1”. The default value is “prime256v1”.

signature_algorithm_index Optional. This parameter specifies the index of the CSR signature
algorithm. Its value must be “sha256”, “sha384”, “sha512” or “sha1”. The default value is
“sha256”.

Note: If the elliptic curve field in the ClientHello message does not match the elliptic
curve in the ECC certificate activated for the virtual site, the SSL handshake will fail.

no ssl csr [csr_type]
This command is used to delete the CSR of the specified type for the current virtual site.

csr_type Optional. This parameter specifies the type of the CSR. Its value
must be:

 rsa: indicates that the RSA CSR will be deleted.

 sm2: indicates that the SM2 CSR will be deleted.

 ecc: indicates that the ECC CSR will be deleted.

 all: indicates that all types of CSRs will be deleted.

The default value is “all”.

show ssl csr [csr_type]
This command is used to display the CSR of the specified type for the current virtual site.

csr_type Optional. This parameter specifies the type of the CSR. Its value
must be:

 rsa: indicates that the RSA CSR will be displayed.

 sm2: indicates that the SM2 CSR will be displayed.

 ecc: indicates that the ECC CSR will be displayed.

 all: indicates that all types of CSRs will be displayed.

The default value is “all”.

ssl import key [key_index] [tftp_ip] [file_name]
This command is used to import a private key for the current virtual site. The administrator can
import three private keys at most.

The administrator can execute this command and copy-n-paste the private key directly into the
CLI. The system also supports importing private keys from a remote TFTP server.

key_index Optional. This parameter specifies the index to be associated with the imported key.
Its value must be 1, 2 or 3, and defaults to 1.

tftp_ip Optional. This parameter specifies the IP address of the remote TFTP server, which is
required only when the private key is imported via TFTP. Its value must be an IPv4 address.

file_name Optional. This parameter specifies the file name of the key on the
remote TFTP server, which is required only when the private key is
imported via TFTP. Its value must be a string of 1 to 256 characters,
and defaults to “<host_name>.key”.

ssl export key [key_index] [key_type]
This command is used to export a private key. After this command is executed, the specified key
will be displayed.

key_index Optional. This parameter specifies the index of the imported key to
be exported. Its value must be 1, 2 or 3. If this parameter is not
specified, the active key will be displayed.

key_type Optional. This parameter specifies the type of the private key to be
displayed. Its value must be:

 rsa: indicates that the RSA private key will be displayed.

 ecc: indicates that the ECC private key will be displayed.

 all: indicates that both RSA and ECC private keys will be
displayed.

The default value is “all”.

ssl import certificate [cert_index] [tftp_ip] [file_name]
This command is used to import a certificate for the current virtual site. The administrator can
import three certificates at most. The imported certificate can be activated by the command “ssl
activate certificate [cert_index]”.

The administrator can execute this command and copy-n-paste the PEM format certificate directly
into the CLI. The system also supports importing PEM, DER and PFX formats as well as the
certificates used by IIS 4, IIS 5 and Netscape iPlanet servers from a remote TFTP server.

cert_index Optional. This parameter specifies the index to be associated with the imported
certificate. Its value must be 1, 2 or 3, and defaults to 1.

tftp_ip Optional. This parameter specifies the IP address of the remote TFTP server, which is
required only when the certificate is imported via TFTP. Its value must be an IPv4 address.

file_name Optional. This parameter specifies the file name of the certificate on
the remote TFTP server, which is required only when the certificate
is imported via TFTP. Its value must be a string of 1 to 256
characters, and defaults to “<host_name>.crt”.

no ssl certificate [cert_index] [cert_type]
This command is used to delete an imported certificate of the specified type for the current virtual
site.

cert_index Optional. This parameter specifies the index of the certificate. Its
value must be 1, 2 or 3. The default value is 1.

cert_type Optional. This parameter specifies the type of the certificate. Its
value must be:

 rsa: indicates that the RSA certificate will be deleted.

 ecc: indicates that the ECC certificate will be deleted.

 all: indicates that both RSA and ECC certificates will be deleted.

The default value is “all”.

ssl activate certificate [cert_index] [cert_type]
This command is used to activate an imported certificate as the default certificate.

cert_index Optional. This parameter specifies the index of the certificate to be activated. Its
value must be 1, 2 or 3. The default value is 1.

cert_type Optional. This parameter specifies the type of certificate to be activated. Its value
must be:

 rsa: indicates that the RSA certificate will be activated.

 sm2: indicates that the SM2 certificate will be activated.

 ecc: indicates that the ECC certificate will be activated.

 all: indicates that all types of certificates will be activated.

The default value is “all”.

Note:

• For each type of certificate, only one certificate/key pair (with the same index) can
stay active in the system. The certificate/key pair generated by the command “ssl
csr” is active by default. The certificate/key pair generated by the command “ssl ecc
csr” is active by default. The certificate/key pair generated by the “ssl sm2 csr”
command is inactive by default.

• If the elliptic curve field in the ClientHello message does not match the elliptic
curve in the ECC certificate activated for the virtual site, the SSL handshake will
fail.

show ssl certificate [display_mode] [cert_index] [cert_type]


This command is used to display an imported certificate.

display_mode Optional. This parameter specifies the display mode of certificate.
Its value must be:

• complete: indicates that all the information of the certificate will be
displayed.

• simple: indicates that only Issuer, Validity and Subject of the certificate
will be displayed.

The default value is “complete”.

cert_index Optional. This parameter specifies the index of the imported
certificate to be displayed. Its value must be 1, 2 or 3. If this parameter
is not specified, the active certificate will be displayed.

cert_type Optional. This parameter specifies the type of certificate to be
displayed. Its value must be:

• rsa: indicates that the RSA certificate will be displayed.

• sm2: indicates that the SM2 certificate will be displayed.

• ecc: indicates that the ECC certificate will be displayed.

• all: indicates that all types of certificates will be displayed.

The default value is “all”.

show ssl certinfo <virtual_site>


This global command is used to display the information about the SSL certificate(s) of a specified
virtual site.

virtual_site This parameter specifies the name of an existing virtual site.

For example:

AN#show ssl certinfo vs

RSA certificates status:
Cert Index   Imported   Status
1            YES        Active
2            NO         -
3            NO         -

ECC certificates status:
Cert Index   Imported   Status
1            YES        Active
2            NO         -
3            NO         -

SM2 certificates status:
Cert Index   Imported (Sign/Enc)   Status
1            YES/NO                -
2            NO /NO                -
3            NO /NO                -

ssl import rootca [tftp_ip] [file_name]


Under the global scope, this command is used to import a trusted CA certificate for all the virtual
sites.

Under the virtual site scope, this command is used to import a trusted CA certificate for the
current virtual site.

The administrator can execute this command and copy-n-paste the trusted CA certificate of PEM
format directly into the CLI. The system also supports importing trusted CA certificate of PEM
and DER formats from a remote TFTP server.

tftp_ip Optional. This parameter specifies the IP address of the remote
TFTP server, which is required only when the trusted CA certificate is
imported via TFTP. Its value must be an IPv4 address.

file_name Optional. This parameter specifies the file name of the trusted CA
certificate on the remote TFTP server, which is required only when the
trusted CA certificate is imported via TFTP. Its value must be a string of
1 to 256 characters, and defaults to “<host_name>.crt”.

no ssl rootca [certificate_number]


Under the global scope, this command is used to delete an imported trusted CA certificate from all
the virtual sites.

Under the virtual site scope, this command is used to delete an imported trusted CA certificate
from the current virtual site.

certificate_number Optional. This parameter specifies the serial number of the trusted
CA certificate to be deleted. Administrators can find the serial
number of the certificate via the “show ssl rootca” command. If
this parameter is not specified, all the trusted CA certificates will be
deleted.

show ssl rootca [display_mode]


Under the global scope, this command is used to display the trusted CA certificate imported for all
the virtual sites.

Under the virtual site scope, this command is used to display the trusted CA certificate imported
for the current virtual site.

display_mode Optional. This parameter specifies the display mode of certificate.
Its value must be:

• complete: indicates that all the information of the certificate will be
displayed.

• simple: indicates that only Issuer, Validity and Subject of the certificate
will be displayed.

The default value is “complete”.

ssl import interca [tftp_ip] [file_name]


This command is used to import an intermediate CA certificate for the current virtual site.

The administrator can execute this command and copy-n-paste the intermediate CA certificate of
PEM format directly into the CLI. The system also supports importing intermediate CA certificate
of PEM and DER formats from a remote TFTP server.

tftp_ip Optional. This parameter specifies the IP address of the remote
TFTP server, which is required only when the intermediate CA certificate
is imported via TFTP. Its value must be an IPv4 address.

file_name Optional. This parameter specifies the file name of the intermediate
CA certificate on the remote TFTP server, which is required only when the
intermediate CA certificate is imported via TFTP. Its value must be a string
of 1 to 256 characters, and defaults to “<host_name>.crt”.

no ssl interca [certificate_number]


This command is used to delete an imported intermediate CA certificate from the current virtual
site.

certificate_number Optional. This parameter specifies the serial number of the
intermediate CA certificate to be deleted. Administrators can find the serial
number of the certificate via the “show ssl interca” command. If this
parameter is not specified, all the intermediate CA certificates will be
deleted.

show ssl interca [display_mode]


This command is used to display the intermediate CA certificate imported for the current virtual
site.

display_mode Optional. This parameter specifies the display mode of certificate.
Its value must be:

• complete: indicates that all the information of the certificate will be
displayed.

• simple: indicates that only Issuer, Validity and Subject of the certificate
will be displayed.

The default value is “complete”.

ssl backup certificate <file_name> <password>


This command is used to back up the certificate and the private key of the current virtual site into
a PFX file. This PFX file will be zipped with the trusted CA certificate (refer to the “ssl import
rootca” command) and intermediate CA certificate (refer to the “ssl import interca” command) into
a .tgz file. This .tgz file can be stored in the local system or on a specified TFTP server. Anyone
who wants to access the .tgz file must supply the correct password. Note that TFTP provides no
transport encryption or authentication, so a private key sent to a TFTP server is protected in transit
only by the strength of this password and by the trustworthiness of the network path.

file_name This parameter specifies the file name. Its value must be a string of
1 to 256 characters, which is recommended to be enclosed by double quotes.
Only numbers, letters and underscore “_” are supported.

• To store the backup file locally, use a valid local file name (excluding
the path and extension).

• To store the backup file on a remote server, use a properly formatted TFTP
string (e.g., "tftp://server/filename").

password This parameter specifies the password that allows access to the
backup file. Its value must be a string of 1 to 128 characters, which is
recommended to be enclosed by double quotes. Only numbers, letters and
underscore “_” are supported.

no ssl backup certificate <file_name>


This command is used to delete the specified backup certificate/key file stored in the local system.
The parameter “file_name” must be a valid local file name.

show ssl backup certificate


This command is used to display the backup certificate/key files stored in the local system.

ssl restore certificate <file_name> <password>


This command is used to restore the certificate and the private key from a PFX file, which can be
stored in the local system or on the remote TFTP server. The password string must be identical to
the string entered when this backup file was produced using the “ssl backup certificate”
command.

file_name This parameter specifies the file name.

password This parameter specifies the password that allows access to the
specified backup file.

ssl settings protocol <version>


This command is used to set the supported SSL protocol version for the current virtual site. The
AG appliance supports four protocols: SSLv3, TLSv1, TLSv1.2 and SM2v1.1. SSLv3 has been
deprecated (RFC 7568) and should be enabled only for legacy clients that cannot be upgraded.

version This parameter specifies the SSL protocol version. Its value must
be:

• SSLv3: indicates that the SSLv3 protocol is supported.

• TLSv1: indicates that the TLSv1 protocol is supported.

• TLSv12: indicates that the TLSv1.2 protocol is supported.

• SM2v11: indicates that the SM2v1.1 protocol is supported.

• ALL: indicates that the above four SSL protocols are all supported.

To use more than one protocol, use colon “:” to separate each other.

For cipher suites supported by each protocol, please refer to ArrayOS AG 9.4 User Guide.

For example:

AN(config)#ssl settings protocol SSLv3

AN(config)#ssl settings protocol ALL

ssl settings ciphersuite <cipher_string>


This command is used to set the supported cipher suite for the current virtual site.

cipher_string This parameter specifies the cipher suite. To use more than one
cipher suite, use colon “:” to separate each other.

Below is a list of supported cipher suites:

• DES-CBC3-SHA
• RC4-SHA
• RC4-MD5
• EXP-RC4-MD5
• AES128-SHA
• AES256-SHA
• AES128-SHA256
• AES256-SHA256
• ECDHE-RSA-AES128-SHA
• ECDHE-RSA-AES256-SHA
• ECDHE-RSA-AES128-SHA256
• ECDHE-RSA-AES256-SHA384
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-ECDSA-AES128-SHA
• ECDHE-ECDSA-AES256-SHA
• ECDHE-ECDSA-AES128-SHA256
• ECDHE-ECDSA-AES256-SHA384
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECC-SM4-SM3
• ECDHE-SM4-SM3

Note: Only experienced administrators should use this command. If you have any
questions regarding these settings, please call customer support BEFORE using this
command.
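
The list above contains suites that a current deployment should not leave enabled: the export-grade (EXP-), RC4, 3DES (DES-CBC3) and MD5-based suites are broken or deprecated, and the suites without ECDHE use static RSA key exchange and give no forward secrecy. The following Python script is an added example, not part of this handbook or of ArrayOS: it takes the handbook's suite list, applies a hardening policy that is this example's own assumption (not an Array Networks recommendation), and emits the colon-separated cipher_string in the form the command expects, together with the reason each suite was dropped.

```python
"""Derive a hardened cipher_string for "ssl settings ciphersuite".

Added example, not ArrayOS code.  The suite names are exactly those listed
in the handbook; the rejection rules are a common hardening policy and an
assumption of this example, not an Array Networks recommendation.
"""
from typing import Dict, List, Tuple

# Suites as listed in the handbook for "ssl settings ciphersuite".
HANDBOOK_SUITES: List[str] = [
    "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5", "EXP-RC4-MD5",
    "AES128-SHA", "AES256-SHA", "AES128-SHA256", "AES256-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECC-SM4-SM3", "ECDHE-SM4-SM3",
]


def reject_reason(suite: str, require_pfs: bool = True, allow_cbc: bool = False) -> str:
    """Return "" if the suite passes the policy, else why it is dropped.

    Rules run from most to least severe so the reported reason is the one
    that matters most.  The OpenSSL-style name is split on '-' and inspected.
    """
    parts = suite.split("-")
    if parts[0] == "EXP":
        return "export-grade key length"
    if "RC4" in parts:
        return "RC4 stream cipher is broken"
    if "DES" in parts or "CBC3" in parts:
        return "3DES has a 64-bit block (Sweet32)"
    if parts[-1] == "MD5":
        return "MD5 MAC"
    if "SM4" in parts or "SM3" in parts:
        return "GM/T national-standard suite, outside this policy"
    if require_pfs and parts[0] != "ECDHE":
        return "static RSA key exchange, no forward secrecy"
    if "GCM" not in parts:
        if not allow_cbc:
            return "CBC mode with HMAC (no AEAD)"
        if parts[-1] == "SHA":
            return "CBC with SHA-1 MAC"
    return ""


def _rank(suite: str) -> int:
    """Output preference: AEAD (GCM) first, then CBC/SHA-2, then CBC/SHA-1."""
    parts = suite.split("-")
    if "GCM" in parts:
        return 0
    return 1 if parts[-1] != "SHA" else 2


def build_cipher_string(suites: List[str] = HANDBOOK_SUITES, **policy) -> Tuple[str, Dict[str, str]]:
    """Return (cipher_string, rejected).

    cipher_string is the accepted suites joined with ':' as the CLI expects,
    strongest tier first; rejected maps each dropped suite to its reason.
    """
    kept: List[str] = []
    rejected: Dict[str, str] = {}
    for suite in suites:
        why = reject_reason(suite, **policy)
        if why:
            rejected[suite] = why
        else:
            kept.append(suite)
    kept.sort(key=_rank)  # stable sort keeps handbook order within a tier
    return ":".join(kept), rejected


def cli_command(cipher_string: str) -> str:
    """The line to enter under the virtual site."""
    return f"ssl settings ciphersuite {cipher_string}"


if __name__ == "__main__":
    cipher_string, rejected = build_cipher_string()
    print(cli_command(cipher_string))
    for suite, why in rejected.items():
        print(f"dropped {suite}: {why}")
```

With the default policy only the four ECDHE GCM suites survive; passing allow_cbc=True additionally keeps the ECDHE CBC suites with SHA-256/SHA-384 MACs for clients that lack AEAD support. Whether the appliance honours the order of the string as a server preference is not stated in the handbook, so the ordering here is only a convenience.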

ssl settings signalgo <signature_algorithm>


This command is used to set the signature algorithm that will be used in the ServerKeyExchange
message generated during SSL handshake for the current virtual site. This command takes effect
for only the negotiation of ECDHE cipher suites.

If the signature algorithm field in the ClientHello message matches multiple configured signature
algorithms, the first one configured in this command will be used. If the signature algorithm field
in the ClientHello message does not match any configured signature algorithm, the SSL
handshake will fail. Please note that this configuration takes effect only when the TLSv1.2
protocol is used.

If this command is not configured, the default signature algorithms are
“sha256ECDSA:sha256RSA:sha384ECDSA:sha384RSA:sha512ECDSA:sha512RSA:sha224ECDSA:sha224RSA:sha1ECDSA:sha1RSA”.

signature_algorithm This parameter specifies the signature algorithm that will be used in
the ServerKeyExchange message generated during SSL handshake. Its value
must be one of “sha256ECDSA”, “sha256RSA”, “sha384ECDSA”, “sha384RSA”,
“sha512ECDSA”, “sha512RSA”, “sha224ECDSA”, “sha224RSA”, “sha1ECDSA”
and “sha1RSA”. Multiple signature algorithms can be configured. To use more
than one signature algorithm, use colon “:” to separate each other.

ssl settings curves <curve_name>


This command is used to set the elliptic curve that will be used in the ServerKeyExchange
message generated during SSL handshake for the current virtual site. This command takes effect
for only the negotiation of ECDHE cipher suites.

If the elliptic curve field in the ClientHello message matches multiple configured elliptic curves,
the first one configured in this command will be used. If the elliptic curve field in the ClientHello
message does not match any configured elliptic curve, the SSL handshake will fail.

If this command is not configured, the default elliptic curves are
“secp256r1:secp384r1:secp521r1”.

curve_name This parameter specifies the name of the elliptic curve that will be
used in the ServerKeyExchange message generated during SSL handshake. Its
value must be one of “secp256r1”, “secp384r1” and “secp521r1”. Multiple
elliptic curves can be configured. To use more than one elliptic curve, use
colon “:” to separate each other.

ssl settings clientcert signalgo <signature_algorithm>


This command is used to set the signature algorithm that will be used in the CertificateRequest
message generated during SSL handshake for the current virtual site.

For TLSv1.2, the signature algorithm field in the CertificateRequest message contains all
configured signature algorithms. For SSL versions lower than TLSv1.2, the configured
signature algorithms must include sha1RSA or sha1ECDSA; otherwise, the SSL handshake will
fail.

If this command is not configured, the default signature algorithms are
“sha256ECDSA:sha256RSA:sha384ECDSA:sha384RSA:sha512ECDSA:sha512RSA:sha224ECDSA:sha224RSA:sha1ECDSA:sha1RSA”.

signature_algorithm This parameter specifies the signature algorithm that will be used in
the CertificateRequest message generated during SSL handshake. Its value
must be one of “sha256ECDSA”, “sha256RSA”, “sha384ECDSA”, “sha384RSA”,
“sha512ECDSA”, “sha512RSA”, “sha224ECDSA”, “sha224RSA”, “sha1ECDSA”
and “sha1RSA”. Multiple signature algorithms can be configured. To use more
than one signature algorithm, use colon “:” to separate each other.

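The three commands above share one selection rule: the configured list is walked in order and the first entry the ClientHello also offers wins, and no overlap means a failed handshake; the activated ECC certificate's curve must additionally be among the client's curves (see the note under “ssl activate certificate”), and for clients below TLSv1.2 the CertificateRequest configuration must contain sha1RSA or sha1ECDSA. The Python model below is an added example, not ArrayOS code: the ClientHello contents and certificate curve are constructed test data, and the behaviour of returning only the SHA-1 entries to a pre-TLSv1.2 client is this example's assumption.

```python
"""Server-preference negotiation for the ECDHE ServerKeyExchange, as
described for "ssl settings signalgo" and "ssl settings curves", plus the
CertificateRequest rule for "ssl settings clientcert signalgo".

Added example, not ArrayOS code.  ClientHello contents and the certificate
curve are constructed test data; the appliance's own handshake code may
differ in details the handbook does not describe.
"""
from typing import Iterable, List, Optional, Tuple

# Defaults quoted from the handbook (colon-separated, preference order).
DEFAULT_SIGALGS = ("sha256ECDSA:sha256RSA:sha384ECDSA:sha384RSA:sha512ECDSA:"
                   "sha512RSA:sha224ECDSA:sha224RSA:sha1ECDSA:sha1RSA")
DEFAULT_CURVES = "secp256r1:secp384r1:secp521r1"


class HandshakeFailure(Exception):
    """Raised where the handbook says the SSL handshake will fail."""


def parse_list(config: str) -> List[str]:
    """Split the colon-separated CLI form; position is server preference."""
    return [item for item in config.split(":") if item]


def first_configured(server_pref: List[str], client_offered: Iterable[str]) -> Optional[str]:
    """First entry of the configured list that the client also offers, else None."""
    offered = set(client_offered)
    for candidate in server_pref:
        if candidate in offered:
            return candidate
    return None


def negotiate_ecdhe(client_sigalgs: Iterable[str], client_curves: Iterable[str],
                    cert_curve: str, tls12: bool = True,
                    sigalgs: str = DEFAULT_SIGALGS,
                    curves: str = DEFAULT_CURVES) -> Tuple[Optional[str], str]:
    """Pick (signature_algorithm, curve) for the ServerKeyExchange message.

    Three documented checks: the activated ECC certificate's curve must be
    offered by the client; the curve list is matched by server preference;
    the signalgo list is matched the same way but only under TLSv1.2 (for
    older versions the setting has no effect, so None is returned).
    """
    client_curves = list(client_curves)
    if cert_curve not in client_curves:
        raise HandshakeFailure(f"client does not support certificate curve {cert_curve}")
    curve = first_configured(parse_list(curves), client_curves)
    if curve is None:
        raise HandshakeFailure("no configured curve offered by client")
    if not tls12:
        return None, curve
    sig = first_configured(parse_list(sigalgs), client_sigalgs)
    if sig is None:
        raise HandshakeFailure("no configured signature algorithm offered by client")
    return sig, curve


def certificate_request_sigalgs(tls12: bool, configured: str = DEFAULT_SIGALGS) -> List[str]:
    """Signature algorithms the CertificateRequest message can carry.

    TLSv1.2 advertises the whole configured list.  Older versions have no
    such field; the handbook requires sha1RSA or sha1ECDSA to be configured
    and otherwise the handshake fails.  Returning just the SHA-1 entries in
    that case is an assumption of this example.
    """
    algs = parse_list(configured)
    if tls12:
        return algs
    sha1_only = [a for a in algs if a in ("sha1RSA", "sha1ECDSA")]
    if not sha1_only:
        raise HandshakeFailure("pre-TLSv1.2 client auth needs sha1RSA or sha1ECDSA configured")
    return sha1_only


if __name__ == "__main__":
    # Client prefers sha1RSA, but the server's configured order wins.
    print(negotiate_ecdhe(["sha1RSA", "sha384RSA", "sha256RSA"],
                          ["secp384r1", "secp256r1"], "secp256r1"))  # ('sha256RSA', 'secp256r1')
```

Because the first configured match is used, the order given to “ssl settings signalgo” and “ssl settings curves” is the server's preference: putting sha1RSA last, as the default does, means it is chosen only for clients that offer nothing stronger.
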
ssl settings clientauth [subject_filter]


This command is used to enable the client authentication feature. If the host is an SSL virtual site,
all SSL clients connecting to this virtual site must present a client certificate in order to proceed
with communication. If the host is an SSL real host, it will present a certificate to the server when
requested for further communication.

In addition to basic client certificate validation, the SSL virtual site can also perform pattern
matching of the certificate “Subject” field against a set of configured filter rules. If no match is
found, client access will be denied.

subject_filter Optional. This parameter specifies one or more certificate filter
rules. Its value must be enclosed in double quotes with each rule separated
by “/” (e.g., “/C=US/ST=CA”). If more than one rule is specified, rules will
be enforced with an “AND” relationship (all rules must be matched). If this
parameter is not specified, the system will not perform filtering on the
“Subject” fields.

2000-2018 Array Networks, Inc.


45
All Rights Reserved.
Chapter 3 Virtual Site

The filter rules can be configured with any of the RDNs (Relative Distinguished Names) supported
by the AG appliances, including:

RDN               Standard Name               OID
C                 Country Name                2.5.4.6
ST                State or Province Name      2.5.4.8
L                 Locality Name               2.5.4.7
O                 Organization Name           2.5.4.10
OU                Organizational Unit Name    2.5.4.11
CN                Common Name                 2.5.4.3
SN                Serial Number               2.5.4.5
dnQualifier       DN Qualifier                2.5.4.46
Pseudonym         Pseudonym                   2.5.4.65
Title             Title                       2.5.4.12
GQ                Generation Qualifier        2.5.4.44
Initials          Initials                    2.5.4.43
Name              Name                        2.5.4.41
givenName         Given Name                  2.5.4.42
Surname           Surname                     2.5.4.4
DC                Domain Component            0.9.2342.19200300.100.1.25
emailAddress      Email Address               1.2.840.113549.1.9.1
{OID expression}  OID information, for example: 1.2.3.4

For example:

AN(config)#ssl settings clientauth "/C=US/O=Array/OU=QA/[email protected]"

In this example, all client certificates with the country name of “US”, organization name of
“Array”, organizational unit name of “QA” and email address of “[email protected]” in
the certificate “Subject" field will pass the subject filter.

AN(config)#ssl settings clientauth "/2.5.4.6=JP"

In this example, the OID “2.5.4.6” represents “Country Name”. All client certificates with the
OID “2.5.4.6” of “JP” in the certificate “Subject” field will pass the subject filter.
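
The filter semantics described above (rules separated by “/”, all rules ANDed, attribute names given either as RDN short names or as dotted OIDs) can be modelled directly. The following Python code is an added example, not ArrayOS code: it uses the RDN table from this section, treats the comparison as an exact string match (an assumption, since the handbook does not state the comparison rules), and all subjects and filters in it are constructed test data.

```python
"""Subject-filter matching as documented for "ssl settings clientauth".

Added example, not ArrayOS code.  It implements the documented semantics:
rules are "/"-separated attr=value pairs, every rule must match (AND), and an
attribute may be written by its RDN short name or by its dotted OID.  The
comparison is an exact string match, which is an assumption of this example
(the handbook does not state the comparison rules).  All subjects and
filters used here are constructed test data.
"""
import re
from typing import Dict, List, Set, Tuple

# RDN short names and OIDs from the handbook's table.
RDN_OID: Dict[str, str] = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
    "OU": "2.5.4.11", "CN": "2.5.4.3", "SN": "2.5.4.5",
    "dnQualifier": "2.5.4.46", "Pseudonym": "2.5.4.65", "Title": "2.5.4.12",
    "GQ": "2.5.4.44", "Initials": "2.5.4.43", "Name": "2.5.4.41",
    "givenName": "2.5.4.42", "Surname": "2.5.4.4",
    "DC": "0.9.2342.19200300.100.1.25", "emailAddress": "1.2.840.113549.1.9.1",
}
_OID_RE = re.compile(r"^\d+(\.\d+)+$")


def normalize_attr(name: str) -> str:
    """Map a short name or dotted OID to the OID so "C" and "2.5.4.6" compare equal."""
    if _OID_RE.match(name):
        return name
    if name in RDN_OID:
        return RDN_OID[name]
    raise ValueError(f"unsupported RDN: {name!r}")


def parse_dn(text: str) -> List[Tuple[str, str]]:
    """Parse "/C=US/O=Array/..." into [(oid, value), ...].

    An empty string means "no rules".  Values may contain '=' but not '/'
    (this simplified grammar is an assumption of the example).
    """
    if not text:
        return []
    if not text.startswith("/"):
        raise ValueError("DN must start with '/'")
    pairs: List[Tuple[str, str]] = []
    for rdn in text[1:].split("/"):
        if not rdn:
            continue
        name, sep, value = rdn.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((normalize_attr(name), value))
    return pairs


def subject_matches(subject: str, subject_filter: str) -> bool:
    """True iff every filter rule is present in the subject (AND).

    A multi-valued attribute (e.g. two OU entries) satisfies a rule if any
    of its values equals the rule's value.  An empty filter accepts every
    subject, matching the "no filtering" default of the CLI.
    """
    present: Dict[str, Set[str]] = {}
    for oid, value in parse_dn(subject):
        present.setdefault(oid, set()).add(value)
    return all(value in present.get(oid, set())
               for oid, value in parse_dn(subject_filter))


if __name__ == "__main__":
    subj = "/C=US/ST=CA/O=Array/OU=QA/CN=alice/emailAddress=qa@example.com"
    print(subject_matches(subj, "/C=US/O=Array/OU=QA/emailAddress=qa@example.com"))  # True
    print(subject_matches(subj, "/2.5.4.6=JP"))                                       # False
```

Note what the filter does not do: it only checks attributes that are named in the rules, so a subject with extra attributes still passes, and a rule on an attribute the subject lacks fails the whole filter.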

no ssl settings clientauth


This command is used to disable the client authentication feature.

ssl settings ocsp <ocsp_server>


This command is used to configure the OCSP server and enable the OCSP server online check.

After this command is executed, the AG appliance will first attempt to validate client certificates
online through the OCSP server specified in the client certificate. If this validation fails, the AG
appliance will then attempt to validate the client certificate online through the OCSP server
configured by this command.

2000-2018 Array Networks, Inc.


46
All Rights Reserved.
Chapter 3 Virtual Site

ocsp_server This parameter specifies the IP address of the OCSP server. Its
value must be an IPv4 address.

Note: If both the OCSP server and CRL check are configured, only the OCSP server will
be used to validate the certificate.

no ssl settings ocsp


This command is used to disable the OCSP server online check.

ssl import crlca [tftp_ip] [file_name]


This command is used to import a CRL CA certificate for the current virtual site.

When the AG appliance attempts to validate client certificates using the CRL (Certificate
Revocation List) issued by a CA, the CRL CA certificate is needed to verify the signature on the
CRL files.

The administrator can execute this command and copy-n-paste the CRL CA certificate of PEM
format directly into the CLI. The system also supports importing CRL CA certificate of PEM and
DER formats from a remote TFTP server.

tftp_ip Optional. This parameter specifies the IP address of the remote
TFTP server, which is required only when the CRL CA certificate is imported
via TFTP. Its value must be an IPv4 address.

file_name Optional. This parameter specifies the file name of the CRL CA
certificate on the remote TFTP server, which is required only when
the CRL CA certificate is imported via TFTP. Its value must be a
string of 1 to 256 characters, and defaults to “<host_name>.crt”.

no ssl crlca [certificate_number]


This command is used to delete an imported CRL CA certificate from the current virtual site.

certificate_number Optional. This parameter specifies the serial number of the CRL CA
certificate to be deleted. Administrators can find the serial number
of the certificate via the “show ssl crlca” command. If this
parameter is not specified, all the CRL CA certificates will be
deleted.

show ssl crlca [display_mode]


This command is used to display the CRL CA certificate imported for the current virtual site.

display_mode Optional. This parameter specifies the display mode of certificate.
Its value must be:

• complete: indicates that all the information of the certificate will be
displayed.

• simple: indicates that only Issuer, Validity and Subject of the certificate
will be displayed.

The default value is “complete”.

ssl settings crl online


This command is used to enable the CRL online check.

After this command is executed, the AG appliance will attempt to validate the certificate using the
CRL downloaded from the CDP (CRL Distribution Point) specified in the client certificate. This
command will take effect only when the client authentication feature is enabled.

Note: This command cannot be used together with the “ssl settings crl offline” command.

no ssl settings crl online


This command is used to disable the CRL online check.

ssl settings crl offline <cdp_name> <crl_distribution_point> [time_interval] [delay_time]


This command is used to enable the CRL offline check.

After this command is executed, the AG appliance will attempt to validate the certificate using the
CRL downloaded from the configured CDP at the desired time interval. HTTP, FTP and LDAP
are supported protocols to fetch the CRL files. For each virtual site, the administrator can
configure ten CDPs. This command will only take effect when the client authentication feature is
enabled.

cdp_name This parameter specifies the name of the CDP. Its value must be a
string of 1 to 32 characters. Only 0-9, a-z, A-Z and underscore “_”
are supported.

crl_distribution_point This parameter specifies the URL address of the CDP. Its value
must be a string of 1 to 512 characters.

time_interval Optional. This parameter specifies the time interval between CRL
file downloads in minutes. Its value must be an integer ranging
from 1 to 65,535, and defaults to 1440.

delay_time Optional. This parameter specifies the delay time of the CRL file
expiration in minutes. Its value must be an integer ranging from 0 to
65,535, and defaults to 0.

• When it is larger than 0, the AG appliance will check for expiration after
downloading the CRL file: if the current time is greater than the sum of the
next update time (the expiration time of this file) and the delay time, the
CRL file is expired and the AG appliance will refuse all SSL connections that
need to authenticate the client certificate via the CRL. If the current time
is less than or equal to that sum, the CRL file is valid.

• When it is equal to 0, the AG appliance will not check for expiration after
downloading the CRL file, so an outdated CRL stays in use until the next
download succeeds.

Note: Before executing this command, you must first import the CRL CA certificate via
the “ssl import crlca” command.
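
The interaction between time_interval and delay_time decides whether the site can ever be left with a CRL it will not accept. The Python model below is an added example, not ArrayOS code: it encodes the delay_time rule exactly as described above, performs the revocation lookup, and adds a scheduling check (this example's own recommendation, not a documented AG behaviour) that time_interval must not exceed the CRL's validity period plus delay_time. The CRL contents are constructed test data; no DER parsing is done.

```python
"""Offline CRL handling as described for "ssl settings crl offline":
freshness with delay_time, the revocation lookup, and a sanity check that
time_interval cannot leave the site without an acceptable CRL.

Added example, not ArrayOS code.  CRL contents are constructed test data
(no DER parsing); the scheduling check is the author's recommendation, not
a documented AG behaviour.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Timezone-aware UTC timestamp helper."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CrlSnapshot:
    """The fields of a downloaded CRL that the checks need."""
    cdp_name: str
    this_update: datetime
    next_update: datetime          # the CRL's own expiration time
    revoked_serials: FrozenSet[int]


def crl_expired(crl: CrlSnapshot, now: datetime, delay_minutes: int) -> bool:
    """delay_time rule: with delay 0 no expiration check is made; otherwise
    the CRL is expired once now > nextUpdate + delay."""
    if delay_minutes == 0:
        return False
    return now > crl.next_update + timedelta(minutes=delay_minutes)


def check_client_cert(crl: CrlSnapshot, serial: int, now: datetime, delay_minutes: int) -> str:
    """Decision for one client certificate: "accept", "revoked", or
    "refused-stale-crl" (the AG refuses every connection that needs this CRL)."""
    if crl_expired(crl, now, delay_minutes):
        return "refused-stale-crl"
    if serial in crl.revoked_serials:
        return "revoked"
    return "accept"


def schedule_is_safe(crl: CrlSnapshot, time_interval_minutes: int, delay_minutes: int) -> bool:
    """True if a fresh download is due no later than the old CRL stops being
    accepted, i.e. time_interval <= (nextUpdate - thisUpdate) + delay.

    With the defaults (1440, 0) and a CA that issues daily CRLs this is
    exactly at the limit.  A longer interval with delay > 0 produces a window
    in which every CRL-dependent connection is refused; with delay 0 the
    stale CRL simply keeps being used, which is the opposite failure mode.
    """
    validity = crl.next_update - crl.this_update
    return timedelta(minutes=time_interval_minutes) <= validity + timedelta(minutes=delay_minutes)


# Constructed test data: a daily CRL with one revoked serial.
SAMPLE_CRL = CrlSnapshot(
    cdp_name="corp_cdp",
    this_update=utc(2024, 1, 1),
    next_update=utc(2024, 1, 2),
    revoked_serials=frozenset({0x1001}),
)

if __name__ == "__main__":
    print(check_client_cert(SAMPLE_CRL, 0x2002, utc(2024, 1, 2, 1, 30), delay_minutes=60))  # refused-stale-crl
    print(schedule_is_safe(SAMPLE_CRL, 1440, 0))                                            # True
```

Pick time_interval from the CA's publication schedule (shorter than the CRL's nextUpdate minus thisUpdate) and use delay_time to absorb a late publication, rather than leaving delay_time at 0 and silently trusting an expired list.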

no ssl settings crl offline [cdp_name]


This command is used to disable the CRL offline check.

cdp_name Optional. This parameter specifies the name of the CDP. Its value
must be:

• the CDP name: indicates that CRL files will not be downloaded from the
specified CDP.

• ALL: indicates that the CRL files will not be downloaded from any CDP.

The default value is “ALL”.

show ssl crlstatus [cdp_name]


This command is used to display the information of CRL files downloaded from the specified
CDP.

cdp_name Optional. This parameter specifies the name of the CDP. Its value
must be:

• the CDP name: indicates that the system will display the CRL files
downloaded from the specified CDP.

• ALL: indicates that the system will display the CRL files downloaded from
all the CDPs.

The default value is “ALL”.

ssl settings authmandatory

2000-2018 Array Networks, Inc.


49
All Rights Reserved.
Chapter 3 Virtual Site

This command is used to enable the client mandatory authentication mode. By default, the client
mandatory authentication mode is enabled.

no ssl settings authmandatory


This command is used to disable the client mandatory authentication mode.

ssl settings acceptchain


This command is used to enable the accept certificate chain function. Once enabled, the SSL
virtual site will use the certificate chain sent by the peer during an SSL handshake to verify that
peer’s certificate: it follows the peer-supplied chain, issuer by issuer, until it reaches a CA
certificate that is in its own trusted CA list. This command will only take effect when client
authentication is enabled.

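The chain-building walk described for “ssl settings acceptchain” can be illustrated with a small model. The Python code below is an added example, not ArrayOS code: certificates are represented by subject and issuer names only and no signatures are verified, which is a simplification of the example; the rule that a locally imported intermediate takes precedence over a peer-supplied one with the same subject is likewise this example's choice, not a documented behaviour. All certificates in it are constructed test data.

```python
"""Chain building as described for "ssl settings acceptchain": walk the
chain the peer sent, issuer by issuer, until a certificate whose issuer is
in the virtual site's trusted CA list is reached.

Added example, not ArrayOS code.  Certificates are modelled by (subject,
issuer) names only and no signatures are checked, a simplification of this
example.  Preferring a locally imported intermediate over a peer-supplied
one with the same subject is also this example's choice.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(Exception):
    """Raised when no path to a trusted CA can be formed."""


def build_chain(leaf: Cert, peer_chain: Iterable[Cert], trusted: Iterable[Cert],
                accept_chain: bool = True, intermediates: Iterable[Cert] = ()) -> List[Cert]:
    """Return [leaf, ..., last cert whose issuer is in the trusted list].

    peer_chain is what the peer sent during the handshake and is consulted
    only when accept_chain is True (the function enabled); intermediates are
    the locally imported ones ("ssl import interca"); trusted is the trusted
    CA list ("ssl import rootca").  A self-signed certificate that is not in
    the trusted list never becomes an anchor, so a peer cannot introduce its
    own root.
    """
    pool: Dict[str, Cert] = {c.subject: c for c in intermediates}
    if accept_chain:
        for c in peer_chain:
            pool.setdefault(c.subject, c)  # local copy wins over peer copy
    trusted_subjects: Set[str] = {c.subject for c in trusted}

    chain, current, seen = [leaf], leaf, {leaf.subject}
    while current.issuer not in trusted_subjects:
        nxt = pool.get(current.issuer)
        if nxt is None:
            raise ChainError(f"no issuer certificate for {current.subject!r} ({current.issuer!r})")
        if nxt.subject in seen or nxt.self_signed:
            raise ChainError(f"loop or untrusted root at {nxt.subject!r}")
        chain.append(nxt)
        seen.add(nxt.subject)
        current = nxt
    return chain


if __name__ == "__main__":
    root = Cert("Root CA", "Root CA")
    inter = Cert("Inter CA", "Root CA")
    leaf = Cert("alice", "Inter CA")
    print([c.subject for c in build_chain(leaf, [inter], [root])])  # ['alice', 'Inter CA']
```

With the function disabled a client whose intermediate is not imported locally fails verification even though it sent the intermediate, which is the usual reason to enable it; the trust decision itself still rests only on the locally imported trusted CA list.
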
no ssl settings acceptchain


This command is used to disable the accept certificate chain function.

ssl settings minimum <cipher_strength> <redirect_url>


This command is used to specify the minimum encryption strength of the client. If any client
connecting to this virtual site does not support the encryption strength specified by the
“cipher_strength” parameter, it will be redirected to the URL specified by the “redirect_url”
parameter. This command should only be used with SSL virtual sites doing HTTPS.

cipher_strength This parameter specifies the minimum encryption strength in bits.
Its value must be 40, 56, 128, 168, 256 or 512.

redirect_url This parameter specifies the HTTP or HTTPS URL address to
redirect to. Its value must be a string of 1 to 512 characters.

no ssl settings minimum


This command is used to disable the minimum encryption strength requirement.

ssl settings renegotiation


This command is used to enable the SSL renegotiation function for the current virtual site. By
default, the SSL renegotiation function is disabled for the virtual site.

Note: The SM2v1.1 protocol does not support the SSL renegotiation function.

no ssl settings renegotiation


This command is used to disable the SSL renegotiation function for the current virtual site.

ssl settings reuse

2000-2018 Array Networks, Inc.


50
All Rights Reserved.
Chapter 3 Virtual Site

This command is used to enable the SSL session reuse function. By default, the SSL session reuse
function is enabled.

no ssl settings reuse


This command is used to disable the SSL session reuse function.

show ssl settings


This command is used to display the SSL settings for the current virtual site.

ssl globals sendclosenotify {on|off}


This global command is used to enable or disable the function of sending SSL close notification.
By default, this function is enabled.

ssl globals ignoreclosenotify {on|off}


This global command is used to enable or disable the function of the AG appliance ignoring the
SSL close notification sent from the client. It applies to all configured SSL virtual sites. By default,
this function is enabled.

• If this function is enabled, the AG appliance will ignore SSL close notify errors when a client
does not terminate an SSL connection correctly (or terminates an SSL connection without
sending the Close Notify Alert). Consequently, the AG appliance will continue to reuse the
associated SSL sessions.

• If this function is disabled, the AG appliance will require the connection to be closed with the
Close Notify Alert. In this case, if a client does not send the Close Notify Alert before closing
a connection then the associated SSL session will be marked as invalid and flushed.

ssl globals verifycert {on|off}


This global command is used to enable or disable the server certificate verification function. This
function is needed when the AG appliance needs to verify the certificates sent by the backend
servers. After this function is enabled, trusted root CA certificates should be imported under the
global scope. By default, this function is disabled.

ssl globals renegotiation {on|off}


This global command is used to enable or disable the SSL renegotiation function globally. By
default, this function is disabled globally.

Note: When any virtual site uses certificate authentication, the SSL renegotiation
function needs to be enabled globally.

ssl globals fastcrl {on|off}


This global command is used to enable or disable CRL memory. When enabled, the CRL files on
disk will be loaded into memory immediately. By default, this function is disabled.

ssl globals sessiontimeout <timeout>

2000-2018 Array Networks, Inc.


51
All Rights Reserved.
Chapter 3 Virtual Site

This global command is used to set the SSL session cache timeout value.

timeout This parameter specifies the timeout value in seconds. Its value
must be an integer ranging from 60 to 86,400 characters.

show ssl globals


This global command is used to display SSL global settings.

ssl start
This command is used to enable SSL service for a specific host. All services associated with this
specified SSL virtual site will be affected. The AG appliance will check the certificate chain for
the SSL virtual site when starting the virtual site. A warning message, stating that the certificate
chain is incomplete will be displayed if the certificate chain cannot be formed using the
intermediate CA file and global trusted CA file.

Note: SSL virtual site settings cannot be changed while SSL is enabled. To make
changes, SSL must first be disabled (see the “ssl stop” command below).

ssl stop
This command is used to disable the SSL service for a specific host. It will not remove the
associated information such as key and certificate data.

clear ssl
This command is used to clear the SSL configurations, including the key and certificate pair. If
this command is executed, there is no way to retrieve the key even if there is a copy of the CSR.
To reconfigure SSL for this virtual site, a new key and a replacement certificate will need to be
created.

Note: Executing this command affects all services associated with the specified SSL virtual
site.

show statistics ssl


This command is used to display all the SSL statistics for the current virtual site.

clear statistics ssl


This command is used to clear all relative SSL statistics for the current virtual site.

SM2

ssl globals sm2 {on|off}


This global command is used to enable or disable the SM2 function. By default, this function is
disabled.

2000-2018 Array Networks, Inc.


52
All Rights Reserved.
Chapter 3 Virtual Site

ssl sm2 csr [curve_name] [csr_format]


This command is used to generate an SM2 CSR and an SM2 signature key pair for the current
virtual site. Please enable the SM2 function first before executing this command. After this
command is executed, the administrator will be led through a series of prompts so that the system
can gather the required information to generate the CSR. The administrator can choose to set the
private key as exportable and set the passphrase for the private key to protect it. In addition, this
command also generates a “test” signature certificate for the virtual site.

Please refer to the “ssl csr” command for the requested data and other details displayed after this
command is executed.

curve_name Optional. This parameter specifies the curve name used by the SM2
algorithm. Its value must only be “sm2”. The default value is
“sm2”.

csr_format Optional. This parameter specifies the CSR format. Its value must
be “SCCA” or “CFCA”. The default value is “SCCA”.

ssl sm2 import enckey [key_index] [tftp_ip] [file_name]


This command is used to import an SM2 encryption key for the current virtual site. The
administrator can import three private keys at most.

The administrator can execute this command and copy-n-paste the private key directly into the
CLI. The system also supports importing private keys from a remote TFTP server.

key_index Optional. This parameter specifies the index to be associated with
the imported SM2 encryption key. Its value must be 1, 2 or 3. The default
value is 1.

tftp_ip Optional. This parameter specifies the IP address of the remote
TFTP server. This parameter needs to be specified when you want to import
the SM2 encryption key from a remote TFTP server. Its value must be an
IPv4 address.

file_name Optional. This parameter specifies the file name of the SM2
encryption key on the remote TFTP server. This parameter needs to be
specified when you want to import the SM2 encryption key from a remote
TFTP server. Its value must be a string of 1 to 256 characters. The default
value is “<host_name>.key”.

ssl sm2 export enckey [key_index]


This command is used to export an SM2 encryption key. After this command is executed, the
specified key will be displayed.

2000-2018 Array Networks, Inc.


53
All Rights Reserved.
Chapter 3 Virtual Site

key_index Optional. This parameter specifies the index of the imported SM2
encryption key to be exported. Its value must be 1, 2 or 3. If this
parameter is not specified, the active key will be displayed.

ssl sm2 import encevp [key_index] [digital_envelope_format] [tftp_ip]


[file_name]
This command is used to import an SM2 digital envelope returned by CA for the current virtual
site. Before importing the SM2 digital envelope of the SCCA format, please import the
corresponding SM2 signature key first using the “ssl sm2 import signkey” command.

The administrator can execute this command and copy-n-paste the SM2 digital envelope directly
into the CLI. The system also supports importing the SM2 digital envelope from a remote TFTP
server.

key_index Optional. This parameter specifies the index to be associated with
the imported SM2 encryption key. Its value must be 1, 2 or 3. The
default value is 1.

digital_envelope_format Optional. This parameter specifies the format of the SM2 digital
envelope obtained from the trusted CA. Its value must be “SCCA”
or “CFCA”. The default value is “SCCA”.

tftp_ip Optional. This parameter specifies the IP address of the remote
TFTP server. This parameter needs to be specified when you want
to import the SM2 digital envelope from a remote TFTP server. Its
value must be an IPv4 address.

file_name Optional. This parameter specifies the file name of the SM2 digital
envelope on the remote TFTP server. This parameter needs to be
specified when you want to import the SM2 digital envelope from a
remote TFTP server. Its value must be a string of 1 to 256
characters. The default value is “<host_name>.evp”.

ssl sm2 import enccertificate [cert_index] [tftp_ip] [file_name]


This command is used to import an SM2 encryption certificate for the current virtual site. The
administrator can import three certificates at most. The imported certificate can be activated by the
command “ssl activate certificate [cert_index]”.

The administrator can execute this command and copy-n-paste the PEM format certificate directly
into the CLI. The system also supports importing PEM, DER and PFX formats as well as the
certificates used by IIS 4, IIS 5 and Netscape iPlanet servers from a remote TFTP server.

cert_index Optional. This parameter specifies the index to be associated with
the imported SM2 encryption certificate. Its value must be 1, 2 or 3.
The default value is 1.

tftp_ip Optional. This parameter specifies the IP address of the remote
TFTP server. This parameter needs to be specified when you want
to import the SM2 encryption certificate from a remote TFTP
server. Its value must be an IPv4 address.

file_name Optional. This parameter specifies the file name of the SM2
encryption certificate on the remote TFTP server. This parameter
needs to be specified when you want to import the SM2 encryption
certificate from a remote TFTP server. Its value must be a string of
1 to 256 characters. The default value is “<host_name>.crt”.

no ssl sm2 enccertificate [cert_index]


This command is used to delete an imported SM2 encryption certificate. The corresponding SM2
encryption key pair will also be deleted.

ssl sm2 import signkey [key_index] [tftp_ip] [file_name]


This command is used to import an SM2 signature key for the current virtual site. The
administrator can import three private keys at most.

The administrator can execute this command and copy-n-paste the private key directly into the
CLI. The system also supports importing private keys from a remote TFTP server.

key_index Optional. This parameter specifies the index to be associated with
the imported SM2 signature key. Its value must be 1, 2 or 3. The
default value is 1.

tftp_ip Optional. This parameter specifies the IP address of the remote
TFTP server. This parameter needs to be specified when you want
to import the SM2 signature key from a remote TFTP server. Its
value must be an IPv4 address.

file_name Optional. This parameter specifies the file name of the SM2
signature key on the remote TFTP server. This parameter needs to
be specified when you want to import the SM2 signature key from a
remote TFTP server. Its value must be a string of 1 to 256
characters. The default value is “<host_name>.key”.

ssl sm2 export signkey [key_index]


This command is used to export an SM2 signature key. After this command is executed, the
specified key will be displayed.

key_index Optional. This parameter specifies the index of the imported SM2
signature key to be exported. Its value must be 1, 2 or 3. If this
parameter is not specified, the active key will be displayed.

ssl sm2 import signcertificate [cert_index] [tftp_ip] [file_name]


This command is used to import an SM2 signature certificate for the current virtual site. The
administrator can import three certificates at most. The imported certificate can be activated by the
command “ssl activate certificate [cert_index]”.

The administrator can execute this command and copy-n-paste the PEM format certificate directly
into the CLI. The system also supports importing PEM, DER and PFX formats as well as the
certificates used by IIS 4, IIS 5 and Netscape iPlanet servers from a remote TFTP server.

cert_index Optional. This parameter specifies the index to be associated with
the imported SM2 signature certificate. Its value must be 1, 2 or 3.
The default value is 1.

tftp_ip Optional. This parameter specifies the IP address of the remote
TFTP server. This parameter needs to be specified when you want
to import the SM2 signature certificate from a remote TFTP server.
Its value must be an IPv4 address.

file_name Optional. This parameter specifies the file name of the SM2
signature certificate on the remote TFTP server. This parameter
needs to be specified when you want to import the SM2 signature
certificate from a remote TFTP server. Its value must be a string of
1 to 256 characters. The default value is “<host_name>.crt”.

no ssl sm2 signcertificate [cert_index]


This command is used to delete an imported SM2 signature certificate. The corresponding SM2
signature key pair will also be deleted.

Chapter 4 AAA
The AAA module provides user authentication, authorization and accounting functions. The
commands in this chapter illustrate how to deploy this module.

General Settings
aaa {on|off}
This command is used to enable or disable the AAA function for the virtual site. When this
function is enabled, users will have to log in before gaining access to internal resources; when this
function is disabled, users will automatically pass authentication and obtain authorized resources
according to their assigned roles. Note that any roles depending on “Group Name” conditions will
no longer work. Roles depending on other conditions, such as “Username” (all users will be
assigned the same “guest” username), AAA method, Source IP and Login Time, still work as
before. By default, this function is enabled.

show aaa configure


This command is used to display the AAA configurations of the virtual site.

clear aaa configure


This command is used to clear the AAA configurations of the virtual site.

AAA Lockout

Note:

• If AAA lockout and LocalDB lockout are both configured, only the configurations of
AAA lockout will take effect.

• The AAA lockout function cannot take effect for the certificate authentication.

• The configurations of AAA lockout cannot be synchronized to the peer HA units.

• For the two-step SMS authentication, the AAA lockout function takes effect only for
the static authentication, such as LocalDB and LDAP, and cannot take effect for the
SMS verification code authentication.

• For AAA servers with multiple AAA methods configured, the AAA lockout function
takes effect for all AAA methods in the rank list.

• With the system reboot, the recorded number of login failures of all AAA accounts
will be cleared.

aaa lockout auto loginfailure [failure_times] [duration]

This command is used to enable automatic login-failure lockout for all AAA accounts. A AAA
account will be locked out after the number of login failures using this account reaches the
specified value of the parameter “failure_times”. By default, this function is disabled.

failure_times Optional. This parameter specifies the number of login failures for
locking out AAA accounts. Its value must be an integer ranging
from 1 to 65,535. The default value is 10.

duration Optional. This parameter specifies the duration of the lockout in
seconds. Its value must be an integer ranging from 0 to
4,294,967,295. The default value is 0, indicating that the AAA
account will remain locked out until being manually unlocked by
using the command “aaa lockout unlock”.

no aaa lockout auto loginfailure


This command is used to disable automatic login-failure lockout for all AAA accounts.

show aaa lockout auto loginfailure


This command is used to display the configuration of automatic login-failure lockout for all AAA
accounts.

aaa lockout manual <account_name> [duration]


This command is used to manually lock out a specified AAA account for a specific duration.

account_name This parameter specifies the name of the AAA account to be locked
out.

duration Optional. This parameter specifies the duration of the lockout in
seconds. Its value must be an integer ranging from 0 to
4,294,967,295. The default value is 0, indicating that the account
will be locked out until being manually unlocked by using the
command “aaa lockout unlock [account_name]”.

aaa lockout list [lockout_type] [account_name] [start] [count]


This command is used to display the currently locked AAA accounts.

lockout_type Optional. This parameter specifies the type of the locked AAA
accounts. Its value must be “auto”, “manual” or “all”. The default
value is “all”, indicating that all types of locked AAA accounts will
be displayed.

account_name Optional. This parameter specifies the name of the locked AAA
account. Its value must be a case-sensitive string of 1 to 64
characters.

• If the parameter is specified, the specified locked AAA
account will be displayed.

• If the parameter is not specified, all locked AAA accounts will
be displayed.

The default value is empty.

start Optional. This parameter specifies the position in the list of locked
AAA accounts at which the display starts. Its value must be an
integer ranging from 1 to 4,294,967,295 and the default value is 1.

count Optional. This parameter specifies the number of locked AAA
accounts to be displayed. Its value must be an integer ranging from
1 to 4,294,967,295. The default value is 0, indicating all locked
AAA accounts will be displayed.

aaa lockout unlock [account_name]


This command is used to unlock a previously locked AAA account.

account_name Optional. This parameter specifies the name of the AAA account to
be unlocked. The default value is empty, indicating all locked AAA
accounts will be unlocked.

show aaa lockout count


This command is used to display the statistics of locked AAA accounts.
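The lockout commands above describe a small state machine: a per-account failure counter, an automatic lock once that counter reaches “failure_times”, a “duration” whose value 0 means the lock survives until “aaa lockout unlock”, manual locks, and a list filtered by lockout type. The following Python is an added illustration of those rules and is not Array Networks code; the appliance keeps this state internally. It assumes, because the handbook does not say, that a successful login resets the failure counter, that an expired timed lock also resets it, and that attempts made while an account is locked are refused without being counted. Time is passed in by the caller as whole seconds so the behaviour is deterministic.

```python
"""Offline model of the documented AAA login-failure lockout rules.

Added illustration, not Array Networks code. Assumptions not stated in the
handbook: a successful login resets the failure counter, an expired timed
lockout resets it too, and attempts made while locked are refused unconnted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

UNTIL_MANUAL_UNLOCK = 0  # duration 0 = locked until "aaa lockout unlock"


@dataclass
class LockoutRecord:
    failures: int = 0
    lock_type: Optional[str] = None   # "auto", "manual" or None when not locked
    expires_at: Optional[int] = None  # absolute time in seconds; None = no expiry


@dataclass
class AaaLockout:
    """State behind 'aaa lockout auto loginfailure [failure_times] [duration]'."""
    auto_enabled: bool = False           # disabled by default, as documented
    failure_times: int = 10              # documented default
    duration: int = UNTIL_MANUAL_UNLOCK  # documented default
    records: Dict[str, LockoutRecord] = field(default_factory=dict)

    def _record(self, account: str) -> LockoutRecord:
        return self.records.setdefault(account, LockoutRecord())

    def is_locked(self, account: str, now: int) -> bool:
        """True while the account is locked; timed lockouts expire lazily."""
        rec = self.records.get(account)
        if rec is None or rec.lock_type is None:
            return False
        if rec.expires_at is not None and now >= rec.expires_at:
            # Assumption: an elapsed lockout also clears the failure counter.
            rec.lock_type, rec.expires_at, rec.failures = None, None, 0
            return False
        return True

    def record_login(self, account: str, success: bool, now: int) -> bool:
        """Feed one authentication result. Returns False when the attempt is
        refused because the account is locked, True when it was admitted."""
        if self.is_locked(account, now):
            return False
        rec = self._record(account)
        if success:
            rec.failures = 0  # assumption: a good login clears the counter
            return True
        rec.failures += 1
        if self.auto_enabled and rec.failures >= self.failure_times:
            rec.lock_type = "auto"
            rec.expires_at = (None if self.duration == UNTIL_MANUAL_UNLOCK
                              else now + self.duration)
        return True

    def lock_manual(self, account: str, now: int,
                    duration: int = UNTIL_MANUAL_UNLOCK) -> None:
        """'aaa lockout manual <account_name> [duration]'."""
        rec = self._record(account)
        rec.lock_type = "manual"
        rec.expires_at = None if duration == UNTIL_MANUAL_UNLOCK else now + duration

    def unlock(self, account: Optional[str] = None) -> None:
        """'aaa lockout unlock [account_name]': one account, or all when omitted."""
        targets = [account] if account is not None else list(self.records)
        for name in targets:
            if name in self.records:
                self.records[name] = LockoutRecord()

    def list_locked(self, now: int, lockout_type: str = "all") -> List[str]:
        """'aaa lockout list [lockout_type]' with lockout_type auto, manual or all."""
        return sorted(
            name for name in list(self.records)
            if self.is_locked(name, now)
            and (lockout_type == "all" or self.records[name].lock_type == lockout_type)
        )


if __name__ == "__main__":
    # Constructed walk-through: three failures lock "alice" for 60 seconds.
    lk = AaaLockout(auto_enabled=True, failure_times=3, duration=60)
    for t in range(3):
        lk.record_login("alice", success=False, now=t)
    print("locked at t=2:", lk.is_locked("alice", 2),
          "locked at t=70:", lk.is_locked("alice", 70))
```

The model makes the operational trade-off of “duration” visible: with the default 0, every automatic lock becomes an administrator task, while a finite value turns the same setting into a rate limiter that an attacker can also use to deny service to a known username, so the value chosen should be reviewed together with the account naming scheme and the HA caveat in the note above (lock state is not synchronized to peer units).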

Server
aaa server name <type> <server_name> [description]
This command is used to define a AAA server of a particular type.

type This parameter specifies the type of the AAA server. Its value must
only be:

• localdb

• ldap

• radius

• certificate

• sms

• smx

• http

server_name This parameter specifies the name of the AAA server, which must
be unique among all servers in the same virtual site. Its value must
be a string of 1 to 32 characters.

For LocalDB, the server name must be the same as the virtual site
name. In addition, only one LocalDB server can be defined per
virtual site.

For SMX, the characters for the server name must only contain 0-9,
a-z, A-Z, and characters “_” and “-”.

description Optional. This parameter specifies the server description. Its value
must be a string of 1 to 127 characters. If it is not specified, the
default description will be the value of “server_name”.

Note: Please ensure that the SSL renegotiation feature has been enabled both globally
and for the virtual site under the following conditions:

• Multiple AAA methods are configured and one of them uses the Certificate
authentication (whether the AAA method uses Certificate authentication alone or as
one factor of multi-factor authentication).

• The AAA rank function is disabled.

no aaa server name <server_name>


This command is used to delete a specified AAA server.

show aaa server name


This command is used to display all the configured AAA servers.

LocalDB
LocalDB Server

aaa server localdb usernamecaseinsensitive


This command is used to set the username as case-insensitive during the LocalDB authentication.

Note: Please delete LocalDB accounts with usernames different only in case sensitivity
before this command is configured.

no aaa server localdb usernamecaseinsensitive


This command is used to set the username as case-sensitive during the LocalDB authentication.

aaa server localdb defaultgroup <default_group>


This command is used to define the default group assigned to authenticated users who do not
belong to any other LocalDB group.

default_group This parameter specifies the name of the default LocalDB group. Its
value must be a string of 1 to 80 characters.

no aaa server localdb defaultgroup


This command is used to delete the default LocalDB group configured for authenticated users who
do not belong to any other LocalDB group.

show aaa server localdb defaultgroup


This command is used to display the default LocalDB group configured for authenticated users
who do not belong to any other LocalDB group.

aaa server localdb authmode [mode]


This command is used to set the mode of the LocalDB authentication. If this command is not
configured, the LocalDB server uses only the static password for authentication.

mode Optional. This parameter specifies the mode of the LocalDB
authentication. Its value must be:

• 0: indicates that users only need to input the static password to
log into the virtual site.

• 1: indicates that users only need to input the dynamic
password (generated by the MotionProOTP application
installed on the mobile phone) to log into the virtual site. For
example, if the dynamic code is “768950”, users should input
“768950” to log into the virtual site.

• 2: indicates that users need to input both the static password
and dynamic password to log into the virtual site. For example,
if the static password is “a” and the dynamic code is “768950”,
users should input “a768950” to log into the virtual site.

The default value is 0.

show aaa server localdb authmode


This command is used to display the mode of the LocalDB authentication.
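In mode 2 the user types the static password and the dynamic code as one string (“a” + “768950” gives “a768950”), so a verifier has to split that single field. The example below is added here and is not Array Networks code; it shows that the split is unambiguous without knowing the code length, because the server already knows the account's static password and can take exactly that many leading characters. The dynamic-code check is a caller-supplied function (here a constructed stub that accepts “768950”), and both factors are compared with hmac.compare_digest so that a wrong static part does not short-circuit and reveal, through timing, which factor failed; these are assumptions of the example, not behaviour stated in the handbook.

```python
"""Verifier for the three documented LocalDB authentication modes.

Added example, not Array Networks code. Assumptions: the dynamic code is
checked by a caller-supplied function, and both factors are always
evaluated with constant-time comparison.
"""
import hmac
from typing import Callable


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison (encode first: compare_digest needs ASCII str or bytes)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def verify_localdb(mode: int, submitted: str, static_password: str,
                   otp_is_valid: Callable[[str], bool]) -> bool:
    """Return True when the submitted password field satisfies the configured mode."""
    if mode == 0:   # static password only
        return _same(submitted, static_password)
    if mode == 1:   # dynamic code only, e.g. "768950"
        return otp_is_valid(submitted)
    if mode == 2:   # static password immediately followed by the code, e.g. "a768950"
        n = len(static_password)
        if len(submitted) <= n:
            return False  # nothing left over for the dynamic code
        static_part, dynamic_part = submitted[:n], submitted[n:]
        static_ok = _same(static_part, static_password)  # evaluate both factors,
        otp_ok = otp_is_valid(dynamic_part)               # do not short-circuit
        return static_ok and otp_ok
    raise ValueError("mode must be 0, 1 or 2")


def demo_otp_is_valid(code: str) -> bool:
    """Constructed stand-in for the MotionProOTP check; a real verifier would
    compute the expected code from the account's registered credential."""
    return _same(code, "768950")
```

Because the split is taken from the stored static password, a static password ending in digits (for example “pw7” followed by “768950”) is handled correctly; a verifier that instead assumed a fixed code length would have to reject or misparse such inputs.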

aaa server localdb dynamiccode rebind {enable|disable}

This command is used to enable or disable the dynamic code rebinding for LocalDB accounts.
With this function enabled, after logging into the MotionProOTP application in one mobile client,
the user can also log into the MotionProOTP application in another mobile client with the same
LocalDB account. The old registered credential of the user will be replaced by the new registered
credential. By default, this function is disabled.

LocalDB Account

localdb account <account_name> <password> [phone] [mail] [nfs_group] [nfs_account] [custom_info1] [custom_info2] [custom_info3] [custom_info4] [custom_info5]

This command is used to create a new LocalDB account or update the existing LocalDB account.

If the administrator wants to use LocalDB authentication or the Site2Site VPN function, this
command must be configured. For the Site2Site VPN function, a LocalDB account should be
configured for each spoke to log into the virtual site.

account_name This parameter specifies the name of the LocalDB account to be
created or updated. Its value must be a case-sensitive string of 1 to
64 characters.

password This parameter specifies the password of the LocalDB account. Its
value must be a case-sensitive string of 1 to 32 characters enclosed
by double quotes. Only 0-9, a-z, A-Z, the space character and some
special printable ASCII characters such as ! @ # $ % ^ & * ( ) _ - ~
= { } [ ] | \ / ? : ; ’ ` < > , . are allowed.

phone Optional. This parameter specifies the telephone number of the
LocalDB account. Its value must be a string of 1 to 32 characters
enclosed by double quotes. Only numbers, spaces, “+” and “-” are
allowed. The default value is empty.

mail Optional. This parameter specifies the mail address of the LocalDB
account in the format of “[email protected]”. Its value must be a string
of 1 to 128 characters enclosed by double quotes. The default value
is empty.

nfs_group Optional. This parameter specifies the NFS (Network File System)
group ID of the LocalDB account. Its value must be an integer
ranging from 0 to 65,535. The default value is 0.

nfs_account Optional. This parameter specifies the NFS (Network File System)
account of the LocalDB account. Its value must be an integer
ranging from 0 to 65,535. The default value is 0.

custom_info1 Optional. This parameter specifies the customized user information
of the LocalDB account. Its value must be a string of 1 to 256
characters. The default value is empty.

custom_info2 Optional. This parameter specifies the customized user information
of the LocalDB account. Its value must be a string of 1 to 256
characters. The default value is empty.

custom_info3 Optional. This parameter specifies the customized user information
of the LocalDB account. Its value must be a string of 1 to 256
characters. The default value is empty.

custom_info4 Optional. This parameter specifies the customized user information
of the LocalDB account. Its value must be a string of 1 to 256
characters. The default value is empty.

custom_info5 Optional. This parameter specifies the customized user information
of the LocalDB account. Its value must be a string of 1 to 256
characters. The default value is empty.

no localdb account <account_name>


This command is used to delete an existing LocalDB account.

show localdb account [account_name] [group_name] [start] [count] [column] [index]

This command is used to display the specified LocalDB account.

account_name Optional. This parameter specifies a string to match the existing
LocalDB accounts. Its value must be a case-sensitive string of 1 to
64 characters.

• If the parameter is specified, LocalDB accounts whose names
include this string will be displayed.

• If the parameter is not specified, all LocalDB accounts will be
displayed.

The default value is empty.

group_name Optional. This parameter specifies the name of the LocalDB group
to which the LocalDB accounts to be displayed belong.

• If this parameter is specified, only LocalDB accounts belonging
to the LocalDB group will be displayed.

• If this parameter is not specified, the displayed LocalDB
accounts will not be filtered by the LocalDB group.

The default value is empty.

start Optional. This parameter specifies the position in the list of
LocalDB accounts at which the display starts. Its value must be an
integer ranging from 1 to 4,294,967,295 and the default value is 1.

count Optional. This parameter specifies the number of LocalDB accounts
to be displayed. Its value must be an integer ranging from 1 to
4,294,967,295. The default value is 0, indicating all LocalDB
accounts will be displayed.

column Optional. This parameter specifies the columns of a LocalDB
account entry to be displayed. This parameter supports the
following columns, each represented in the parameter value by the
letter in brackets: user_name(U), telephone(T), e-mail(E),
nfs_info(N), custom_info1-5(C), assigned_group(G),
force_passwd_change(F), lockout_manual(M),
lockout_manual_expires_time(L), passwd_expire_time(P), ip(I),
netmask(K), and user_passwd(W). The parameter value is
case-sensitive and can contain multiple column letters. The default
value is “UTENC”.

index Optional. This parameter specifies how to sort the displayed
LocalDB accounts in the output. This parameter supports sorting
LocalDB accounts by: user_name (alphabetical or U),
create_time(time), telephone(T), e-mail(E),
custom_info1-5(custom_info1-5),
lockout_manual_expires_time(L), passwd_expire_time(P), ip(I), or
netmask(K). This parameter value is case-insensitive and the
default value is “alphabetical”.

clear localdb account


This command is used to delete all existing LocalDB accounts.

show statistics localdb account [account_name] [group_name]


This command is used to display the LocalDB account statistics.

account_name Optional. This parameter specifies a string to match the existing
LocalDB accounts. Its value must be a case-sensitive string of 1 to
64 characters.

• If this parameter is specified, the statistics of LocalDB accounts
whose names include this string will be displayed.

• If the parameter is not specified, the statistics of all LocalDB
accounts will be displayed.

The default value is empty.

group_name Optional. This parameter specifies the name of the LocalDB group
to which the LocalDB accounts to be displayed belong.

• If this parameter is specified, only the statistics of LocalDB
accounts belonging to the LocalDB group will be displayed.

• If this parameter is not specified, the displayed LocalDB
account statistics will not be filtered by the LocalDB group.

The default value is empty.

localdb update accountname <account_name> <new_account_name>


This command is used to change the name of the specified LocalDB account.

account_name This parameter specifies the original LocalDB account name.

new_account_name This parameter specifies the new account name for the LocalDB
account. Its value must be a string of 1 to 64 characters.

localdb update password <account_name> <new_password>


This command is used to change the password of the specified LocalDB account. If the command
“localdb passwdqc oldpasswd” is configured, the new password must not be the same as the old
password.

account_name This parameter specifies the name of the LocalDB account.

new_password This parameter specifies the new password of the LocalDB account.
Its value must be a case-sensitive string of 1 to 32 characters
enclosed by double quotes. Only 0-9, a-z, A-Z, the space character
and some special printable ASCII characters such as ! @ # $ % ^ &
* ( ) _ - + = { } [ ] | \ / ? : ; ’ < > , . are allowed. The string cannot
contain any of the characters “ ~ `”.

 LocalDB Group

localdb group <group_name> [nfs_group]


This command is used to add a LocalDB group.

group_name This parameter specifies the name of the LocalDB group. Its value
must be a case-sensitive string of 1 to 64 characters.

nfs_group Optional. This parameter specifies the name of the NFS file share
group. Its value must be an integer ranging from 0 to 65,535. The
default value is 0.

no localdb group <group_name>


This command is used to delete a specified LocalDB group.

show localdb group [group_name] [account_name] [start] [count] [column] [index]

This command is used to display the specified LocalDB group.

group_name Optional. This parameter specifies a string to match the existing
LocalDB groups. Its value must be a case-sensitive string of 1 to 64
characters.

• If this parameter is specified, the LocalDB groups whose
names include the string will be displayed.

• If this parameter is not specified, all LocalDB groups will be
displayed.

The default value is empty.

account_name Optional. This parameter specifies the name of the LocalDB
account.

• If this parameter is specified, only LocalDB groups including
the specified LocalDB account will be displayed.

• If this parameter is not specified, the displayed LocalDB
groups will not be filtered by the LocalDB account.

The default value is empty.

start Optional. This parameter specifies the position in the list of
LocalDB groups at which the display starts. Its value must be an
integer ranging from 1 to 4,294,967,295. The default value is 1.

count Optional. This parameter specifies the number of LocalDB groups
to be displayed. Its value must be an integer ranging from 1 to
4,294,967,295. The default value is 0, indicating all LocalDB
groups will be displayed.

column Optional. This parameter specifies the columns of a LocalDB group
entry to be displayed. This parameter supports the following
columns, each represented in the parameter value by the letter in
brackets: user_name(U), telephone(T), e-mail(E),
nfs_info(N), custom_info1-5(C), assigned_group(G),
force_passwd_change(F), lockout_manual(M),
lockout_manual_expires_time(L), passwd_expire_time(P), ip(I),
netmask(K), and user_passwd(W). The parameter value is
case-sensitive and can contain multiple column letters. The default
value is “UTENC”.

index Optional. This parameter specifies how to sort the displayed
LocalDB groups in the output. This parameter supports sorting
LocalDB groups by: user_name (alphabetical or U),
create_time(time), telephone(T), e-mail(E),
custom_info1-5(custom_info1-5),
lockout_manual_expires_time(L), passwd_expire_time(P), ip(I) or
netmask(K). This parameter value is case-insensitive and the
default value is “alphabetical”.

clear localdb group


This command is used to delete all existing LocalDB groups.

localdb update groupname <group_name> <new_group_name>


This command is used to change the name of an existing LocalDB group.

group_name This parameter specifies the original name of the LocalDB group.
Its value must be a string of 1 to 64 characters.

new_group_name This parameter specifies the new name of the LocalDB group. Its
value must be a string of 1 to 64 characters.

localdb member <group_name> <account_name>


This command is used to associate an existing LocalDB account with an existing LocalDB group.
One LocalDB account can be associated with 20 LocalDB groups.

group_name This parameter specifies the name of the LocalDB group. Its value
must be a string of 1 to 64 characters.

account_name This parameter specifies the name of the LocalDB account. Its
value must be a string of 1 to 64 characters.

no localdb member <group_name> <account_name>

This command is used to disassociate an existing LocalDB account from an existing LocalDB
group.

show localdb member account [account_name]


This command is used to display the associations of LocalDB groups with the specified LocalDB
account. If the “account_name” parameter is not specified, all associations between LocalDB
groups and accounts in the LocalDB will be displayed.

show localdb member group [group_name]


This command is used to display the associations of LocalDB accounts with the specified
LocalDB group. If the “group_name” parameter is not specified, all associations between
LocalDB groups and accounts in the LocalDB will be displayed.

clear localdb member [group_name]


This command is used to disassociate all LocalDB accounts from the specified LocalDB group. If
the “group_name” parameter is not specified, all LocalDB accounts are disassociated with all
LocalDB groups.

show statistics localdb group [group_name] [account_name]


This command is used to display the LocalDB group statistics.

group_name Optional. This parameter specifies a string to match the existing
LocalDB groups. Its value must be a case-sensitive string of 1 to 64
characters.

• If this parameter is specified, the statistics of LocalDB groups
whose names include the string will be displayed.

• If this parameter is not specified, the statistics of all LocalDB
groups will be displayed.

The default value is empty.

account_name Optional. This parameter specifies the name of the LocalDB
account.

• If this parameter is specified, only the statistics of LocalDB
groups including the specified LocalDB account will be displayed.

• If this parameter is not specified, the displayed LocalDB group
statistics will not be filtered by the LocalDB account.

The default value is empty.

LocalDB Account Password Settings

localdb passwdqc length [length]

This command is used to enable the password checking policy requiring a minimum password
length. By default, this policy is disabled. After this command is configured, to update the
password of the existing LocalDB account or create a new account, the length of the new
password must be greater than or equal to the value specified by the parameter “length”.

length Optional. This parameter specifies the minimum length of the
LocalDB account password. Its value must be an integer ranging
from 1 to 32. The default value is 8.

no localdb passwdqc length


This command is used to disable the password checking policy requiring a minimum password
length.

localdb passwdqc upperchar


This command is used to enable the password checking policy requiring at least one upper-case
character in the LocalDB account password. By default, this policy is disabled. After this
command is configured, to update the password of the existing LocalDB account or create a new
account, the new password must include at least one upper-case letter.

no localdb passwdqc upperchar


This command is used to disable the password checking policy requiring at least one upper-case
letter in the LocalDB account password.

localdb passwdqc lowerchar


This command is used to enable the password checking policy requiring at least one lower-case
character in the LocalDB account password. By default, this policy is disabled. After this
command is configured, to update the password of the existing LocalDB account or create a new
account, the new password must include at least one lower-case character.

no localdb passwdqc lowerchar


This command is used to disable the password checking policy requiring at least one lower-case
letter in the LocalDB account password.

localdb passwdqc numchar


This command is used to enable the password checking policy requiring at least one numeric
character in the LocalDB account password. By default, this policy is disabled. After this
command is configured, to update the password of the existing LocalDB account or create a new
account, the new password must include at least one numeric character.

no localdb passwdqc numchar


This command is used to disable the password checking policy requiring at least one numeric
character in the LocalDB account password.

localdb passwdqc nonalphanum

This command is used to enable the password checking policy requiring at least one
non-alphanumeric character in the LocalDB account password. By default, this policy is disabled.
After this command is configured, to update the password of the existing LocalDB account or
create a new account, the new password must include at least one non-alphanumeric character.

no localdb passwdqc nonalphanum


This command is used to disable the password checking policy requiring at least one
non-alphanumeric character in the LocalDB account password.

localdb passwdqc username


This command is used to enable the password checking policy requiring that the username cannot
be a subset of the password. By default, this policy is disabled. After this command is configured,
to update the password of the existing LocalDB account or create a new account, the new
password cannot include the account name.

no localdb passwdqc username


This command is used to disable the password checking policy requiring that the username cannot
be a subset of the password.

localdb passwdqc oldpasswd


This command is used to enable the password checking policy requiring that the new password
cannot be the same as the old password. By default, this policy is disabled. After this command is
configured, to update the password of the existing LocalDB account or create a new account, the
new password cannot be the same as the old password.

no localdb passwdqc oldpasswd


This command is used to disable the password checking policy requiring that the new LocalDB
account password cannot be the same as the old password.

localdb passwdqc minunique [unique_char]


This command is used to enable the password checking policy requiring that a minimum number
of unique characters be included in the LocalDB account password. By default, this policy is
disabled. After this command is configured, to update the password of the existing LocalDB
account or create a new account, the new password must include at least the number of unique
characters specified by the parameter “unique_char”.

unique_char Optional. This parameter specifies the minimum number of unique
characters. Its value must be a number between 1 and 32. The
default value is 5.

no localdb passwdqc minunique


This command is used to disable the password checking policy requiring that a minimum number
of unique characters be included in the LocalDB account password.

2000-2018 Array Networks, Inc.


70
All Rights Reserved.
Chapter 4 AAA

localdb passwdqc all


This command is used to enable all the above password checking policies.

no localdb passwdqc all


This command is used to disable all the above password checking policies.

show localdb passwdqc


This command is used to display all the configured password checking policies.

clear localdb passwdqc


This command is used to clear all password checking policies.
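The six passwdqc policies above are simple enough to state as code, which makes their interaction (all disabled by default, minunique defaulting to 5, the username check being a substring test) easier to reason about. The Python checker below is an added example written for this page; it is not code from Array Networks or the AG product. It returns the list of enabled policies a candidate password violates, so a caller can report every failure at once. The policy names used as return values and the case-insensitive comparison in the username check are this example's own choices; the handbook does not say how case is treated.

```python
"""Password-quality checks mirroring the LocalDB 'passwdqc' policies (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswdqcPolicy:
    """Which checks are enabled. All are off by default, as in the CLI."""
    lowerchar: bool = False            # localdb passwdqc lowerchar
    numchar: bool = False              # localdb passwdqc numchar
    nonalphanum: bool = False          # localdb passwdqc nonalphanum
    username: bool = False             # localdb passwdqc username
    oldpasswd: bool = False            # localdb passwdqc oldpasswd
    minunique: Optional[int] = None    # localdb passwdqc minunique [unique_char]; None = disabled

    def __post_init__(self) -> None:
        if self.minunique is not None and not 1 <= self.minunique <= 32:
            raise ValueError("unique_char must be between 1 and 32")

    @classmethod
    def all_enabled(cls, unique_char: int = 5) -> "PasswdqcPolicy":
        """Equivalent of 'localdb passwdqc all' (minunique keeps its default of 5)."""
        return cls(True, True, True, True, True, unique_char)


def check_password(policy: PasswdqcPolicy, new_password: str, account_name: str,
                   old_password: Optional[str] = None) -> List[str]:
    """Return the names of the enabled policies the candidate violates; [] means accepted."""
    failures: List[str] = []
    if policy.lowerchar and not any(c.islower() for c in new_password):
        failures.append("lowerchar")
    if policy.numchar and not any(c.isdigit() for c in new_password):
        failures.append("numchar")
    if policy.nonalphanum and not any(not c.isalnum() for c in new_password):
        failures.append("nonalphanum")
    # Assumption: the "username is a subset of the password" test is done
    # case-insensitively; the CLI text does not say how case is treated.
    if policy.username and account_name and account_name.lower() in new_password.lower():
        failures.append("username")
    if policy.oldpasswd and old_password is not None and new_password == old_password:
        failures.append("oldpasswd")
    if policy.minunique is not None and len(set(new_password)) < policy.minunique:
        failures.append("minunique")
    return failures


if __name__ == "__main__":
    strict = PasswdqcPolicy.all_enabled()
    for candidate in ("PASSWORD", "alice2024!", "aaaa1!"):
        print(candidate, "->", check_password(strict, candidate, "alice") or "accepted")
```

Because the checker reports every violated policy rather than stopping at the first, a password-change prompt built on it can tell the user exactly which of the enabled rules still need to be met.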

localdb passwdexpire age [account_name] [duration] [mode]


This command is used to set the password expiration age for a specified LocalDB account.

account_name Optional. This parameter specifies the name of an existing LocalDB
account. The default value is empty, indicating the password
expiration age is set for all LocalDB accounts.

duration Optional. This parameter specifies the expiration age (counted from
the last password change) of the LocalDB account password in
seconds. Its value must be an integer ranging from 1 to
2,147,483,647. The default value is 99,999,999.

mode Optional. This parameter specifies when the expiration applies. The
parameter value must be empty or “repeat”. If this parameter is
empty, the LocalDB user will be asked to change the password once,
when the password expiration age has elapsed since the user last
changed the password. When this parameter is set to “repeat”, the
LocalDB user will be asked to change the password every time the
password expiration age has elapsed since the last password change.
The default value is empty.

no localdb passwdexpire age <account_name>


This command is used to delete the password expiration age configuration for a specified
LocalDB account.

show localdb passwdexpire age [account_name] [mode]


This command is used to display the password expiration age configuration for a specified
LocalDB account. If the “account_name” parameter is not specified, the password expiration age
configuration for all LocalDB accounts will be displayed.

clear localdb passwdexpire age

2000-2018 Array Networks, Inc.


71
All Rights Reserved.
Chapter 4 AAA

This command is used to delete the password expiration age configuration for all LocalDB
accounts.

localdb passwdexpire nextlogin [account_name]


This command is used to enable forcible password expiration upon next login for the specified
LocalDB account. The LocalDB user will be asked to change the password on next login. By
default, this function is disabled.

account_name Optional. This parameter specifies the name of an existing LocalDB
account. The default value is empty, indicating that forcible
password expiration upon next login will be enabled for all LocalDB
accounts.

no localdb passwdexpire nextlogin <account_name>


This command is used to disable forcible password expiration upon next login for the specified
LocalDB account.

show localdb passwdexpire nextlogin [account_name]


This command is used to display the configuration of forcible password expiration upon next login
for the specified LocalDB account. If the “account_name” parameter is not specified, the
password configuration of expiration upon next login for all LocalDB accounts will be displayed.

clear localdb passwdexpire nextlogin


This command is used to delete the configuration of password expiration upon next login for all
LocalDB accounts.

LocalDB Lockout

localdb lockout auto idletime [idle_time] [duration]


This command is used to enable auto idle lockout for all LocalDB accounts. LocalDB accounts
will be locked out when the idle time is up. By default, this function is disabled.

idle_time Optional. This parameter specifies the idle time after which the
LocalDB account will be locked out, in seconds. Its value must be
an integer ranging from 1 to 4,294,967,295. The default value is
99,999,999.

duration Optional. This parameter specifies the duration of the lockout, in
seconds. Its value must be an integer ranging from 0 to
4,294,967,295. If its value is set to “0”, then the LocalDB account
will remain locked out until being manually unlocked by using the
command “localdb lockout unlock [account_name]”. The default
value is 0.

2000-2018 Array Networks, Inc.


72
All Rights Reserved.
Chapter 4 AAA

no localdb lockout auto idletime


This command is used to disable the auto idle lockout for all LocalDB accounts.

show localdb lockout auto idletime


This command is used to display the configuration of the auto idle lockout for all LocalDB
accounts.

localdb lockout auto loginfailure [failure_times] [duration]


This command is used to enable auto login failure lockout for all LocalDB accounts. LocalDB
accounts will be locked out after reaching the number of login failures specified by the parameter
“failure_times”. By default, this function is disabled.

failure_times Optional. This parameter specifies the number of login failures after
which the LocalDB account is locked out. Its value must be an
integer ranging from 1 to 65,535. The default value is 10.

duration Optional. This parameter specifies the duration of the lockout in
seconds. Its value must be an integer ranging from 0 to
4,294,967,295. The default value is 0, indicating that the LocalDB
account will remain locked out until being manually unlocked by
using the command “localdb lockout unlock [account_name]”.

no localdb lockout auto loginfailure


This command is used to disable auto login failure lockout for all LocalDB accounts.

show localdb lockout auto loginfailure


This command is used to display the configuration of auto login failure lockout for all LocalDB
accounts.

localdb lockout manual [account_name] [duration]


This command is used to manually lock out a specified LocalDB account for a specific duration.

account_name Optional. This parameter specifies the name of the account to be
locked out. The default value is empty, indicating all LocalDB
accounts will be locked out.

duration Optional. This parameter specifies the duration in seconds for
which the account will be locked out. Its value must be an integer
ranging from 0 to 4,294,967,295. If its value is set to “0”, the
LocalDB account will be locked out until being manually unlocked
by using the command “localdb lockout unlock [account_name]”.
The default value is 0.

show localdb lockout manual [account_name]


This command is used to display the lockout duration of a specified LocalDB account. If the
“account_name” parameter is not specified, the lockout duration of all LocalDB accounts will be
displayed.

localdb lockout list [type] [username] [start] [count]


This command is used to display the currently locked LocalDB accounts.

type Optional. This parameter specifies the lockout type of the locked
LocalDB accounts to be displayed. Its value must only be:

- “loginfailure”: indicates that the LocalDB accounts locked out
due to login failures will be displayed.

- “idletime”: indicates that the LocalDB accounts locked out due
to idle timeout will be displayed.

- “manual”: indicates that the LocalDB accounts locked out
manually by the administrator will be displayed.

- “all”: indicates that the LocalDB accounts of all the preceding
three types will be displayed.

The default value is all.

username Optional. This parameter specifies a string to match the LocalDB
account. Its value must be a string of 1 to 64 characters. All locked
LocalDB accounts whose names include the string will be
displayed. If this parameter is not specified, locked accounts will
not be filtered by username.

start Optional. This parameter specifies the position in the list of locked
LocalDB accounts at which display starts. Its value must be between
1 and 4,294,967,295. The default value is 1.

count Optional. This parameter specifies the number of locked LocalDB
accounts to be displayed. Its value must be an integer ranging from
0 to 4,294,967,295. The default value is 0, indicating all locked
LocalDB accounts matching the other parameter settings will be
displayed.

localdb lockout unlock [account_name]


This command is used to unlock a previously locked LocalDB account.

2000-2018 Array Networks, Inc.


74
All Rights Reserved.
Chapter 4 AAA

account_name Optional. This parameter specifies the name of the LocalDB
account to be unlocked. The default value is empty, indicating all
locked LocalDB accounts will be unlocked.

show statistics localdb lockout [account_name]


This command is used to display the lockout statistics of a specified LocalDB account.

account_name Optional. This parameter specifies a string to match the account. All
LocalDB accounts whose names include the string will be matched. If
the parameter “account_name” is not specified, the lockout statistics
for all LocalDB accounts will be displayed.
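The lockout commands in this section describe a small state machine: a failure counter per account, a lock that is either timed or held until “localdb lockout unlock”, and a listing filtered by type and name. The Python class below is an added example written for this page, not code from Array Networks or the AG product; it models the login-failure and manual lockouts with the defaults the handbook gives (10 failures, duration 0 meaning until manual unlock). It assumes a caller-supplied clock in seconds, that a successful login resets the failure counter, that attempts against a locked account do not extend the lock, and it does not model the idle-time lockout; the type names come from the “localdb lockout list” parameter.

```python
"""Account-lockout bookkeeping modelled on the LocalDB lockout commands (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNTIL_MANUAL_UNLOCK = 0   # a duration of 0 means "locked until 'localdb lockout unlock'"


@dataclass
class Lock:
    lock_type: str    # "loginfailure" or "manual" (names used by 'localdb lockout list')
    locked_at: int    # seconds, from a clock the caller supplies (assumption: monotonic)
    duration: int     # seconds; 0 = until manual unlock

    def expired(self, now: int) -> bool:
        return self.duration != UNTIL_MANUAL_UNLOCK and now >= self.locked_at + self.duration


class LockoutTable:
    """Tracks failure counts and active locks for LocalDB-style accounts."""

    def __init__(self, failure_times: int = 10, failure_duration: int = UNTIL_MANUAL_UNLOCK):
        # Ranges are those of 'localdb lockout auto loginfailure [failure_times] [duration]'.
        if not 1 <= failure_times <= 65535:
            raise ValueError("failure_times must be between 1 and 65,535")
        if not 0 <= failure_duration <= 4294967295:
            raise ValueError("duration must be between 0 and 4,294,967,295")
        self.failure_times = failure_times
        self.failure_duration = failure_duration
        self._failures: Dict[str, int] = {}
        self._locks: Dict[str, Lock] = {}

    def is_locked(self, account: str, now: int) -> bool:
        lock = self._locks.get(account)
        if lock is None:
            return False
        if lock.expired(now):
            # Timed lockout elapsed: the account is usable again with a clean failure count.
            del self._locks[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_login(self, account: str, success: bool, now: int) -> bool:
        """Feed one authentication result; return True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True                          # assumption: attempts while locked do not extend the lock
        if success:
            self._failures.pop(account, None)    # assumption: a good login resets the counter
            return False
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.failure_times:
            self._locks[account] = Lock("loginfailure", now, self.failure_duration)
            return True
        return False

    def lock_manual(self, account: str, now: int, duration: int = UNTIL_MANUAL_UNLOCK) -> None:
        """'localdb lockout manual <account_name> [duration]' for a single account."""
        self._locks[account] = Lock("manual", now, duration)

    def unlock(self, account: Optional[str] = None) -> None:
        """'localdb lockout unlock [account_name]': no name unlocks every account."""
        for name in ([account] if account else list(self._locks)):
            self._locks.pop(name, None)
            self._failures.pop(name, None)

    def list_locked(self, now: int, lock_type: str = "all",
                    username: str = "") -> List[Tuple[str, str]]:
        """'localdb lockout list [type] [username]': filter by lock type and name substring."""
        result: List[Tuple[str, str]] = []
        for name in sorted(self._locks):
            if not self.is_locked(name, now):
                continue                         # expired timed locks are dropped here
            lock = self._locks[name]
            if lock_type != "all" and lock.lock_type != lock_type:
                continue
            if username and username not in name:
                continue
            result.append((name, lock.lock_type))
        return result
```

The point worth noticing is the duration-0 branch: with the default of 0 a login-failure lockout never times out, so a deployment that enables “localdb lockout auto loginfailure” without a duration must also have an administrative procedure for “localdb lockout unlock”, otherwise repeated failed attempts against an account leave it unusable until someone intervenes.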

LocalDB Backup and Restoration

localdb backup <backup_name>


This command is used to back up the virtual site’s LocalDB. A maximum of 20 LocalDB backup
files can be configured in the system. If 20 LocalDB backup files already exist, to create new
LocalDB backup files, the old ones must be deleted.

backup_name This parameter specifies the name of the LocalDB backup. Its value
must be a string of 1 to 32 characters.

Note: For the MotionPro-type virtual site, this command will back up all the data in the
LocalDB including the MDM data but excluding the MDM CLI configurations.

no localdb backup <backup_name>


This command is used to delete the specified LocalDB backup file.

show localdb backup


This command is used to display the LocalDB backup files.

clear localdb backup


This command is used to delete all LocalDB backup files.

localdb autobackup <count> [time] [dayofweek]


This command is used to configure the LocalDB auto-backup settings. If this command is not
configured, the default setting “localdb autobackup 3 0:00 0” will be used, which means to
automatically back up the LocalDB daily at 0:00 and at most three auto-backup files can be kept.
If three auto-backup files already exist, new auto-backup files will overwrite the old ones.

count This parameter specifies the number of auto-backup files to be kept
in the system. Its value must be an integer ranging from 0 to 5. If
the parameter is set to “0”, auto-backup will be turned off. When
the count is exceeded, the oldest backup file will be overwritten.

time Optional. This parameter specifies the time for the auto-backup in
“HH:MM” (24-hour) format, for example, 6:23, 05:05, 23:59. The
default value is 0:00.

dayofweek Optional. This parameter specifies the day of the week for the
auto-backup. Its value must be an integer ranging from 0 to 7. The
default value is 0, indicating the LocalDB database will be backed
up on a daily basis. If the parameter is set to “1” to “7”, the
LocalDB database will be backed up once a week, on Monday
through Sunday respectively.

show localdb autobackup


This command is used to display the settings of the existing LocalDB auto-backup.

localdb restore <backup_name>


This command is used to restore LocalDB from the specified LocalDB backup.

backup_name This parameter specifies the name of the LocalDB backup database.
Its value must be a string of 1 to 32 characters.

LocalDB Export and Import

localdb export <file_name> {account|group|member}


This command is used to export accounts, groups or member relations from the LocalDB database
into a configuration file on the system.

file_name This parameter specifies the name of the file on the system. Its
value must be a string of 1 to 32 characters.

account|group|member This parameter specifies the type of information to be exported. Its
value must only be “account”, “group” or “member”.

- account: indicates that the account information, such as the
username, password, creation time and so on, will be exported.

- group: indicates that the group information, such as the group
name, expiration time, creation time and so on, will be
exported.

- member: indicates that only the account and group name will
be exported.

2000-2018 Array Networks, Inc.


76
All Rights Reserved.
Chapter 4 AAA

Note: The files exported from LocalDB directly are in the UTF-8 encoding format. To
read or edit the exported file, make sure that your file viewer or editor supports UTF-8
encoding.

no localdb export <file_name> {account|group|member}


This command is used to delete the configuration file exported from the LocalDB database.

show localdb export {account|group|member}


This command is used to display the configuration of accounts, groups or member relations
exported from the LocalDB database.

clear localdb export {account|group|member}


This command is used to delete all configurations of accounts, groups or member relations
exported from the LocalDB database.

localdb netexport scp {account|group|member} <server_name> <user_name> <file_path>


This command is used to export a file containing accounts, groups or member relations to an SCP
server.

account|group|member This parameter specifies the type of information to be exported. Its
value must only be “account”, “group” or “member”.

- account: indicates that the account information, such as the
username, password, creation time and so on, will be exported.

- group: indicates that the group information, such as the group
name, the expiration time, creation time and so on, will be
exported.

- member: indicates that only the account and group name will
be exported.

server_name This parameter specifies the name of the server to which data will
be exported. Its value must be a string of 1 to 128 characters.

user_name This parameter specifies the name of the remote user on the SCP
server. Its value must be a string of 1 to 64 characters.

file_path This parameter specifies the path, which must include the file name,
to export the file on the SCP server. Its value must be a string of 1
to 256 characters.

2000-2018 Array Networks, Inc.


77
All Rights Reserved.
Chapter 4 AAA

Note: The files exported via SCP are in the UTF-8 encoding format. To read or edit the
exported file, make sure that your file viewer or editor supports UTF-8 encoding.

localdb netexport tftp {account|group|member} <ip> <file_name>


This command is used to export a file containing accounts, groups or member relations to a TFTP
server.

account|group|member This parameter specifies the type of information to be exported. Its
value must only be “account”, “group” or “member”.

- account: indicates that the account information, such as the
username, password, creation time and so on, will be exported.

- group: indicates that the group information, such as the group
name, the expiration time, creation time and so on, will be
exported.

- member: indicates that only the account and group name will
be exported.

ip This parameter specifies the IP address of the TFTP server.

file_name This parameter specifies the name of the file to export data on the
TFTP server. Its value must be a string of 1 to 256 characters.

Note: The files exported via TFTP are in the UTF-8 encoding format. To read or edit the
exported file, make sure that your file viewer or editor supports UTF-8 encoding.

localdb import <file_name> {account|group|member} [overwrite|ignore]


This command is used to import a file containing accounts, groups or member relations into
LocalDB from the system.

file_name This parameter specifies the name of the file to be imported into
LocalDB. Its value must be a string of 1 to 127 characters.

account|group|member This parameter specifies the type of information to be imported. Its
value must only be “account”, “group” or “member”.

- account: indicates that the account information, such as the
username, password, creation time and so on, will be imported.

- group: indicates that the group information, such as the group
name, expiration time, creation time and so on, will be
imported.

- member: indicates that only the account and group name will
be imported.

overwrite|ignore Optional. This parameter specifies how to handle conflicting
duplicate data. Its value must only be:

- overwrite: The duplicate data will be merged with the existing
data.

- ignore: The duplicate data will not be imported.

If this parameter is not specified, the administrator must choose
how to proceed at the CLI prompt when executing this command.

Note: The files imported to LocalDB directly must be in the UTF-8 encoding format.
Otherwise, the importing might fail.

localdb netimport http {account|group|member} <url> {overwrite|ignore}


This command is used to import a file containing accounts, groups or member relations from an
HTTP resource.

account|group|member This parameter specifies the type of information to be imported. Its
value must only be “account”, “group” or “member”.

- account: indicates that the account information, such as the
username, password, creation time and so on, will be imported.

- group: indicates that the group information, such as the group
name, expiration time, creation time and so on, will be
imported.

- member: indicates that only the account and group name will
be imported.

url This parameter specifies the URL of the HTTP resource. Its value
must be a string of 1 to 64 characters.

overwrite|ignore This parameter specifies how to handle conflicting duplicate
data. Its value must be “overwrite” or “ignore”.

- overwrite: The duplicate data will be merged with the existing
data.

- ignore: The duplicate data will not be imported.

Note: The files imported via HTTP must be in the UTF-8 encoding format. Otherwise, the
importing might fail.

2000-2018 Array Networks, Inc.


79
All Rights Reserved.
Chapter 4 AAA

localdb netimport scp {account|group|member} <server_name> <user_name> <file_path> {overwrite|ignore}


This command is used to import a file containing accounts, groups or member relations from an
SCP server.

account|group|member This parameter specifies the type of information to be imported. Its
value must only be “account”, “group” or “member”.

- account: indicates that the account information, such as the
username, password, creation time and so on, will be imported.

- group: indicates that the group information, such as the group
name, the expiration time, creation time and so on, will be
imported.

- member: indicates that only the account and group name will
be imported.

server_name This parameter specifies the name of the server from which data
will be imported. Its value must be a string of 1 to 127 characters.

user_name This parameter specifies the name of the remote user on the SCP
server. Its value must be a string of 1 to 64 characters.

file_path This parameter specifies the path, which must include the file name,
to import the file from the SCP server. Its value must be a string of
1 to 256 characters.

overwrite|ignore This parameter specifies how to handle conflicting duplicate
data. Its value must be “overwrite” or “ignore”.

- overwrite: The duplicate data will be merged with the existing
data.

- ignore: The duplicate data will not be imported.

Note: The files imported via SCP must be in the UTF-8 encoding format. Otherwise, the
importing might fail.

localdb netimport tftp {account|group|member} <ip> <file_name> {overwrite|ignore}


This command is used to import a file containing accounts, groups or member relations from a
TFTP server.

account|group|member This parameter specifies the type of information to be imported. Its
value must only be “account”, “group” or “member”.

- account: indicates that the account information, such as the
username, password, creation time and so on, will be imported.

- group: indicates that the group information, such as the group
name, the expiration time, creation time and so on, will be
imported.

- member: indicates that only the account and group name will
be imported.

ip This parameter specifies the IP address of the TFTP server.

file_name This parameter specifies the name of the file to import data from on
the TFTP server. Its value must be a string of 1 to 256 characters.

overwrite|ignore This parameter specifies how to handle conflicting duplicate data.
Its value must be “overwrite” or “ignore”.

- overwrite: The duplicate data will be merged with the existing
data.

- ignore: The duplicate data will not be imported.

Note: The files imported via TFTP must be in the UTF-8 encoding format. Otherwise,
the importing might fail.
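Two things in the import commands above deserve a worked illustration: the file must be valid UTF-8 or the import may fail, and a duplicate record is either merged over the existing one (“overwrite”) or left untouched (“ignore”). The Python below is an added example for this page, not code from Array Networks or the AG product, and the exported file layout it parses is an assumption: the handbook does not document the export format, so the example uses a constructed one-record-per-line “name<TAB>key=value” form purely to exercise the two behaviours.

```python
"""Importing an exported LocalDB-style account file with overwrite/ignore handling (added example)."""
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample. The real export format is not documented on this page; this example
# assumes one record per line, "name<TAB>key=value<TAB>key=value", UTF-8 encoded.
SAMPLE_EXPORT = (
    "alice\tgroup=staff\tcreated=2018-01-05\n"
    "caf\u00e9\tgroup=guests\tcreated=2018-02-10\n"
).encode("utf-8")


def decode_export(raw: bytes) -> List[str]:
    """Exported files are UTF-8; reject anything else rather than importing garbled names."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"import file is not valid UTF-8 (byte offset {exc.start})") from exc
    return [line for line in text.splitlines() if line.strip()]


def parse_accounts(lines: List[str]) -> Dict[str, Record]:
    """Parse the assumed line format into {account_name: {field: value}}."""
    accounts: Dict[str, Record] = {}
    for line in lines:
        name, *fields = line.split("\t")
        record: Record = {}
        for field in fields:
            key, sep, value = field.partition("=")
            if not sep:
                raise ValueError(f"malformed field {field!r} for account {name!r}")
            record[key] = value
        accounts[name] = record
    return accounts


def merge_accounts(existing: Dict[str, Record], imported: Dict[str, Record],
                   mode: str) -> Tuple[Dict[str, Record], List[str]]:
    """Apply the import; return (merged table, names skipped because mode was 'ignore')."""
    if mode not in ("overwrite", "ignore"):
        raise ValueError("mode must be 'overwrite' or 'ignore'")
    merged = {name: dict(rec) for name, rec in existing.items()}   # never mutate the input
    skipped: List[str] = []
    for name, rec in imported.items():
        if name not in merged:
            merged[name] = dict(rec)
        elif mode == "ignore":
            skipped.append(name)                 # duplicate: existing record left untouched
        else:
            merged[name].update(rec)             # overwrite: imported fields merged over existing
    return merged, skipped


if __name__ == "__main__":
    current = {"alice": {"group": "admins", "created": "2017-01-01"}}
    table, skipped = merge_accounts(current, parse_accounts(decode_export(SAMPLE_EXPORT)), "ignore")
    print(table, "skipped:", skipped)
```

Checking the encoding before touching the account table, rather than letting a decode error surface halfway through, keeps a failed import from leaving the database partially updated; the same ordering applies whether the file arrives locally, over SCP, over TFTP or over HTTP.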

LocalDB IP

localdb ip account <account_name> <ip_address> <netmask>


This command is used to set a fixed IP address for the specified LocalDB account. After the fixed
IP address is set for the specified LocalDB account:

- For users accessing the backend resources through the L3VPN tunnel, the system will assign
the fixed IP address to the LocalDB account while ignoring the IP address assignment by the
Netpool authorized to the LocalDB account.

- For users accessing the backend resources through the Site2Site VPN tunnel, the system will
assign the fixed IP address (tunnel IP) to the LocalDB account.

account_name This parameter specifies the name of the LocalDB account.

ip_address This parameter specifies the IP address assigned to the LocalDB
account. Its value must be given in dotted decimal notation.

netmask This parameter specifies the netmask of the subnet to which the IP
address belongs. Its value must be given in dotted decimal notation.

no localdb ip account <account_name>


This command is used to delete the fixed IP address set for the specified LocalDB account.

show localdb ip account <account_name>


This command is used to display the fixed IP address set for the specified LocalDB account.

LocalDB SSO

localdb sso account <account_name> <sso_account> <sso_passwd> [sso_domain]


This command is used to configure an application login credential for the specified LocalDB
account in the LocalDB server.

account_name This parameter specifies the LocalDB account name. Its value must
be a string of 1 to 64 characters.

sso_account This parameter specifies the account name of the application login
credential used for Application SSO. Its value must be a string of 1
to 64 characters.

sso_passwd This parameter specifies the password of the application login
credential used for Application SSO. Its value must be a string of 1
to 64 characters. Only 0-9, a-z, A-Z and printable ASCII characters
are allowed.

sso_domain Optional. This parameter specifies the domain or workgroup used
for Application SSO. Its value must be a string of 1 to 256
characters. By default, this parameter is not specified.

Note:

- The portal login username must be the same as the LocalDB account username
associated with the application login credential.

- If the Application SSO function is enabled for DesktopDirect applications, the
administrator needs to associate the DesktopDirect resources with the application
login name used for Application SSO instead of the bound LocalDB account, using
the command “art desktop assign user” or “art application associate user”.

no localdb sso account <account_name>


This command is used to delete the application login credential configured for the specified
LocalDB account.

2000-2018 Array Networks, Inc.


82
All Rights Reserved.
Chapter 4 AAA

show localdb sso account <account_name>


This command is used to display the application login credential configured for the specified
LocalDB account.

LocalDB Status

show localdb config <virtual_site>


This global command is used to display all LocalDB configurations for a particular virtual site.

show localdb config


This command is used to display all LocalDB configurations of the virtual site.

LocalDB Statistics

show statistics aaa


This command is used to display the AAA statistics of the virtual site.

show statistics aaa [virtual_site]


This global command is used to display the AAA statistics of the specified virtual site. If the
parameter “virtual_site” is not specified, the AAA statistics of all virtual sites will be displayed.

clear statistics aaa


This command is used to delete the AAA statistics of the virtual site.

clear statistics aaa [virtual_site]


This global command is used to delete the AAA statistics of the specified virtual site. If the
parameter “virtual_site” is not specified, the AAA statistics of all virtual sites will be deleted.

LDAP

aaa server ldap host <ldap_server_name> <ip> <port> <username> <password> <base_dn> <timeout> [index] [tls_flag]


This command is used to configure an LDAP host for the specified LDAP server. A maximum of
three LDAP hosts can be configured for one LDAP server.

ldap_server_name This parameter specifies the name of an existing LDAP server. Its
value must be a string of 1 to 32 characters.

ip This parameter specifies the IP address of the LDAP host. Its value
must be an IPv4 address.

port This parameter specifies the port of the LDAP host. Its value must
be an integer ranging from 1 to 65,535.

2000-2018 Array Networks, Inc.


83
All Rights Reserved.
Chapter 4 AAA

username This parameter specifies the username of the LDAP server
administrator. Its value must be a string of 1 to 127 characters.

password This parameter specifies the password of the LDAP server
administrator.

base_dn This parameter specifies the Distinguished Name (DN) of the
LDAP entry at which to start the search for users. Its value must be
a string of 1 to 900 characters.

timeout This parameter specifies the timeout value of the search in seconds.
Its value must be an integer ranging from 1 to 65,535.

index Optional. This parameter specifies the host index. Its value must be
1, 2 or 3. The default value is 1.

tls_flag Optional. This parameter specifies whether to access the LDAP
server over the TLS protocol. Its value must be:

- “tls”: indicates that the LDAP server is accessed over the TLS
protocol.

- empty: indicates the LDAP server is not accessed over the
TLS protocol.

The default value is empty.

no aaa server ldap host <ldap_server_name> <index>


This command is used to delete an LDAP host of the specified LDAP server.

show aaa server ldap host <ldap_server_name>


This command is used to display the LDAP server host(s) configured for the specified LDAP
server.

aaa server ldap idletime <ldap_server_name> [idle_time]


This command is used to set the idle timeout value for the specified LDAP server. The connection
to the LDAP server will be terminated when the connection is idle for the specified timeout value.

ldap_server_name This parameter specifies the name of an existing LDAP server.

idle_time Optional. This parameter specifies the idle timeout value in


seconds. Its value must be an integer ranging from 60 to 3000. The
default value is 600.

2000-2018 Array Networks, Inc.


84
All Rights Reserved.
Chapter 4 AAA

no aaa server ldap idletime <ldap_server_name>


This command is used to delete the idle timeout setting of the specified LDAP server.

show aaa server ldap idletime <ldap_server_name>


This command is used to display the idle timeout value configured for the specified LDAP server.

aaa server ldap searchfilter <ldap_server_name> <filter_string>


This command is used to configure a search filter for the specified LDAP server. The search filter
plays an important role in authenticating and authorizing users through LDAP. For the functions
of the search filter in static and dynamic binding, please refer to the commands “aaa server ldap
bind dynamic” and “aaa server ldap bind static”.

ldap_server_name This parameter specifies the name of an existing LDAP server.

filter_string This parameter specifies a filter string used to search for the LDAP
entries. Its value must be a string of 1 to 80 characters enclosed by
double quotes.

The filter string consists of:

- attribute: Common Name (cn), Distinguished Name (dn), User
Id (uid), Organization Unit (ou) and so on.

- comparison operator: “>”, “<” or “=”.

- logical operator: “& (and)”, “| (or)”, “! (not)”, “= (equal to)”,
or “* (any)”.

Please refer to the RFC for details of the LDAP filter string.

The filter string can contain at most three tokens represented by
“<USER>”, which is case-insensitive. For example, if the
“filter_string” parameter is set to “cn=<USER>”, the system will
generate a search filter by replacing “<USER>” with an end user’s
real username upon receiving authentication or authorization
requests.

Note: If this command is not configured for the specified LDAP server, AAA uses
“uid=<USER>” as the default search filter string.

For example:

Search an entry with cn being the real username:

vs(config)aaa server ldap searchfilter ldap1 "cn=<USER>"

Search an entry without cn being the real username:

vs(config)aaa server ldap searchfilter ldap1 "(!(cn=<USER>))"

Search an entry with objectClass being Person and with sn being the real username or cn being a
value containing the real username:

vs(config)aaa server ldap searchfilter ldap1 "(&(objectClass=Person)(|(sn=<USER>)(cn=<USER>*)))"
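The “<USER>” substitution described above is the point where an end user's typed name enters the LDAP query, so anyone reimplementing or auditing it wants the name escaped per RFC 4515 (the LDAP search-filter string representation) before it is spliced into the template; otherwise characters such as “*”, “(” and “)” in a login name would change the meaning of the filter the administrator configured. The function below is an added example for this page, not Array's implementation, and whether the appliance itself escapes the username is not stated in the handbook, so the escaping is this example's own defensive choice. It keeps the rules the page does give: case-insensitive tokens, at most three of them, a 1-to-80-character template, and “uid=<USER>” when no filter is configured.

```python
"""Building an LDAP search filter from a '<USER>' template (added example)."""
import re
from typing import Optional

DEFAULT_FILTER = "uid=<USER>"     # used by AAA when no searchfilter is configured
MAX_USER_TOKENS = 3               # the CLI allows at most three <USER> tokens
_USER_TOKEN = re.compile(r"<USER>", re.IGNORECASE)

# RFC 4515 value escaping: these characters are written as backslash + two hex digits
# so a username cannot open, close or wildcard filter components.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value that is to be embedded inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: Optional[str], username: str) -> str:
    """Substitute the end user's name for every <USER> token (case-insensitive)."""
    if template is None:
        template = DEFAULT_FILTER
    if not 1 <= len(template) <= 80:
        raise ValueError("filter_string must be 1 to 80 characters")
    if len(_USER_TOKEN.findall(template)) > MAX_USER_TOKENS:
        raise ValueError("filter_string may contain at most three <USER> tokens")
    # A callable replacement is inserted verbatim, so the escapes' backslashes survive.
    return _USER_TOKEN.sub(lambda _match: escape_filter_value(username), template)


if __name__ == "__main__":
    template = "(&(objectClass=Person)(|(sn=<USER>)(cn=<USER>*)))"
    print(build_search_filter(template, "j.doe"))
    print(build_search_filter(template, "j.doe*)"))   # metacharacters neutralised
```

Note that only the substituted value is escaped; the “*” the administrator wrote in “cn=<USER>*” stays a wildcard, exactly as the third example above intends, while a “*” arriving in the username becomes the literal sequence “\2a”.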

no aaa server ldap searchfilter <ldap_server_name>


This command is used to delete the search filter configured for the specified LDAP server.

show aaa server ldap searchfilter <ldap_server_name>


This command is used to display the search filter configured for the specified LDAP server.

aaa server ldap attribute group <ldap_server_name> <attribute>


This command is used to specify the attribute used to obtain the external LDAP group of the user
from the LDAP entry for the specified LDAP server.

ldap_server_name This parameter specifies the name of an existing LDAP server.

attribute This parameter specifies the name of the attribute used to obtain the
external LDAP group of the user from the LDAP entry. Its value
must be a string of 1 to 80 characters.

no aaa server ldap attribute group <ldap_server_name>


This command is used to delete the configuration of the attribute used to obtain the external LDAP
group from the LDAP entry for the specified LDAP server.

show aaa server ldap attribute group <ldap_server_name>


This command is used to display the configuration of the attribute used to obtain the external
LDAP group from the LDAP entry for the specified LDAP server.

aaa server ldap attribute phonenumber <ldap_server_name> <attribute>


This command is used to specify the attribute used to obtain the mobile phone number of the user
from the LDAP entry for the specified LDAP server.

ldap_server_name This parameter specifies the name of an existing LDAP server.

attribute This parameter specifies the name of the attribute used to obtain the
mobile phone number of the user from the LDAP entry. Its value
must be a string of 1 to 80 characters.

no aaa server ldap attribute phonenumber <ldap_server_name>


This command is used to delete the configuration of the attribute used to obtain the mobile phone
number of the user from the LDAP entry for the specified LDAP server.

show aaa server ldap attribute phonenumber <ldap_server_name>


This command is used to display the configuration of the attribute used to obtain the mobile phone
number of the user from the LDAP entry for the specified LDAP server.

aaa server ldap attribute defaultgroup <ldap_server_name> <group>


This command is used to configure the default group assigned to authenticated users for whom no
LDAP group is obtained for the specified LDAP server.

ldap_server_name This parameter specifies the name of an existing LDAP server.

group This parameter specifies the default group name for the user for
whom no LDAP group is obtained. Its value must be a string of 1 to
80 characters.

no aaa server ldap attribute defaultgroup <ldap_server_name>


This command is used to delete the configuration of the default group assigned to authenticated
users for whom no LDAP group is obtained for the specified LDAP server.

show aaa server ldap attribute defaultgroup <ldap_server_name>


This command is used to display the configuration of the default LDAP group assigned to
authenticated users for whom no LDAP group is obtained for the specified LDAP server.

aaa server ldap bind dynamic <ldap_server_name>


This command is used to enable the “dynamic” LDAP bind mode for the specified LDAP server.
In this case, AAA will fetch the DN from the LDAP server first.

After the “dynamic” LDAP bind mode is enabled, AAA sends a bind request containing the end
user’s username and password to the LDAP server and then a search request containing the search
filter string configured by the command “aaa server ldap searchfilter” to obtain the LDAP entry
of the end user. Then AAA sends the DN obtained from the LDAP entry together with the
password of the end user in another bind request to the LDAP server. After the end user passes the
authentication, AAA reuses the obtained LDAP entry to authorize the end user.

ldap_server_name This parameter specifies the name of an existing LDAP server.

no aaa server ldap bind dynamic <ldap_server_name>


This command is used to disable the “dynamic” LDAP bind mode for the specified LDAP server.

aaa server ldap bind static <ldap_server_name> <dn_prefix> <dn_suffix>


This command is used to enable the “static” LDAP bind mode for the specified LDAP server. In
this case, the system will construct the user’s DN by concatenating the strings
“<dn_prefix><USER><dn_suffix>”. <USER> is the username used to log into the virtual site.
“<dn_prefix>” and “<dn_suffix>” must be the same for all users using the same virtual site.

After the “static” LDAP bind mode is enabled, AAA sends the DN
(<dn_prefix><USER><dn_suffix>) together with the password of the end user in a bind request to
the LDAP server. After the end user passes the authentication, AAA sends a search request
containing the search filter string configured by the command “aaa server ldap searchfilter” to
obtain the LDAP entry of this end user. Then, it authorizes the end user based on the obtained
LDAP entry.

ldap_server_name This parameter specifies the name of an existing LDAP server.

dn_prefix This parameter specifies the DN prefix extracted from the LDAP
server. Its value must be a string of 1 to 80 characters.

dn_suffix This parameter specifies the DN suffix extracted from the LDAP
server. Its value must be a string of 1 to 80 characters.

For example:

vs(config)aaa server ldap bind static "AD" "cn=" ",ou=array,dc=spxad,dc=cn"
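As an added example that is not part of this handbook or of Array's code, the following Python builds the two username substitutions the handbook describes: <USER> replaced inside the search filter configured by “aaa server ldap searchfilter”, and <USER> placed between dn_prefix and dn_suffix in “static” bind mode. The page does not state whether AG itself escapes the username, so the RFC 4515 (filter) and RFC 4514 (DN) escaping shown here is an assumption about what a safe implementation should do, not a description of the appliance.

```python
# Added example: safe expansion of <USER> in an LDAP search filter template
# and in a static bind DN. The escaping rules are an assumption about safe
# practice; the handbook does not document how AG treats special characters.

# RFC 4515: characters that change the meaning of a search filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a username so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_search_filter(filter_string: str, user: str) -> str:
    """Replace every <USER> in the configured filter string with the
    escaped real username, as done at authentication/authorization time."""
    if "<USER>" not in filter_string:
        raise ValueError("filter string has no <USER> placeholder")
    return filter_string.replace("<USER>", escape_filter_value(user))


# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape a username so it stays a single RDN value inside the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_static_dn(dn_prefix: str, user: str, dn_suffix: str) -> str:
    """<dn_prefix><USER><dn_suffix>, as used by 'aaa server ldap bind static'."""
    return f"{dn_prefix}{escape_dn_value(user)}{dn_suffix}"


if __name__ == "__main__":
    # Constructed sample values, matching the handbook's own examples.
    print(expand_search_filter(
        "(&(objectClass=Person)(|(sn=<USER>)(cn=<USER>*)))", "alice"))
    print(build_static_dn("cn=", "alice", ",ou=array,dc=spxad,dc=cn"))
```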

no aaa server ldap bind static <ldap_server_name>


This command is used to disable the “static” LDAP bind mode for the specified LDAP server.

show aaa server ldap bind <ldap_server_name>


This command is used to display the configuration of the LDAP bind mode for the specified
LDAP server.

Note: The “static” and “dynamic” LDAP bind function cannot be enabled at the same
time.

aaa server ldap pwdexpirewarning <ldap_server_name> <password_expiry_warning>

This command is used to configure password expiry warning, that is, configure whether and when
to display a password expiry warning message on the welcome page for the specified LDAP
server. After this command is configured, if the remaining valid time of the LDAP user’s
password is equal to or less than the value of the “password_expiry_warning” parameter at user
login, a password expiry warning message will be displayed on the welcome page. If this
command is not configured, no password expiry warning message will be displayed on the
welcome page.

ldap_server_name This parameter specifies the name of the existing LDAP server.


password_expiry_warning This parameter specifies how long before the user’s LDAP
password expires, in seconds, the warning message is displayed on
the welcome page. Its value must be an integer ranging from 1 to
1,209,600.

Note:

Before using the LDAP password change function, please make sure that:

 On related LDAP servers, the lifetime of LDAP passwords has been configured.

 For the OpenLDAP server, the external default policy has been configured.

 For the Windows Active Directory (AD) server, its system time must be the same as
the system time of the AG appliance.

 On the AG appliance, the related Windows AD servers have been configured to use
port 636 and to be accessed using the TLS protocol.

no aaa server ldap pwdexpirewarning <ldap_server_name>


This command is used to delete the configuration of the password expiry warning for the specified
LDAP server.

show aaa server ldap pwdexpirewarning <ldap_server_name>


This command is used to display the configuration of the password expiry warning for the
specified LDAP server.

aaa server ldap pwdpolicy <ldap_server_name> <password_policy_DN>


This command is used to set the policy DN for the specified LDAP server when the LDAP server
is an OpenLDAP server.

Before configuring password expiry warning for the OpenLDAP server, you must execute this
command to set the policy DN first. Otherwise, the password expiry warning configuration will
not be accepted by the OpenLDAP server.

ldap_server_name This parameter specifies the name of an existing LDAP server. Its
value must be a string of 1 to 32 characters.

password_policy_DN This parameter specifies the policy DN. Its value must be a string of
1 to 32 characters and must be the same as the default policy DN
set on the OpenLDAP server.

For example:

vs(config)$ aaa server ldap pwdpolicy AD "cn=pwspolicy"

no aaa server ldap pwdpolicy <ldap_server_name>


This command is used to delete the configuration of the policy DN for the specified LDAP server.

show aaa server ldap pwdpolicy <ldap_server_name>


This command is used to display the configuration of the policy DN for the specified LDAP
server.

aaa group in dn

This command is used to enable the function of extracting the DN as the user’s group. The
administrator can use the command “aaa group regex” to define which part of the DN will be
extracted as the user’s group. By default, this function is disabled.

no aaa group in dn

This command is used to disable the function of extracting the DN as the user’s group.

aaa group regex <expression>


This command is used to define which part of the DN to be extracted as the user’s group.

expression This parameter specifies a regular expression that indicates the part
of the DN to be extracted as the user’s group. Its value must be a
string of 1 to 64 characters. The “()” meta-character is supported. At
most five “()” meta-characters can be configured.

For example:

vs(config)$ aaa group regex "OU=([^,]*), OU=([^,]*)"

If the DN is “OU=Information Department, OU=Users, OU=1025, DC=staff, DC=org”,
“Information Department” and “Users” will be extracted respectively as two groups of the user.
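The extraction described above, as an added example in Python that is not part of the handbook or of Array's code: the capture groups of the first match of the configured expression against the DN become the user's groups, the 64-character and five-group limits from the parameter description are enforced, and a DN that does not match yields no group. Case-sensitive matching is an assumption; the page does not say how AG compares DN attribute types.

```python
# Added example: group extraction from a DN as described for 'aaa group regex'.
# Case-sensitive matching is an assumption, not a documented AG behaviour.
import re
from typing import List

MAX_EXPRESSION_LEN = 64      # "1 to 64 characters"
MAX_CAPTURE_GROUPS = 5       # "At most five () meta-characters"


def compile_group_regex(expression: str) -> "re.Pattern[str]":
    """Validate and compile the expression under the handbook's limits."""
    if not 1 <= len(expression) <= MAX_EXPRESSION_LEN:
        raise ValueError("expression must be 1 to 64 characters")
    pattern = re.compile(expression)
    if pattern.groups > MAX_CAPTURE_GROUPS:
        raise ValueError("at most five capture groups are allowed")
    return pattern


def extract_groups_from_dn(dn: str, expression: str) -> List[str]:
    """Return the values captured by the first match of expression in dn.

    Each captured value becomes one group of the user. A DN that does not
    match (or a group that did not participate) contributes nothing, so the
    caller should fall back to the configured default group in that case.
    """
    match = compile_group_regex(expression).search(dn)
    if match is None:
        return []
    return [g for g in match.groups() if g is not None]


if __name__ == "__main__":
    # Constructed sample taken from the handbook's own example.
    dn = "OU=Information Department, OU=Users, OU=1025, DC=staff, DC=org"
    print(extract_groups_from_dn(dn, r"OU=([^,]*), OU=([^,]*)"))
```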

LDAP Autosearch

aaa server ldap autosearch profile <profile_name>


This command is used to define an LDAP auto-search profile. A maximum of five LDAP
auto-search profiles can be configured for a virtual site.

profile_name This parameter specifies the name of the LDAP auto-search profile.
Its value must be a string of 1 to 32 characters.

no aaa server ldap autosearch profile <profile_name>


This command is used to delete the specified LDAP auto-search profile.

show aaa server ldap autosearch profile


This command is used to display all LDAP auto-search profiles.

aaa server ldap autosearch host <profile_name> <ip> <port> <username> <password> <base_dn> <timeout> <tls_flag>



This command is used to configure an LDAP host for the specified LDAP auto-search profile. The
LDAP host must be configured before the profile is enabled using the command “aaa server ldap
autosearch on <profile_name>”.

profile_name This parameter specifies the name of an existing LDAP auto-search
profile.

ip This parameter specifies the IP address of the LDAP host. Its value
must be an IPv4 address.

port This parameter specifies the port of the LDAP host. Its value must
be an integer ranging from 1 to 65,535.

username This parameter specifies the username of the LDAP server
administrator.

password This parameter specifies the password of the LDAP server
administrator.

base_dn This parameter specifies the DN of the LDAP entry at which to start
the search for users. Its value must be a string of 1 to 900
characters.

timeout This parameter specifies the maximum timeout in seconds. Its value
must be an integer ranging from 1 to 65,535.

tls_flag Optional. This parameter specifies whether to access the LDAP
server over the TLS protocol. Its value must be:

 “tls”: indicates that the LDAP server is accessed over the TLS
protocol.

 empty: indicates the LDAP server is not accessed over the
TLS protocol.

The default value is empty.

no aaa server ldap autosearch host <profile_name>


This command is used to delete the LDAP host configured for the specified LDAP auto-search
profile.

show aaa server ldap autosearch host <profile_name>


This command is used to display the LDAP host configured for the specified LDAP auto-search
profile.


aaa server ldap autosearch filter <profile_name> <filter_string>


This command is used to configure the search filter for the specified LDAP auto-search profile.
The search filter must be configured before the profile is enabled using the command “aaa server
ldap autosearch on <profile_name>”.

This command is also used to modify the existing configuration of the search filter for the
specified LDAP auto-search profile.

profile_name This parameter specifies the name of the LDAP auto-search profile.

filter_string This parameter specifies a filter string used to filter the LDAP
entries. Its value must be a string of 1 to 128 characters, which must
be enclosed by double quotes.

Please refer to the command “aaa server ldap searchfilter” for
details of the parameter explanation.

no aaa server ldap autosearch filter <profile_name>


This command is used to delete the search filter configured for the specified LDAP auto-search
profile.

show aaa server ldap autosearch filter <profile_name>


This command is used to display the search filter configured for the specified LDAP auto-search
profile.

aaa server ldap autosearch attribute <profile_name> <search_attribute>


This command is used to configure the LDAP attribute to be searched for the specified LDAP
auto-search profile. The LDAP attribute must be configured before the profile is enabled using the
command “aaa server ldap autosearch on <profile_name>”.

This command is also used to modify the existing configuration of the LDAP attribute to be
searched for the specified LDAP auto-search profile.

profile_name This parameter specifies the name of an existing LDAP auto-search
profile.

search_attribute This parameter specifies the name of the LDAP attribute to be
searched. Its value must be a string of 1 to 32 characters.

no aaa server ldap autosearch attribute <profile_name>


This command is used to delete the configuration of the LDAP attribute to be searched for the
specified LDAP auto-search profile.

show aaa server ldap autosearch attribute <profile_name>


This command is used to display the configuration of the LDAP attribute to be searched for the
specified LDAP auto-search profile.

aaa server ldap autosearch time daily <profile_name> <hour>


This command is used to configure a daily auto-search frequency for the specified LDAP
auto-search profile. By default, auto-search is performed at 0:00 daily for the LDAP auto-search
profile.

This command is also used to modify the existing configuration of the daily auto-search frequency
for the specified LDAP auto-search profile.

profile_name This parameter specifies the name of an existing LDAP auto-search
profile.

hour This parameter specifies the hour when the daily auto-search is
carried out. Its value must be an integer ranging from 0 to 23,
indicating the hour ranging from 0:00 to 23:00.

aaa server ldap autosearch time weekly <profile_name> <hour> <day>


This command is used to configure a weekly auto-search frequency for the specified LDAP
auto-search profile.

This command is also used to modify the existing configuration of the weekly auto-search
frequency for the specified LDAP auto-search profile.

profile_name This parameter specifies the name of an existing LDAP auto-search
profile.

hour This parameter specifies the hour when the weekly auto-search is
carried out. Its value must be an integer ranging from 0 to 23,
indicating the hour ranging from 0:00 to 23:00.

day This parameter specifies the day when the weekly auto-search is
carried out. Its value must be “Monday”, “Tuesday”, “Wednesday”,
“Thursday”, “Friday”, “Saturday” or “Sunday”, and is
case-insensitive.

aaa server ldap autosearch time monthly <profile_name> <hour> <date>


This command is used to configure a monthly auto-search frequency for the specified LDAP
auto-search profile.

This command is also used to modify the existing configuration of the monthly auto-search
frequency for the specified LDAP auto-search profile.


profile_name This parameter specifies the name of an existing LDAP auto-search
profile.

hour This parameter specifies the hour when the monthly auto-search is
carried out. Its value must be an integer ranging from 0 to 23,
indicating the hour ranging from 0:00 to 23:00.

date This parameter specifies the date when the monthly auto-search is
carried out. Its value must be an integer ranging from 1 to 31.

If a month does not have the specified date, such as 31 in June, the
search will not be carried out in this month.
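The three schedules above (daily, weekly and monthly), as an added example in Python that is not part of the handbook or of Array's code: each function computes the next run time from a reference time, the weekday name is compared case-insensitively as the handbook states, and the monthly schedule skips months that lack the configured date, such as 31 in June. Minute and second are assumed to be zero, since the commands only take an hour.

```python
# Added example: next auto-search run time for the daily, weekly and monthly
# schedules. Running at minute 0 of the configured hour is an assumption.
import calendar
from datetime import datetime, timedelta

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday",
            "friday", "saturday", "sunday"]


def _at_hour(when: datetime, hour: int) -> datetime:
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0 to 23")
    return when.replace(hour=hour, minute=0, second=0, microsecond=0)


def next_daily_run(now: datetime, hour: int) -> datetime:
    """Next run for 'aaa server ldap autosearch time daily'."""
    candidate = _at_hour(now, hour)
    if candidate <= now:
        candidate += timedelta(days=1)
    return candidate


def next_weekly_run(now: datetime, hour: int, day: str) -> datetime:
    """Next run for '... time weekly'; the day name is case-insensitive."""
    name = day.lower()
    if name not in WEEKDAYS:
        raise ValueError("day must be a weekday name, Monday to Sunday")
    candidate = _at_hour(now, hour)
    candidate += timedelta(days=(WEEKDAYS.index(name) - candidate.weekday()) % 7)
    if candidate <= now:
        candidate += timedelta(days=7)
    return candidate


def next_monthly_run(now: datetime, hour: int, date: int) -> datetime:
    """Next run for '... time monthly'; months without the date are skipped,
    so date=31 never fires in June and date=30 never fires in February."""
    if not 1 <= date <= 31:
        raise ValueError("date must be 1 to 31")
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0 to 23")
    year, month = now.year, now.month
    for _ in range(13):  # at most a year ahead; 31 exists in at least 7 months
        if date <= calendar.monthrange(year, month)[1]:
            candidate = datetime(year, month, date, hour)
            if candidate > now:
                return candidate
        month += 1
        if month > 12:
            month, year = 1, year + 1
    raise ValueError("no valid run date within the next year")


if __name__ == "__main__":
    # Constructed reference time for illustration.
    now = datetime(2018, 5, 31, 1, 0)
    print(next_daily_run(now, 0), next_weekly_run(now, 3, "monday"),
          next_monthly_run(now, 0, 31))
```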

no aaa server ldap autosearch time <profile_name>


This command is used to delete the setting of the auto-search frequency for the specified LDAP
auto-search profile.

show aaa server ldap autosearch time <profile_name>


This command is used to display the setting of auto-search frequency for the specified LDAP
auto-search profile.

aaa server ldap autosearch email <profile_name> <email_address>


This command is used to configure the email address for the specified LDAP auto-search profile.
When the search result is different from the last search result, an email will be sent to the
configured email addresses to notify the administrators of the LDAP entry changes. A maximum
of five “aaa server ldap autosearch email” configurations are supported for every profile. This
command configuration is optional for every profile.

profile_name This parameter specifies the name of the LDAP auto-search profile.

email_address This parameter specifies the email address. Its value must be a
string of 1 to 128 characters enclosed by double quotes.

no aaa server ldap autosearch email <profile_name> <email_address>


This command is used to delete the configuration of an email address for the specified LDAP
auto-search profile.

show aaa server ldap autosearch email <profile_name>


This command is used to display all the email addresses configured for the specified LDAP
auto-search profile.

aaa server ldap autosearch subject <profile_name> <email_subject>


This command is used to configure the email subject for the specified LDAP auto-search profile.
The subject will be used for sending emails to all the email addresses of this profile. This
command configuration is optional for every profile.

profile_name This parameter specifies the name of the LDAP auto-search profile.

email_subject This parameter specifies the email subject. Its value must be a
string of 1 to 256 characters enclosed by double quotes.

no aaa server ldap autosearch subject <profile_name>


This command is used to delete the configuration of the email subject for the specified LDAP
auto-search profile.

show aaa server ldap autosearch subject <profile_name>


This command is used to display the email subject configured for the specified LDAP auto-search
profile.

aaa server ldap autosearch {on|off} <profile_name>


This command is used to enable or disable the specified LDAP auto-search profile. Before
enabling the LDAP auto-search profile, make sure that related LDAP auto-search configurations
have been made.

profile_name This parameter specifies the name of an existing LDAP auto-search
profile.

show aaa server ldap autosearch status <profile_name>


This command is used to display the status of the specified LDAP auto-search profile.

aaa server ldap autosearch update <profile_name>


This command is used to carry out a search immediately based on the specified LDAP auto-search
profile.

profile_name This parameter specifies the name of an existing LDAP auto-search
profile.

aaa server ldap autosearch result <profile_name>


This command is used to display the search results and result changes of the specified LDAP
auto-search profile.

profile_name This parameter specifies the name of an existing LDAP auto-search
profile.

aaa server ldap autosearch acknowledge <profile_name>


This command is used to acknowledge the search result changes of the specified LDAP
auto-search profile.

profile_name This parameter specifies the name of an existing LDAP auto-search
profile.

RADIUS

aaa server radius host <radius_server_name> <ip> <authentication_port> <secret> <retries> <timeout> [index] [accounting_port]

This command is used to configure a RADIUS host for a specified RADIUS server. A maximum
of three RADIUS hosts can be configured for one RADIUS server.

radius_server_name This parameter specifies the name of an existing RADIUS server.
Its value must be a string of 1 to 32 characters.

ip This parameter specifies the IP address of the RADIUS host. Its
value must be an IPv4 address.

authentication_port This parameter specifies the port number used for RADIUS
authentication. Its value must be an integer ranging from 1 to
65,535.

secret This parameter specifies the shared secret text string used by the
AG appliance and the RADIUS server to encrypt passwords and
exchange responses.

retries This parameter specifies the number of retries when connecting to
the RADIUS server. Its value must be an integer ranging from 1 to 65,535.

timeout This parameter specifies the timeout value of the search in seconds.
Its value must be an integer ranging from 1 to 65,535.

index Optional. This parameter specifies the host index. Its value must be
1, 2 or 3. The default value is 1.

accounting_port Optional. This parameter specifies the port number used for
RADIUS accounting. Its value must be an integer ranging from 1 to
65535. The default value is 1813.

no aaa server radius host <radius_server_name> <index>


This command is used to delete a RADIUS host configured for the specified RADIUS server.


show aaa server radius host <radius_server_name>


This command is used to display the RADIUS host(s) configured for the specified RADIUS
server.

aaa server radius attribute group <radius_server_name> <attribute>


This command is used to specify an attribute used to obtain the external RADIUS group of the
user from the RADIUS entry for the specified RADIUS server. Please note that individual
attributes may vary depending on the individual network requirements.

radius_server_name This parameter specifies the name of an existing RADIUS server.

attribute This parameter specifies the ID of the attribute used to obtain the
external RADIUS group of the user from the RADIUS entry. Its
value must be an integer ranging from 1 to 63. For details of each
attribute, please refer to the following list.

Please note that the attributes may vary depending on the individual
network requirements.

1 User-Name

2 User-Password

3 CHAP-Password

4 NAS-IP-Address

5 NAS-Port

6 Service-Type

7 Framed-Protocol

8 Framed-IP-Address

9 Framed-IP-Netmask

10 Framed-Routing

11 Filter-Id

12 Framed-MTU

13 Framed-Compression

14 Login-IP-Host

15 Login-Service

16 Login-TCP-Port

17 (unassigned)


18 Reply-Message

19 Callback-Number

20 Callback-Id

21 (unassigned)

22 Framed-Route

23 Framed-IPX-Network

24 State

25 Class

26 Vendor Specific

27 Session Timeout

28 Idle-Timeout

29 Termination-Action

30 Called-Station-Id

31 Calling-Station-Id

32 NAS-Identifier

33 Proxy-State

34 Login-LAT-Service

35 Login-LAT-Node

36 Login-LAT-Group

37 Framed-AppleTalk-Link

38 Framed-AppleTalk-Network

39 Framed-AppleTalk-Zone

40-59 (reserved for accounting)

60 CHAP-Challenge

61 NAS-Port-Type

62 Port-Limit

63 Login-LAT-Port

Note: To modify the existing attribute, please delete the existing configuration using the
command “no aaa server radius attribute group” first.


no aaa server radius attribute group <radius_server_name>


This command is used to delete the configuration of the attribute used to obtain the external
RADIUS group of the user from the RADIUS entry for the specified RADIUS server.

show aaa server radius attribute group <radius_server_name>


This command is used to display the configuration of the attribute used to obtain the external
RADIUS group of the user from the RADIUS entry for the specified RADIUS server.

aaa server radius attribute clientip <radius_server_name> <attribute_ip> <attribute_netmask>

This command is used to specify the attribute used to obtain the VPN client IP and netmask of the
user from the RADIUS entry for the specified RADIUS server.

radius_server_name This parameter specifies the name of an existing RADIUS server.

attribute_ip This parameter specifies the ID of the attribute used to obtain the
VPN client IP of the user from the RADIUS entry for the specified
RADIUS server.

attribute_netmask This parameter specifies the ID of the attribute used to obtain the
VPN netmask of the user from the RADIUS entry for the specified
RADIUS server.

no aaa server radius attribute clientip <radius_server_name>


This command is used to delete the configuration of the attributes used to obtain the VPN client IP
and netmask of the user from the RADIUS entry for the specified RADIUS server.

show aaa server radius attribute clientip <radius_server_name>


This command is used to display the configuration of the attributes used to obtain the VPN client
IP and netmask of the user from the RADIUS entry for the specified RADIUS server.

aaa server radius attribute phonenumber <radius_server_name> <attribute>

This command is used to specify the attribute used to obtain the mobile phone numbers of the user
from the RADIUS entry for the specified RADIUS server.

radius_server_name This parameter specifies the name of an existing RADIUS server.

attribute This parameter specifies the attribute used to obtain the mobile
phone numbers of users from the RADIUS server. Its value must be a
string of 1 to 80 characters.

no aaa server radius attribute phonenumber <radius_server_name>


This command is used to delete the attribute used to obtain the mobile phone number of the user
from the RADIUS entry for the specified RADIUS server.

show aaa server radius attribute phonenumber <radius_server_name>


This command is used to display the attribute used to obtain the mobile phone number of the user
from the RADIUS entry for the specified RADIUS server.

aaa server radius defaultgroup <radius_server_name> <group>


This command is used to configure the default group assigned to authenticated users for whom no
RADIUS group is obtained for the specified RADIUS server.

radius_server_name This parameter specifies the name of an existing RADIUS server.

group This parameter specifies the default RADIUS group name. Its value
must be a string of 1 to 80 characters.

no aaa server radius defaultgroup <radius_server_name>


This command is used to delete the default group assigned to authenticated users for whom no
RADIUS group is obtained for the specified RADIUS server.

show aaa server radius defaultgroup <radius_server_name>


This command is used to display the default group assigned to authenticated users for whom no
RADIUS group is obtained for the specified RADIUS server.

aaa server radius nasip <radius_server_name> <nasip>


This command is used to set the “NAS-IP-Address” (IP address of NAS, Network Access Server)
attribute in the RADIUS requests for the specified RADIUS server. If this command is not
configured, the system will select an available port IP address as the NAS IP address in the
sequence of “port1, port2, port3…”.

radius_server_name This parameter specifies the name of an existing RADIUS server.

nasip This parameter specifies the NAS IP address for the RADIUS
server. Its value must be an IPv4 address.

Note: The “NAS-IP-Address” attribute must be specified if only the bond or VLAN
interface is configured with the IP address but no system interface is configured with the IP
address on the AG appliance.

no aaa server radius nasip <radius_server_name>


This command is used to delete the setting of the “NAS-IP-Address” attribute for the specified
RADIUS server.

show aaa server radius nasip <radius_server_name>


This command is used to display the setting of the “NAS-IP-Address” attribute for the specified
RADIUS server.

Certificate

aaa server certificate authenticate type <cert_server_name> <authentication_type>

This command is used to set the Certificate server used for authentication and the authentication
type of the Certificate server.

cert_server_name This parameter specifies the name of an existing Certificate server
used for authentication.

authentication_type This parameter specifies the authentication type of the Certificate
server. Its value must be:

 anonymous: indicates the system will only authenticate the
user’s SSL client certificate.

 challenge: indicates the system will authenticate the user’s
SSL client certificate and validate that the username and
password of the user’s account exists on the LDAP or
LocalDB server assisting the Certificate server in
authentication.

 nochallenge: indicates the system will authenticate the user’s
SSL client certificate and validate that the username of the
user’s account exists on the LDAP or LocalDB server assisting
the Certificate server in authentication.

Note: For the authentication types “challenge” and “nochallenge”, the administrator needs
to set the type of the AAA server assisting this Certificate server in authentication using
the “aaa server certificate authenticate server” command and configure other related
settings. For the authentication type “challenge”, after passing the certificate
authentication, the user will be directed to the challenge page, requiring the user to enter
the (username and) password. For details, please refer to the command “aaa server
certificate authenticate userid”.

no aaa server certificate authenticate type <cert_server_name>


This command is used to delete the configuration of the Certificate server used for authentication.

show aaa server certificate authenticate type <cert_server_name>


This command is used to display the configuration of the Certificate server used for
authentication.


aaa server certificate anonymous <cert_server_name> <cert_field>


This command is used to set the certificate field used to obtain the username of the user account
from the certificate for the specified Certificate server used for authentication of the “anonymous”
type. If this command is not configured, the default username of the user account is “cert user”.

The value of the specified certificate field will be used as the account name of the user and will be
displayed on the portal welcome page when the user passes the certificate authentication.

cert_server_name This parameter specifies the name of an existing Certificate server.

cert_field This parameter specifies the certificate field used to obtain the
username of the user account from the certificate. Its value must be
a string of 1 to 256 characters and must be:

 Standard certificate field names

 All standard OIDs in the standard certificate fields (in the
format of x.x.x.x and must be enclosed by double quotes)

 Standard extension OIDs in the extension field (in the format
of x.x.x.x and must be enclosed by double quotes)

 Combination of the DN name and OID (in the format of
DN.OID)

 Standard extension field names in the extension field (only
ext.subjectAltName and ext.issuerAltName).

For detailed description for the values of the “cert_field” parameter,
please refer to the command “aaa server certificate
externalgroup”.

The following table describes the values of the “cert_field” parameter in detail.

Value: Standard certificate field names
Description: The “cert_field” parameter supports the following standard
certificate field names:

 subject and subject.cn/c/o/ou/st/l/emailaddress/pseudonym/title/sn/name/surname/givenname/initials/dnqualifier/gq/dn/dc
(certificate’s subject field)

 issuer and issuer.cn/c/o/ou/st/l/emailaddress/pseudonym/title/sn/name/surname/givenname/initials/dnqualifier/gq/dc
(certificate’s issuer field)

 serial (certificate’s serial number field)

 notbefore (certificate’s not before field)

 notafter (certificate’s not after field)

 commonname (certificate’s common name field, same as subject.cn)

 validity (certificate’s validity field)

 publickey (certificate’s public key field)

Value: All standard OIDs in the standard certificate fields
Description: OIDs for the standard certificate field names.

Value: Standard extension OIDs in the extension field
Description: The “cert_field” parameter supports the following standard
extension OIDs enclosed by double quotes: 2.5.29.35, 2.5.29.14, 2.5.29.15,
2.5.29.32, 2.5.29.33, 2.5.29.17, 2.5.29.18, 2.5.29.9, 2.5.29.19, 2.5.29.30,
2.5.29.36, 2.5.29.37, 2.5.29.31, 2.5.29.54 and 2.5.29.46.

Value: Combination of the DN name and OID
Description: The “cert_field” parameter supports the following combinations of
the DN name and OID:

 subject.oid: for example, subject.1.2.840.113549.1.9.1 indicates the OID
1.2.840.113549.1.9.1 (email address) in the certificate’s subject field.

 issuer.oid: for example, issuer.1.2.840.113549.1.9.1 indicates the OID
1.2.840.113549.1.9.1 (email address) in the certificate’s issuer field.

 ext.oid: for example, ext.2.5.29.35 indicates the OID 2.5.29.35 in the
certificate’s extension field.

 oid.oid: for example, oid.2.5.29.17 indicates the OID 2.5.29.17 in the
entire certificate’s To Be Signed (TBS) part.

Value: Standard extension field names in the extension field
Description: The “cert_field” parameter supports only the following two
standard extension field names:

 ext.subjectAltName

 ext.issuerAltName

no aaa server certificate anonymous <cert_server_name>


This command is used to delete the configuration of the certificate field used to obtain the
username of the user account from the certificate for the specified Certificate server used for
authentication of the “anonymous” type.

show aaa server certificate anonymous <cert_server_name>


This command is used to display the configuration of the certificate field used to obtain the
username of the user account from the certificate for the specified Certificate server used for
authentication of the “anonymous” type.

aaa server certificate authenticate userid <cert_server_name> <id_action>


This command is used to set the user ID action for the specified Certificate server whose
authentication type is “challenge”. When this command is not configured, the username text box
will not be displayed for the user to enter the username on the Certificate challenge page. The
value of the certificate field specified by the command “aaa server certificate ldap search” or
“aaa server certificate localdb search” will be used as the username.

This command is also used to modify the existing configuration of the user ID action of the
specified Certificate server used for authentication.

cert_server_name This parameter specifies the name of an existing Certificate server
whose authentication type is “challenge”.

id_action This parameter specifies the user ID action for the Certificate
server. Its value must be:

• showid: indicates that the username text box will be displayed
on the Certificate challenge page and the value of the
certificate field specified by the command “aaa server
certificate ldap search” or “aaa server certificate localdb
search” is displayed as the username.

• getid: indicates that the username text box will be displayed on
the Certificate challenge page and the user needs to enter the
username manually.

no aaa server certificate authenticate userid <cert_server_name>


This command is used to delete the configuration of the user ID action for the specified Certificate
server whose authentication type is “challenge”.

show aaa server certificate authenticate userid <cert_server_name>


This command is used to display the configuration of the user ID action for the specified
Certificate server whose authentication type is “challenge”.

aaa server certificate authenticate server <cert_server_name> <server_type>

This command is used to set the type of the AAA server assisting the specified Certificate server
in authentication. This command needs to be configured only when the authentication type of the
Certificate server is “challenge” or “nochallenge”.

cert_server_name This parameter specifies the name of an existing Certificate server
used for authentication.

server_type This parameter specifies the type of the AAA server assisting the
Certificate server for authentication. Its value must be:

• localdb: indicates that the virtual site’s LocalDB server will
assist the Certificate server in authentication.

• ldap: indicates that the LDAP server specified by the “aaa
server certificate ldap serverid” command will assist the
Certificate server in authentication.

no aaa server certificate authenticate server <cert_server_name>


This command is used to delete the configuration of the type of the AAA server assisting the
specified Certificate server in authentication.

show aaa server certificate authenticate server <cert_server_name>


This command is used to display the configuration of the type of the AAA server assisting the
specified Certificate server in authentication.

aaa server certificate ldap serverid <cert_server_name> <ldap_server_name>

This command is used to set the LDAP server used to assist the specified Certificate server in
authentication or authorization.

cert_server_name This parameter specifies the name of an existing Certificate server.

ldap_server_name This parameter specifies the name of an existing LDAP server.

no aaa server certificate ldap serverid <cert_server_name>


This command is used to delete the configuration of the LDAP server used to assist the specified
Certificate server in authentication or authorization.

show aaa server certificate ldap serverid <cert_server_name>


This command is used to display the configuration of the LDAP server used to assist the specified
Certificate server in authentication or authorization.

aaa server certificate ldap search <cert_server_name> <cert_field>
<ldap_attribute> [user_id]

This command is used to configure the search filter for the specified Certificate server using an
LDAP server to assist in authentication or authorization.

When the authentication type of the Certificate server is “nochallenge” or “challenge”, the LDAP
attribute specified by the “ldap_attribute” parameter and the value of the certificate field specified
by the “cert_field” parameter in the client certificate will constitute the search filter. For the
authentication type “nochallenge”, if any LDAP entry on the LDAP server matches this search
filter, the user passes the authentication and the value of the certificate field specified by the
“cert_field” parameter in the client certificate will be displayed as the username in the portal
welcome page. For the authentication type “challenge”, if any LDAP entry on the LDAP server
matches this search filter and the username and password on the Certificate challenge page, the
user passes the authentication and the value of the LDAP attribute specified by the “user_id”
parameter in the retrieved LDAP entry will be displayed as the username in the portal welcome
page.

cert_server_name This parameter specifies the name of an existing Certificate server.

cert_field This parameter specifies the certificate field used to obtain the
username of the user account from the certificate. Its value must be
a string of 1 to 256 characters and must be:

• Standard certificate field names

• All standard OIDs in the standard certificate fields (in the
format of x.x.x.x and must be enclosed by double quotes)

• Standard extension OIDs in the extension field (in the format
of x.x.x.x and must be enclosed by double quotes)

• Combination of the DN name and OID (in the format of
DN.OID)

• Standard extension field names in the extension field (only
ext.subjectAltName and ext.issuerAltName).

For a detailed description of the values of the “cert_field” parameter,
please refer to the command “aaa server certificate
externalgroup”.

ldap_attribute This parameter specifies the LDAP attribute used to constitute the
search filter. Its value must be a string of 1 to 80 characters.

user_id Optional. This parameter specifies the LDAP attribute used to
identify the user. If this parameter is not specified, the default value
is the same as the value of the “ldap_attribute” parameter.
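An added example (not Array Networks code) of how a cert_field value such as subject.cn, subject.<OID>, ext.subjectAltName or a quoted extension OID can be resolved against a client certificate and combined with ldap_attribute into the search filter described above. SAMPLE_CERT is a constructed dictionary standing in for a parsed X.509 certificate, and the RFC 4515 escaping step shows why a value taken from a client-supplied certificate must not be pasted into the filter unescaped.

```python
"""Resolve an AG-style cert_field spec against a client certificate and build
the LDAP search filter "(<ldap_attribute>=<certificate value>)".

Added example, not Array Networks code. SAMPLE_CERT is a constructed stand-in
for a parsed X.509 certificate, and the name-to-OID tables cover only the
attributes used here."""
from typing import Optional

# Standard DN attribute OIDs (RFC 4519 / PKCS#9); the handbook itself notes
# that 1.2.840.113549.1.9.1 is the e-mail address attribute.
DN_ATTR_OIDS = {
    "cn": "2.5.4.3", "sn": "2.5.4.4", "c": "2.5.4.6", "l": "2.5.4.7",
    "st": "2.5.4.8", "o": "2.5.4.10", "ou": "2.5.4.11",
    "givenname": "2.5.4.42", "emailaddress": "1.2.840.113549.1.9.1",
}
# The only two extension names cert_field accepts by name (see the table).
EXT_NAME_OIDS = {"subjectaltname": "2.5.29.17", "issueraltname": "2.5.29.18"}

# Constructed certificate: DNs are ordered (OID, value) pairs, extensions
# are keyed by OID. Values are sample data, not from any real certificate.
SAMPLE_CERT = {
    "subject": [("2.5.4.6", "US"), ("2.5.4.10", "Example Corp"),
                ("2.5.4.3", "jdoe"), ("1.2.840.113549.1.9.1", "jdoe@example.com")],
    "issuer": [("2.5.4.6", "US"), ("2.5.4.3", "Example Issuing CA")],
    "serial": "0x1a2b3c",
    "commonname": "jdoe",          # same as subject.cn, as the table says
    "ext": {"2.5.29.17": "jdoe@example.com", "2.5.29.19": "CA:FALSE"},
}


def _dn_lookup(dn, oid: str) -> Optional[str]:
    for attr_oid, value in dn:
        if attr_oid == oid:
            return value
    return None


def resolve_cert_field(cert: dict, spec: str) -> Optional[str]:
    """Select a value by spec: subject.cn, subject.<oid>, issuer.<oid>,
    ext.subjectAltName, ext.<oid>, oid.<oid>, a quoted bare "<oid>", or a
    whole-certificate name such as serial or commonname."""
    spec = spec.strip().strip('"')          # quoted OIDs arrive as "2.5.29.17"
    if not 1 <= len(spec) <= 256:
        raise ValueError("cert_field must be a string of 1 to 256 characters")
    head, _, tail = spec.partition(".")
    head = head.lower()
    if head in ("subject", "issuer"):
        if not tail:                        # whole DN
            return ",".join(f"{oid}={v}" for oid, v in cert[head])
        return _dn_lookup(cert[head], DN_ATTR_OIDS.get(tail.lower(), tail))
    if head == "ext":                       # ext.<name> or ext.<oid>
        return cert["ext"].get(EXT_NAME_OIDS.get(tail.lower(), tail))
    if head == "oid":                       # oid.<oid>: anywhere in the TBS part
        return (cert["ext"].get(tail) or _dn_lookup(cert["subject"], tail)
                or _dn_lookup(cert["issuer"], tail))
    if spec[0].isdigit():                   # bare extension OID, e.g. "2.5.29.17"
        return cert["ext"].get(spec)
    return cert.get(head)                   # serial, commonname, notbefore, ...


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: a certificate value under the subject's control
    must not be able to change the structure of the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_search_filter(cert: dict, cert_field: str, ldap_attribute: str) -> str:
    """The filter the handbook describes for nochallenge/challenge: the
    configured LDAP attribute matched against the client certificate value."""
    if not 1 <= len(ldap_attribute) <= 80:
        raise ValueError("ldap_attribute must be a string of 1 to 80 characters")
    value = resolve_cert_field(cert, cert_field)
    if value is None:
        raise LookupError(f"client certificate has no field {cert_field!r}")
    return f"({ldap_attribute}={ldap_filter_escape(value)})"
```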

no aaa server certificate ldap search <cert_server_name>


This command is used to delete the search rule configured for the specified Certificate server
using an LDAP server to assist in authentication or authorization.

show aaa server certificate ldap search <cert_server_name>


This command is used to display the search filter configured for the specified Certificate server
using an LDAP server to assist in authentication or authorization.

aaa server certificate localdb search <cert_server_name> <cert_field>


This command is used to configure the search filter for the specified Certificate server using the
LocalDB server to assist in authentication or authorization.

For the authentication type “nochallenge”, if the username of any LocalDB account on the
LocalDB server matches the value of the certificate field specified by the “cert_field” parameter in
the client certificate, the user passes the authentication and the value of the certificate field
specified by the “cert_field” parameter in the client certificate will be displayed as the username in
the portal welcome page. For the authentication type “challenge”, if the username and password of
any LocalDB account on the LocalDB server match the username and password on the Certificate
challenge page, the user passes the authentication and the username entered on the Certificate
challenge page will be displayed as the username in the portal welcome page.

cert_server_name This parameter specifies the name of an existing Certificate server
used for authentication.

cert_field This parameter specifies the certificate field used to obtain the
username of the user account from the certificate. Its value must be
a string of 1 to 32 characters and must be:

• Standard certificate field names

• All standard OIDs in the standard certificate fields (in the
format of x.x.x.x and must be enclosed by double quotes)

• Standard extension OIDs in the extension field (in the format
of x.x.x.x and must be enclosed by double quotes)

• Combination of the DN name and OID (in the format of
DN.OID)

• Standard extension field names in the extension field (only
ext.subjectAltName and ext.issuerAltName).

For a detailed description of the values of the “cert_field” parameter,
please refer to the command “aaa server certificate
externalgroup”.

no aaa server certificate localdb search <cert_server_name>


This command is used to delete the search filter configured for the specified Certificate server
using the LocalDB server to assist in authentication or authorization.

show aaa server certificate localdb search <cert_server_name>


This command is used to display the search filter configured for the specified Certificate server
using the LocalDB server to assist in authentication or authorization.

The following commands are used to configure authorization using the Certificate server.

During authorization using the Certificate server, the external group name of the user can be
obtained in one of three ways:

• Specified certificate field in the client certificate

• LDAP server

• LocalDB

The three ways are mutually exclusive for one Certificate server used for authorization.

aaa server certificate externalgroup <cert_server_name> <cert_field>


This command is used to set the certificate field used to obtain the external group name for the
specified Certificate server. The value of the certificate field in the client certificate will be used as
the external group name of the user.

cert_server_name This parameter specifies the name of an existing Certificate server.

cert_field This parameter specifies the certificate field used to obtain the
external group name in the client certificate. Its value must be a
string of 1 to 64 characters and must be:

• Standard certificate field names

• All standard OIDs in the standard certificate fields (in the
format of x.x.x.x and must be enclosed by double quotes)

• Standard extension OIDs in the extension field (in the format
of x.x.x.x and must be enclosed by double quotes)

• Combination of the DN name and OID (in the format of
DN.OID)

• Standard extension field names in the extension field (only
ext.subjectAltName and ext.issuerAltName).

no aaa server certificate externalgroup <cert_server_name>


This command is used to delete the configuration of the certificate field used to obtain the external
group name for the specified Certificate server.

aaa server certificate externaldefault <cert_server_name> <default_group>


This command is used to configure the default group assigned to a user for the specified
Certificate server when the system fails to obtain the external group name from the specified
certificate field in the client certificate.

cert_server_name This parameter specifies the name of an existing Certificate server.

default_group This parameter specifies the default group name. Its value must be a
string of 1 to 64 characters.

no aaa server certificate externaldefault <cert_server_name>


This command is used to delete the configuration of the default group assigned to a user for the
specified Certificate server when the system fails to obtain the external group name from the
specified certificate field in the client certificate.

aaa server certificate authorize server <cert_server_name> <server_type>


This command is used to set the type of the AAA server assisting the specified Certificate server
in authorization.

cert_server_name This parameter specifies the name of an existing Certificate server
used for authorization. Its value must be a string of 1 to 32
characters.

server_type This parameter specifies the type of the AAA server assisting the
specified Certificate server in authorization. Its value must be:

• localdb: indicates that the virtual site’s LocalDB server will
assist the Certificate server in authorization.

• ldap: indicates that the LDAP server specified by the “aaa
server certificate ldap serverid” command will assist the
Certificate server in authorization.

Note: If the “server_type” parameter is set to “ldap” and the system fails to obtain the
external group name for the user from the LDAP server, the system will use the default
group setting configured for the LDAP server itself using the command “aaa server ldap
attribute defaultgroup”.

no aaa server certificate authorize server <cert_server_name>


This command is used to delete the configuration of the type of the AAA server assisting the
specified Certificate server in authorization.

show aaa server certificate authorize server <cert_server_name>


This command is used to display the configuration of the type of the AAA server assisting the
specified Certificate server in authorization.

aaa server certificate localdb defaultgroup <cert_server_name> <default_group>

This command is used to configure the default group assigned to users for the specified
Certificate server when the system fails to obtain the group name for the user from the LocalDB
server. If this command is not configured and the system fails to obtain the group name for the
user from the LocalDB server, the group name of the user will be empty rather than the default
group setting for the LocalDB server itself.

cert_server_name This parameter specifies the name of an existing Certificate server.

default_group This parameter specifies the name of the default group in LocalDB.

no aaa server certificate localdb defaultgroup <cert_server_name>


This command is used to delete the configuration of the default group assigned to users for the
specified Certificate server when the system fails to obtain the group name for the user from
the LocalDB server.

show aaa server certificate localdb defaultgroup <cert_server_name>


This command is used to display the configuration of the default group assigned to users for the
specified Certificate server when the system fails to obtain the group name for the user from the
LocalDB server.

aaa server certificate sms type <cert_server_name> {certificate|ldap|localdb}

This command is used to set how to obtain mobile phone numbers of users from the specified
Certificate server.

cert_server_name This parameter specifies the name of an existing Certificate server.

certificate|ldap|localdb This parameter specifies how to obtain mobile phone numbers of
users. Its value must be:

• certificate: indicates that the system obtains mobile phone
numbers of users from certificates stored on the Certificate
server.

• ldap: indicates that the system obtains mobile phone numbers
of users from the LDAP server that is used by the Certificate
server for authentication or authorization.

• localdb: indicates that the system obtains mobile phone
numbers of users from LocalDB that is used by the Certificate
server for authentication or authorization.

Note: If the “certificate|ldap|localdb” parameter is set to “ldap” or “localdb”, the associated
LDAP server or LocalDB configured in the command “aaa server certificate authenticate
server <server_name> {localdb|ldap}” or “aaa server certificate authorize server
<server_name> {localdb|ldap}” must actually be used for authentication or authorization.
Otherwise, mobile phone numbers of users cannot be obtained.

no aaa server certificate sms type <cert_server_name>


This command is used to delete the configuration of how to obtain mobile phone numbers of users
from the specified Certificate server.

show aaa server certificate sms type <cert_server_name>


This command is used to display the configuration of how to obtain mobile phone numbers of
users from the specified Certificate server.

aaa server certificate sms certificate <cert_server_name> <cert_field>


This command is used to set the certificate field used to obtain mobile phone numbers of users on
the specified Certificate server. This command needs to be configured when the
“certificate|ldap|localdb” parameter is set to “certificate” in the command “aaa server certificate
sms type”.

cert_server_name This parameter specifies the name of an existing Certificate server.

cert_field This parameter specifies the certificate field used to obtain mobile
phone numbers of users. Its value must be a string of 1 to 80
characters and must be:

• Standard certificate field names

• All standard OIDs in the standard certificate fields (in the
format of x.x.x.x and must be enclosed by double quotes)

• Standard extension OIDs in the extension field (in the format
of x.x.x.x and must be enclosed by double quotes)

• Combination of the DN name and OID (in the format of
DN.OID)

• Standard extension field names in the extension field (only
ext.subjectAltName and ext.issuerAltName).

For a detailed description of the values of the “cert_field” parameter,
please refer to the command “aaa server certificate
externalgroup”.

no aaa server certificate sms certificate <cert_server_name>


This command is used to delete the configuration of the certificate field used to obtain mobile
phone numbers of users on the specified Certificate server.

show aaa server certificate sms certificate <cert_server_name>


This command is used to display the configuration of the certificate field used to obtain mobile
phone numbers of users on the specified Certificate server.

aaa server certificate sms ldap <cert_server_name> <attribute>


This command is used to set the LDAP entry’s attribute used to obtain mobile phone numbers of
users from the LDAP server used by the Certificate server for authentication or authorization. This
command needs to be configured when the “certificate|ldap|localdb” parameter is set to “ldap” in
the command “aaa server certificate sms type”.

cert_server_name This parameter specifies the name of an existing Certificate server.

attribute This parameter specifies the LDAP entry’s attribute from which the
AAA obtains mobile phone numbers of users. Its value must be a
string of 1 to 80 characters.

no aaa server certificate sms ldap <cert_server_name>


This command is used to delete the configuration of the LDAP entry’s attribute used to obtain
mobile phone numbers of users from the LDAP server used by the Certificate server for
authentication or authorization.

show aaa server certificate sms ldap <cert_server_name>


This command is used to display the configuration of the LDAP entry’s attribute used to obtain
mobile phone numbers of users from the LDAP server used by the Certificate server for
authentication or authorization.

2000-2018 Array Networks, Inc.


112
All Rights Reserved.
Chapter 4 AAA

SMS

aaa server sms host <sms_server_name> <host_ip> <host_port> <protocol>
[user_name] [password] [service_id] [source_number]
[conn_reuse|conn_close] [tls_flag]

This command is used to configure a host for the specified Short Message Service (SMS) server.
Only one host can be configured for each SMS server.

sms_server_name This parameter specifies the name of an existing SMS server.

host_ip This parameter specifies the IP address of the SMS host. Its value
must be an IPv4 address.

host_port This parameter specifies the port used by the host to communicate
with the AAA. Its value must be an integer ranging from 0 to
65535.

protocol This parameter specifies the protocol type used by the SMS server.
Its value is case-insensitive and must be:

• CMPP2: indicates the CMPPv2.0 protocol.

• CMPP3: indicates the CMPPv3.0 protocol.

• EM: indicates the EM proprietary protocol.

• CUSTOM: indicates the custom protocol.

If the administrator needs to use the CUSTOM protocol, the SMS
authentication request template must be imported via the “aaa
server sms custom import request” command and the SMS
authentication response filter rule must be configured via the “aaa
server sms custom result” command.

user_name Optional. This parameter specifies the username used to log into the
host of the SMS server. Its value must be enclosed by double quotes
when beginning with a non-alphabetical character.

The default value is empty, indicating that authentication is not
required by the SMS host.

password Optional. This parameter specifies the password used to log into the
host of the SMS server. Its value must be enclosed by double quotes
when beginning with a non-alphabetical character.

The default value is empty, indicating that authentication is not
required by the SMS host.

service_id Optional. This parameter specifies the ID of the SMS service. Its
value must be a string of 1 to 10 characters.

This parameter is used only when the “protocol” parameter is set to
“CMPP2” or “CMPP3”. The SMS service ID can be obtained when
you subscribe to SMS services from China Mobile. The default
value is empty.

source_number Optional. This parameter specifies the source number of SMS
messages. Its value must be a string of 1 to 21 characters.

This parameter is used only when the “protocol” parameter is set to
“CMPP2” or “CMPP3”. The source number can be obtained when
you subscribe to SMS services from China Mobile. The default
value is empty.

conn_reuse|conn_close Optional. This parameter specifies how to handle the connection
between the AG appliance and the SMS server after the AG
appliance receives the SMS authentication response. Its value must be:

• conn_reuse: indicates the connection will be reused after the
AG appliance receives the SMS authentication response.

• conn_close: indicates the connection will be forcefully
disconnected after the AG appliance receives the SMS
authentication response.

The default value is “conn_reuse”.

tls_flag Optional. This parameter specifies whether to access the SMS host
over the TLS protocol. Its value must be:

• “tls”: indicates that the TLS protocol is used to access the SMS
host.

• empty: indicates that the TLS protocol is not used to access the
SMS host.

The default value is empty.

This parameter is used only when the “protocol” parameter is set to
“CUSTOM”.

no aaa server sms host <sms_server_name>


This command is used to delete the host configured for the specified SMS server.

2000-2018 Array Networks, Inc.


114
All Rights Reserved.
Chapter 4 AAA

show aaa server sms host <sms_server_name>


This command is used to display the host configured for the specified SMS server.

aaa server sms companyinfo <sms_server_name> <company_name>
<contactor> <phone_number> <mobile_number> <email> <fax> <address>
<postcode>

This command is used to configure the information about the company that subscribes to SMS
services from Emay for the specified SMS server. The company information is required to register
the SMS service account on the SMS server.

sms_server_name This parameter specifies the name of an existing SMS server.

company_name This parameter specifies the company name. Its value must be a
string of 1 to 60 characters enclosed by double quotes when
beginning with a non-alphabetical character.

contactor This parameter specifies the name of the contact person of the
company. Its value must be a string of 1 to 20 characters enclosed
by double quotes when beginning with a non-alphabetical character.

phone_number This parameter specifies the telephone number of the company. Its
value must be a string of 1 to 20 characters enclosed by double
quotes when beginning with a non-alphabetical character.

mobile_number This parameter specifies the mobile phone number of the company.
Its value must be a string of 1 to 15 characters enclosed by double
quotes when beginning with a non-alphabetical character.

email This parameter specifies the email of the company. Its value must
be a string of 1 to 60 characters enclosed by double quotes when
beginning with a non-alphabetical character.

fax This parameter specifies the fax of the company. Its value must be a
string of 1 to 20 characters enclosed by double quotes when
beginning with a non-alphabetical character.

address This parameter specifies the address of the company. Its value must
be a string of 1 to 60 characters enclosed by double quotes when
beginning with a non-alphabetical character.

postcode This parameter specifies the postcode of the company. Its value
must be a string of 1 to 6 characters enclosed by double quotes
when beginning with a non-alphabetical character.

2000-2018 Array Networks, Inc.


115
All Rights Reserved.
Chapter 4 AAA

no aaa server sms companyinfo <sms_server_name>


This command is used to delete the company information setting of the specified SMS server.

show aaa server sms companyinfo <sms_server_name>


This command is used to display the company information on the specified SMS server.

aaa server sms message <sms_server_name> <string> [escape_flag]


This command is used to modify the content of the short message sent to the mobile phone for the
specified SMS server. The verification code is contained in the short message for SMS
authentication. If this command is not configured, the default content of the short message sent to
the mobile phone is “Verification code: <OTP>”.

sms_server_name This parameter specifies the name of an existing SMS server.

string This parameter specifies the content of the short message sent to the
mobile phone. Its value must be a string of 1 to 60 characters
enclosed by double quotes.

This parameter supports the placeholders “<OTP>” and
“<USER>”. “<OTP>” is mandatory in the string and stands for the
verification code sent to a mobile phone; “<USER>” stands for the
username of the user to whom the mobile phone belongs.

escape_flag Optional. This parameter specifies whether to escape the short
message. This parameter needs to be specified when the short
message is sent in the URL of the HTTP request. Its value must be:

• 0: indicates the short message will not be escaped.

• 1: indicates the short message will be escaped.

The default value is 0.

For example:

vs(config)$aaa server sms message sms_server "Hi <USER>, the verification code is <OTP>" 0
vs(config)$aaa server sms message sms_server "Verification code is <OTP>" 0

no aaa server sms message <sms_server_name> <string>


This command is used to reset the content of the short message sent to the mobile phone to the
default value “Verification code: <OTP>” for the specified SMS server.

show aaa server sms message <sms_server_name>

2000-2018 Array Networks, Inc.


116
All Rights Reserved.
Chapter 4 AAA

This command is used to display the content of the short message sent to the mobile phone for the
specified SMS server.

aaa server sms verificationcode <sms_server_name> <length>
<character_type>

This command is used to modify the length and character type of verification codes for the
specified SMS server. If this command is not configured, the default length of verification codes is
8 bytes, and verification codes comprise both letters and numbers by default.

sms_server_name This parameter specifies the name of an existing SMS server.

length This parameter specifies the length of verification codes in bytes.
Its value must be an integer ranging from 6 to 16.

character_type This parameter specifies the character type of verification codes. Its
value must be:

• letter: indicates that verification codes comprise only letters.

• num: indicates that verification codes comprise only numbers.

• both: indicates that verification codes comprise both letters
and numerals.

no aaa server sms verificationcode <sms_server_name>


This command is used to reset the length and character type of verification codes to the default
configuration for the specified SMS server.

show aaa server sms verificationcode <sms_server_name>


This command is used to display the length and character type of verification codes for the
specified SMS server.

aaa server sms expiretime <sms_server_name> <time>


This command is used to modify the expiration time of verification codes for the specified SMS
server. If this command is not configured, the default expiration time of verification codes is 300
seconds.

sms_server_name This parameter specifies the name of an existing SMS server.

time This parameter specifies the effective time of verification codes for
the SMS server in seconds. Its value must be an integer ranging
from 5 to 600.
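As an added example (not Array Networks code) covering both the “aaa server sms verificationcode” and “aaa server sms expiretime” settings above: a generator that enforces the documented length (6 to 16), character type and defaults, and a store that applies the expiration time (5 to 600 seconds, default 300) when a submitted code is checked. Single use, the constant-time comparison and the attempt limit are assumptions added here, not behaviour the handbook documents.

```python
"""Verification codes as constrained by "aaa server sms verificationcode"
(length 6 to 16; letter, num or both; default 8 and both) and checked under
"aaa server sms expiretime" (5 to 600 seconds; default 300).

Added example, not Array Networks code. How the AG itself generates, stores
and retires codes is not documented: single use, the constant-time comparison
and the attempt limit are assumptions made here."""
import hmac
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

CHARSETS = {
    "letter": string.ascii_letters,
    "num": string.digits,
    "both": string.ascii_letters + string.digits,
}


def generate_code(length: int = 8, character_type: str = "both") -> str:
    """Documented defaults: 8 characters, letters and numbers."""
    if not 6 <= length <= 16:
        raise ValueError("length must be an integer ranging from 6 to 16")
    if character_type not in CHARSETS:
        raise ValueError("character_type must be letter, num or both")
    alphabet = CHARSETS[character_type]
    # secrets rather than random: the code is an authentication factor.
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class SmsCodeStore:
    """Per-user pending codes with the SMS server's expiration time applied."""
    expire_time: int = 300
    max_attempts: int = 5            # assumption, not a documented setting
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 5 <= self.expire_time <= 600:
            raise ValueError("expiretime must be an integer ranging from 5 to 600")

    def issue(self, user: str, length: int = 8, character_type: str = "both",
              now: Optional[float] = None) -> str:
        """Create a code for user; issuing again replaces any earlier code."""
        code = generate_code(length, character_type)
        self.pending[user] = PendingCode(code, time.time() if now is None else now)
        return code

    def verify(self, user: str, submitted: str, now: Optional[float] = None) -> bool:
        """True only for the current, unexpired code; the code is then retired."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        now = time.time() if now is None else now
        if now - entry.issued_at > self.expire_time:
            del self.pending[user]   # expired: discard so it can never succeed later
            return False
        entry.attempts += 1
        # Constant-time comparison so timing does not leak matching prefixes.
        ok = hmac.compare_digest(entry.code.encode(), submitted.encode())
        if ok or entry.attempts >= self.max_attempts:
            del self.pending[user]   # single use; also retire after repeated failures
        return ok
```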

no aaa server sms expiretime <sms_server_name>

2000-2018 Array Networks, Inc.


117
All Rights Reserved.
Chapter 4 AAA

This command is used to reset the expiration time of verification codes to the default value 300
seconds for the specified SMS server.

show aaa server sms expiretime <sms_server_name>


This command is used to display the expiration time of verification codes for the specified SMS
server.

aaa server sms custom import request <sms_server_name> <url>


This command is used to import the SMS authentication request template for the specified SMS
server. AG constructs the SMS authentication request using the SMS authentication request
template and sends the constructed SMS authentication request to the SMS server for
authentication. Only one SMS authentication request template can be imported.

sms_server_name This parameter specifies the name of an existing custom SMS server.

url This parameter specifies the HTTP or FTP URL from which the
custom SMS authentication request template is imported. Its value
must be a string of 1 to 256 characters.

The format of the SMS authentication request template is as follows (every header line,
including the Content-Length line, ends with \r\n):

POST /smsend.jsp HTTP/1.1\r\n
Accept: */*\r\n
Accept-Encoding: NONE\r\n
Host: <SMS_SERVER_IP>:<SMS_SERVER_PORT>\r\n
Connection: Keep-Alive\r\n
Content-Length: <CONTENT_LENGTH>\r\n
Cache-Control: no-cache\r\n
\r\n
username=<USERNAME>&password=<PASSWORD>&dst=<PHONE>&msg=<MESSAGE>&report=0&sendtime=0&seqid=<SEQID>&uname=<RT_USERNAME>&passwd=<RT_PASSWORD>

When preparing the SMS authentication request template, please bear the following information in
mind:

- The fields <SMS_SERVER_IP> and <SMS_SERVER_PORT> will be replaced by the IP address and
port of the SMS host selected by AG.

- The <CONTENT_LENGTH> field will be filled with the transfer-length of the HTTP request body.

- The fields <USERNAME> and <PASSWORD> will be filled with the username and password used
to log into the host of the SMS server. The <PHONE> field will be filled with the mobile phone
number of the end user.

- The field <MESSAGE> will be replaced by AG with the message configured via the “aaa server sms
message” command.

- The field <SEQID> will be filled by AG according to the request ID of the SMS authentication
request.

- The fields <RT_USERNAME> and <RT_PASSWORD> will be filled with the username and
password that the user used to log into the virtual site.

Note: The SMS authentication request template must be a plain text file.

show aaa server sms custom template <sms_server_name> <type>


This command is used to display the SMS authentication request template for the specified custom
SMS server.

sms_server_name This parameter specifies the name of an existing custom SMS server.

type This parameter specifies the file type of the custom SMS
authentication request template. Its value must be “request”.

aaa server sms custom result <sms_server_name> <regex> <end_flag>


This command is used to configure an SMS authentication response filter rule for the specified
custom SMS server.

sms_server_name This parameter specifies the name of an existing custom SMS server.

regex This parameter specifies the regular expression indicating the
successful SMS authentication response. Its value must be a string
of 1 to 256 characters. If the SMS authentication response received
by AG matches this regular expression, AG displays the SMS
authentication page for the user to enter the verification code.

end_flag Optional. This parameter specifies the end location of the SMS
authentication response. Its value must be a string of 1 to 256
characters.

If this parameter is specified:

- AG will begin to parse the received SMS authentication response when the
SMS authentication response received by AG contains “end_flag”.

If this parameter is not specified or the configured “end_flag”
parameter is not found in the SMS authentication response:

- When the SMS authentication response received by AG contains the header
“Content-Length”, AG begins to parse the received SMS authentication response
after the whole body of the SMS authentication response is received. When the
SMS authentication response received by AG contains the header
“Transfer-Encoding: chunked”, AG begins to parse the received SMS
authentication response after all data chunks of the response are received.

- When the SMS authentication response received by AG does not contain the
header “Content-Length”, AG begins to parse the received SMS authentication
response after the first segment of the response is received.

The default value is empty.

Note: The SMS authentication response must include the request ID <SEQID> of the SMS
authentication request.
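How the template above is filled (placeholders substituted, Content-Length computed from the filled body) and when parsing of the reply would start under the end_flag / Content-Length / chunked rules of “aaa server sms custom result” (the same rules the “aaa server http result” end_flag parameter describes), as an added Python model. This is not Array's implementation: the template, values and responses are constructed, and percent-encoding the body values is this example's choice.

```python
import re
from urllib.parse import quote

# Constructed template: same placeholders as the documented SMS request template.
SMS_TEMPLATE = (
    "POST /smsend.jsp HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: NONE\r\n"
    "Host: <SMS_SERVER_IP>:<SMS_SERVER_PORT>\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Length: <CONTENT_LENGTH>\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "username=<USERNAME>&password=<PASSWORD>&dst=<PHONE>&msg=<MESSAGE>"
    "&report=0&sendtime=0&seqid=<SEQID>&uname=<RT_USERNAME>&passwd=<RT_PASSWORD>"
)

# Constructed values (documentation address, made-up credentials and phone number).
SAMPLE_VALUES = {
    "SMS_SERVER_IP": "192.0.2.10", "SMS_SERVER_PORT": "8080",
    "USERNAME": "gateway", "PASSWORD": "gateway-secret",
    "PHONE": "15550001234", "MESSAGE": "Your code is 482913",
    "SEQID": "1001", "RT_USERNAME": "alice", "RT_PASSWORD": "alice-secret",
}

_FIELD = re.compile(r"<([A-Z_]+)>")


def _fill(text, values, encode):
    """Replace every <FIELD>; an unknown field is a template error, not silently kept."""
    def repl(m):
        name = m.group(1)
        if name not in values:
            raise KeyError(f"template field <{name}> has no value")
        return quote(values[name], safe="") if encode else values[name]
    return _FIELD.sub(repl, text)


def build_sms_request(template, values):
    """Fill the template; Content-Length is computed from the filled body.

    Body values are percent-encoded because the body is a form-encoded string
    (a message containing '&' would otherwise add fields). That encoding is this
    example's choice; the handbook does not say how AG encodes the values.
    """
    head, sep, body = template.partition("\r\n\r\n")
    if not sep:
        raise ValueError("template has no blank line between headers and body")
    filled_body = _fill(body, values, encode=True)
    head_values = {**values, "CONTENT_LENGTH": str(len(filled_body.encode("utf-8")))}
    return _fill(head, head_values, encode=False) + sep + filled_body


def _split_headers(raw):
    """Return ({lower-name: lower-value}, body), or (None, b'') while headers are incomplete."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, b""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def _chunked_complete(body):
    """True once the zero-size last chunk and the CRLF ending the trailers have arrived."""
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            return False
        try:
            size = int(body[pos:nl].split(b";")[0], 16)
        except ValueError:
            return False
        if size == 0:
            return body.find(b"\r\n", nl + 2) >= 0
        pos = nl + 2 + size + 2
        if pos > len(body):
            return False


def response_ready(raw, end_flag=None):
    """Apply the end_flag / Content-Length / chunked / first-segment rules to the bytes so far."""
    if end_flag and end_flag in raw:
        return True
    headers, body = _split_headers(raw)
    if headers is None:
        return False  # simplification: wait for the header block before deciding
    if b"content-length" in headers:
        return len(body) >= int(headers[b"content-length"])
    if headers.get(b"transfer-encoding") == b"chunked":
        return _chunked_complete(body)
    return True  # no Content-Length: the first segment is enough


def sms_auth_accepted(raw, success_regex, seqid):
    """Accept only if the body matches the configured regex and echoes the request's SEQID."""
    _, body = _split_headers(raw)
    text = body.decode("utf-8", "replace")
    return re.search(success_regex, text) is not None and seqid in text
```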

no aaa server sms custom result <sms_server_name>


This command is used to delete the SMS authentication response matching rule for the specified
custom SMS server.

show aaa server sms custom settings <sms_server_name>


This command is used to display the configurations of the custom SMS server.

sms_server_name This parameter specifies the name of an existing SMS server.

SMX

aaa server smx host <smx_server_name> <host_name> <host_port>
[host_index]

This command is used to create a host for the specified SMX (SECUREMATRIX) server. A
maximum of two hosts can be configured for an SMX server and they have different index values
specified by the parameter “host_index”.

smx_server_name This parameter specifies the name of an existing SMX server.

host_name This parameter specifies the host name or IP address of the host.
For the host name, its value must be a string of 1 to 128 characters;
for the IP address, its value must be an IPv4 address enclosed by
double quotes.

host_port This parameter specifies the port number used by the host. Its value
is an integer ranging from 0 to 65535.

host_index Optional. This parameter specifies the index of the host among
hosts of the SMX server. Its value must be:

 1: indicates that this is a primary host.

 2: indicates that this is a secondary host.

The secondary host is used only when the user fails the
authentication performed by the primary host or when the primary
host is unavailable.

The default value is 1.

no aaa server smx host <smx_server_name> <host_index>


This command is used to delete a host from the specified SMX server.

show aaa server smx host <smx_server_name>


This command is used to show the host(s) created for the specified SMX server.

aaa server smx certimport <smx_server_name> <host_index>
<user@remote_host> <password> <file_path>

This command is used to import the certificate file for the specified SMX host from a remote host.

smx_server_name This parameter specifies the name of an existing SMX server.

host_index This parameter specifies the index of the host among hosts of the
SMX server.

user@remote_host This parameter specifies the remote host from which the certificate
file is imported and the username for logging into the remote host.
Its value must be a string of 1 to 512 characters in the format of
“user@remote_host”, which must be enclosed by double quotes.

password This parameter specifies the password for logging into the remote
host.

file_path This parameter specifies the path, which includes the certificate file
name, of the certificate file on the remote host. Its value must be a
string of 1 to 1024 characters. The certificate file is a .zip file
containing the private key, cert file and CA file.

HTTP

aaa server http host <http_server_name> <host_name> [host_port] [tls_flag]
[timeout] [retries] [index] [max_connections]

This command is used to configure an HTTP host for the specified HTTP AAA server. A
maximum of three HTTP hosts can be configured for one HTTP AAA server.

http_server_name This parameter specifies the name of an existing HTTP AAA server.

host_name This parameter specifies the host name or IP address of the HTTP
host. For the host name, its value must be a string of 1 to 128
characters; for the IP address, its value must be an IPv4 address
enclosed by double quotes.

host_port Optional. This parameter specifies the port of the HTTP host (The
HTTP host of the HTTP AAA server can be an HTTP or HTTPS
server used for authentication/authorization). Its value must be an
integer ranging from 0 to 65,535.

The default value is 0, indicating the default port. For the HTTP
server, “0” indicates the port 80; for the HTTPS server, “0”
indicates the port 443.

tls_flag Optional. This parameter specifies whether to access the HTTP host
over the TLS protocol. Its value must be:

 “tls”: indicates that the HTTPS server is used.

 empty: indicates that the HTTP server is used.

The default value is empty.

timeout Optional. This parameter specifies the maximum time that AG waits
for the HTTP response, in seconds. If not receiving the HTTP
response in the specified time, AG will resend the HTTP
authentication request. Its value must be an integer ranging from 0
to 65,535. “0” indicates no timeout. The default value is 5.

retries Optional. This parameter specifies the number of retries for sending the HTTP
authentication request to the HTTP host. Its value must be 1, 2 or 3.
The default value is 1.

index Optional. This parameter specifies the host index. Its value must be
1, 2 or 3. The default value is 1.

max_connections Optional. This parameter specifies the maximum number of
concurrent connections allowed by the HTTP AAA host. Its value
must be an integer ranging from 0 to 65,535. The default value is 0,
indicating no limitation on the maximum number of concurrent
connections.

no aaa server http host <http_server_name> <index>


This command is used to delete an HTTP host of the specified HTTP AAA server.

show aaa server http host <http_server_name>


This command is used to display the HTTP hosts configured for the specified HTTP AAA server.

aaa server http login template <http_server_name> <request_url>


This command is used to import an HTTP authentication login template for the specified HTTP
AAA server. When receiving an HTTP authentication login request from the client, AG constructs
the HTTP authentication login request using the HTTP authentication login template by replacing
the dynamic data in the template with user information of the user to be authenticated and sends
the constructed HTTP request to the HTTP AAA server for authentication.

Only one HTTP authentication request template can be configured for one HTTP AAA server.

http_server_name This parameter specifies the name of an existing HTTP AAA server.

request_url This parameter specifies the HTTP or FTP URL of the HTTP
authentication login template to be imported. Its value must be a
string of 1 to 256 characters.

The format of the HTTP authentication login template is as follows:

POST /iaccess/services HTTP/1.1
Accept-Encoding: NONE
Host: <an_serverhost>
Content-Length: <an_content-length>
SOAPAction: "http://IaccessMessageFlow/login"
User-Agent: Axis2

<?xml version='1.0' encoding='UTF-8'?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:login xmlns:ns1="http://IaccessMessageFlow">
<username><an_username></username>
<password><an_password></password>
<deviceid><an_cus-define-var1></deviceid>
<devicetype>P</devicetype>
<clientversion>9.0.0.0</clientversion>
<clientip><an_clientip></clientip>
<regionid><an_cus-define-var2></regionid>
<regioncolor>G</regioncolor>
</ns1:login>
</soapenv:Body>
</soapenv:Envelope>

When preparing the HTTP authentication login template, please bear the following information in
mind:

- The fields <an_username>, <an_password> and <an_clientip> will be filled with user
information of the user to be authenticated.

- The field <an_serverhost> will be replaced by the IP address of the HTTP host selected by
AG.

- The field <an_content-length> will be filled by AG according to the actual length of the
content.

- The fields <an_cus-define-var1> and <an_cus-define-var2> will be filled with the
customized user variables configured using the “portal custom variant name” command.

Note:

- The HTTP authentication login template must be a plain text file.

- For HTTP authentication requests with customized user information, the portal theme
login page should be used.

no aaa server http login template <http_server_name>


This command is used to delete the HTTP authentication login template imported for the specified
HTTP AAA server.

show aaa server http login template <http_server_name> [seperate]


This command is used to display the HTTP authentication login template imported for the
specified HTTP AAA server.

http_server_name This parameter specifies the name of an existing HTTP AAA server.

seperate Optional. This parameter specifies whether to display the dynamic
data in the HTTP authentication login template separately. Its value
must be:

- 0: indicates the dynamic data will not be displayed separately.

- 1: indicates the dynamic data will be displayed separately.

The default value is 0.

aaa server http login challengemessage <http_server_name>
<login_response_id> <login_response_filter> <message>

This command is used to set the HTTP authentication login challenge message for the specified
HTTP AAA server. This command should be configured when the backend server needs more
user information to perform the authentication. A maximum of five HTTP authentication login
challenge messages can be configured.

http_server_name This parameter specifies the name of an existing HTTP AAA server.

login_response_id This parameter specifies the ID of the HTTP authentication login
response. Its value must be an integer ranging from 1 to 5.

login_response_filter This parameter specifies the filter condition for the HTTP
authentication login response. Its value must be a string of 1 to 255
characters. The value can contain the variables and related rules
defined by the commands “aaa server http variant response
name” and “aaa server http variant response profile”.

message This parameter specifies the challenge message included in the
HTTP authentication login response. Its value must be a string of 1
to 255 characters. The value can contain the variables defined by
the “aaa server http variant response name” command.

For example:

When the HTTP authentication login response contains an “an_ret” variable whose value is 2, a
challenge is required and the challenge message will be “please enter the login PIN number.”

vs(config) aaa server http login challengemessage "http_server" "1" "<an_ret>=2" "please
enter the login PIN number"

no aaa server http login challengemessage <http_server_name>
<login_response_id>

This command is used to delete a specified HTTP authentication login challenge message for the
specified HTTP AAA server.

show aaa server http login configure <http_server_name>


This command is used to display the configuration of HTTP authentication login challenge
messages for the specified HTTP AAA server.

2000-2018 Array Networks, Inc.


125
All Rights Reserved.
Chapter 4 AAA

aaa server http challenge template <http_server_name> <challenge_id>
<request_url>

This command is used to import an HTTP authentication challenge template for the specified
HTTP AAA server. When receiving an HTTP authentication challenge request from the client,
AG constructs the HTTP authentication challenge request using the HTTP authentication
challenge template and sends the constructed HTTP authentication challenge request to the HTTP
AAA server. A maximum of five HTTP authentication challenge templates can be configured for
one HTTP AAA server.

This command should be used together with the “aaa server http challenge require” command.

The HTTP challenge template is similar to the HTTP authentication login template. For details,
please refer to the “aaa server http login template” command.

http_server_name This parameter specifies the name of an existing HTTP AAA server.

challenge_id This parameter specifies the ID of the HTTP authentication
challenge template. Its value must be an integer ranging from 1 to
5.

request_url This parameter specifies the HTTP or FTP URL of the HTTP
challenge template to be imported. Its value must be a string of 1 to
256 characters.

no aaa server http challenge template <http_server_name> <challenge_id>


This command is used to delete the specified HTTP authentication challenge template for the
specified HTTP AAA server.

show aaa server http challenge template <http_server_name>
<challenge_id> [seperate]

This command is used to display the specified HTTP authentication challenge template for the
specified HTTP AAA server.

http_server_name This parameter specifies the name of an existing HTTP AAA server.

challenge_id This parameter specifies the ID of the HTTP authentication
challenge template.

seperate Optional. This parameter specifies whether to display the dynamic
data in the HTTP authentication challenge template separately. Its value
must be:

- 0: indicates the dynamic data will not be displayed separately.

- 1: indicates the dynamic data will be displayed separately.

The default value is 0.

aaa server http challenge require <http_server_name> <challenge_id>
[challenge_condition]

This command is used to set a challenge condition based upon which to select the HTTP
authentication challenge template for the specified HTTP AAA server. Please define a customized
user variable using the “portal custom variant name” command first before configuring this
command.

http_server_name This parameter specifies the name of an existing HTTP AAA server.

challenge_id This parameter specifies the ID of the HTTP authentication
challenge template.

challenge_condition This parameter specifies the challenge condition based on which to
select the HTTP authentication challenge template. Its value must
be a string of 1 to 255 characters in the format of “<an_xx>=yy”,
such as “<an_param1>=chal1”.

For example:

vs(config) aaa server http challenge require "http_server" "1" "<an_param1>=chal1"

no aaa server http challenge require <http_server_name> <challenge_id>


This command is used to delete a specified challenge condition based upon which to select the
HTTP authentication challenge template for the specified HTTP AAA server.

aaa server http challenge challengemessage <http_server_name>
<challenge_id> <login_response_id> <challenge_response_filter>
<message>

This command is used to set the HTTP authentication challenge message for the specified HTTP
AAA server. This command should be configured if a further challenge is required after the HTTP
authentication login challenge. A maximum of five HTTP authentication challenge messages can
be configured.

http_server_name This parameter specifies the name of an existing HTTP AAA server.

challenge_id This parameter specifies the ID of the HTTP authentication
challenge template.

login_response_id This parameter specifies the ID of the HTTP authentication login
response.

challenge_response_filter This parameter specifies the filter condition for the HTTP
authentication challenge message. Its value must be a string of 1 to
255 characters. The value can contain the variables and related rules
defined by the commands “aaa server http variant response
name” and “aaa server http variant response profile”.

message This parameter specifies the message included in the HTTP
authentication challenge response. Its value must be a string of 1 to
255 characters. The value can contain the variables defined by the
“aaa server http variant response name” command.

For example:

When the challenge response contains an “an_random” variable whose value is 1, a further
challenge is required and the challenge message will be “Please use the UTF-8 encoding format if
multi-byte characters are used.”

vs(config) aaa server http challenge challengemessage "http_server" "1" "1"
"<an_random>=1" "Please use the UTF-8 encoding format if multi-byte characters are
used."

no aaa server http challenge challengemessage <http_server_name>
<challenge_id> <login_response_id>

This command is used to delete the specified HTTP authentication challenge message for the
specified HTTP AAA server.

show aaa server http challenge configure <http_server_name>
<challenge_id>

This command is used to display the configurations of HTTP challenge authentication for the
specified HTTP AAA server.

aaa server http variant response name <http_server_name> <var_name>
[var_filter]

This command is used to configure the customized user variable included in the HTTP
authentication login response and set a single-variable parsing rule for the specified HTTP AAA
server. The configured customized user variable can be used for the constitution of the HTTP
authentication login challenge message.

http_server_name This parameter specifies the name of an existing HTTP AAA server.

var_name This parameter specifies the name of the customized user variable
in the HTTP authentication login response. Its value must be a
string of 1 to 32 characters in the format of <an_xx>, such as
<an_param1>.

2000-2018 Array Networks, Inc.


128
All Rights Reserved.
Chapter 4 AAA

var_filter Optional. This parameter specifies the filter used to parse this
variable included in the HTTP authentication login response. Its
value must be a string of 1 to 256 characters. The default value is
empty.

For example:

vs(config) aaa server http variant response name "http_server" "<an_need_challenge>"
"var_AN_need_challenge=<an_need_challenge>;"

no aaa server http variant response name <http_server_name>
<var_name>

This command is used to delete a specified customized user variable included in the HTTP
authentication login response and the associated single-variable resolution rule for the specified
HTTP AAA server.

aaa server http variant response profile <http_server_name> <var_filter>
<priority>

This command is used to set a multi-variable parsing rule for the specified HTTP AAA server.
This command should be used together with the command “aaa server http variant response
name”. The configured multi-variable parsing rule can be used for the constitution of an HTTP
authentication login challenge message.

http_server_name This parameter specifies the name of an existing HTTP AAA server.

var_filter This parameter specifies the filter condition used to parse the single
user variable included in the HTTP authentication login response.
Its value must be a string of 1 to 256 characters.

priority Optional. This parameter specifies the priority of the rule. Its value
must be an integer ranging from 1 to 100. The lower the value, the
higher the priority. The default value is 50.

For example:

vs(config) aaa server http variant response name "http_server" "<an_var1>"
vs(config) aaa server http variant response name "http_server" "<an_var2>"
vs(config) aaa server http variant response name "http_server" "<an_var3>"
vs(config) aaa server http variant response profile "http_server"
"var_AN_var=<an_var1>::<an_var2>::<an_var3>;"

no aaa server http variant response profile <http_server_name>
<var_filter>

This command is used to delete a specified multi-variable parsing rule for the specified HTTP
AAA server.

show aaa server http variant response <http_server_name>


This command is used to display the configurations of customized user variables included in the
HTTP authentication login response and the associated variable parsing rules for the specified
HTTP AAA server.

aaa server http result <http_server_name> <regex> [user_name]
[group_name] [phone] [picture_url] [uid] [end_flag] [error_message]

This command is used to configure an HTTP response filter rule for the specified HTTP AAA
server. Only one HTTP response filter rule can be configured for one HTTP AAA server.

http_server_name This parameter specifies the name of an existing HTTP AAA server.

regex This parameter specifies the regular expression indicating the
successful HTTP authentication response. If the HTTP
(authentication) response received by AG matches this regular
expression, the end user passes the HTTP authentication.

Its value must be a string of 1 to 256 characters.

Note: It is recommended to simplify the parameter value to increase
the matching efficiency.

user_name Optional. This parameter specifies the way to obtain the username
from the HTTP (authorization) response. If the username is
successfully obtained from the HTTP response, AG will display the
obtained username on the welcome portal page.

Its value must be a string of 1 to 256 characters in the format of
“xxx<an_value>xxx”. Besides, the parameter supports the
following escape characters:

- \r\n: indicates the line break.

- \q: indicates the quotes.

- \\: indicates the backslash.

The default value is empty, indicating not obtaining the username
from the HTTP response.

group_name Optional. This parameter specifies the way to obtain the group
name of the end user from the HTTP (authorization) response. The
obtained group name may be further used for the user authorization.

Its value must be a string of 1 to 256 characters in the format of
“xxx<an_value>xxx”. Besides, the parameter supports the
following escape characters:

- \r\n: indicates the line break.

- \q: indicates the quotes.

- \\: indicates the backslash.

The default value is empty, indicating not obtaining the group name
from the HTTP response.

phone Optional. This parameter specifies the way to obtain the phone
number of the end user from the HTTP (authorization) response.
The obtained phone number is used for SMS authentication when
both HTTP authentication and SMS authentication are required.

Its value must be a string of 1 to 256 characters in the format of
“xxx<an_value>xxx”. Besides, the parameter supports the
following escape characters:

- \r\n: indicates the line break.

- \q: indicates the quotes.

- \\: indicates the backslash.

The default value is empty, indicating not obtaining the phone
number from the HTTP response.

picture_url Optional. This parameter specifies the way to obtain the avatar
picture URL of the end user from the HTTP (authorization)
response.

This parameter needs to be specified when the HTTP-type AAA
server is used for OAuth authentication.

uid Optional. This parameter specifies the way to obtain the UID of the
end user from the HTTP (authorization) response. Its value must be
in the format of “uid=<an_value>”.

This parameter needs to be specified when the HTTP-type AAA
server is used for OAuth authentication.

end_flag Optional. This parameter specifies the end location of the HTTP
response to be filtered. Its value must be a string of 1 to 256
characters.

If the “end_flag” parameter is configured:

- When the HTTP response received by AG contains the “end_flag”, AG starts the
HTTP response filter process.

If the “end_flag” parameter is not configured or the configured
“end_flag” parameter is not found in the HTTP response:

- When the HTTP response received by AG contains the header “Content-Length”,
AG starts the HTTP response filter process after the whole HTTP body of the
HTTP response is received. When the HTTP response received by AG contains the
header “Transfer-Encoding: chunked”, AG starts the HTTP response filter process
after all data chunks of the HTTP response are received.

- When the HTTP response received by AG does not contain the header
“Content-Length”, AG starts the HTTP response filter process after the first
segment of the HTTP response is received.

The default value is empty.

error_message Optional. This parameter specifies the error message to display if
the user fails to pass HTTP authentication. The default error
message is empty.

For example:

vs(config)$aaa server http result "http" "welcome" "username<an_value>\r\n"
"groupname<an_value>\r\n" "phonenumber<an_value>\r\n" "" "" "abc"
"error=<an_value>;"
vs(config)$aaa server http result "oauth_server" "access_token" "username=<an_value>;"
"" "" "pic_url=<an_value>;" "uid=<an_value>;" "" "error=<an_value>;"
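The “xxx<an_value>xxx” filter patterns of “aaa server http result” (with their \r\n, \q and \\ escapes), the single- and multi-variable parsing rules of “aaa server http variant response name/profile”, and a challenge condition such as “<an_ret>=2” worked through in Python as an added example. This is not AG's code: the sample bodies are constructed, and treating a placeholder as the shortest run within one line, running single-variable filters before profiles and letting the first match win are this example's assumptions.

```python
import re

# Escape sequences the handbook allows inside "xxx<an_value>xxx" filter patterns.
_ESCAPES = ((r"\r\n", "\r\n"), (r"\q", '"'), (r"\\", "\\"))
_PLACEHOLDER = re.compile(r"<(an_[A-Za-z0-9_\-]+)>")


def compile_pattern(pattern):
    """Turn a filter such as 'username<an_value>\\r\\n' into (regex, placeholder names).

    Each <an_xx> becomes a capture group that stops at the next literal of the
    pattern, or runs to the end of the line when nothing follows. Matching within
    one line is this example's reading of the handbook, not a documented AG rule.
    """
    parts, names, i = [], [], 0
    while i < len(pattern):
        m = _PLACEHOLDER.match(pattern, i)
        if m:
            names.append(m.group(1))
            i = m.end()
            parts.append(r"([^\r\n]*)" if i == len(pattern) else r"([^\r\n]*?)")
            continue
        for esc, literal in _ESCAPES:
            if pattern.startswith(esc, i):
                parts.append(re.escape(literal))
                i += len(esc)
                break
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts)), names


def extract(pattern, text):
    """{placeholder: captured text} for the first match of pattern in text, else None."""
    regex, names = compile_pattern(pattern)
    m = regex.search(text)
    return dict(zip(names, m.groups())) if m else None


def apply_result_rule(body, rule):
    """Evaluate an 'aaa server http result' rule; the keys mirror the command's parameters."""
    outcome = {"success": re.search(rule["regex"], body) is not None, "error": None}
    for key, field in (("user_name", "username"), ("group_name", "groupname"), ("phone", "phone")):
        found = extract(rule[key], body) if rule.get(key) else None
        outcome[field] = found["an_value"] if found else None
    if not outcome["success"] and rule.get("error_message"):
        _, names = compile_pattern(rule["error_message"])
        if not names:  # a plain message is shown as is
            outcome["error"] = rule["error_message"]
        else:          # otherwise the text captured from the backend reply is shown
            found = extract(rule["error_message"], body)
            outcome["error"] = found[names[0]] if found else None
    return outcome


def parse_variables(body, name_rules, profile_rules):
    """Resolve <an_xx> variables from 'variant response name' and 'profile' rules.

    name_rules: {"<an_xx>": single-variable filter or ""}; profile_rules: [(filter, priority)].
    Assumptions of this example: single-variable filters run first, profiles run in
    ascending priority value, the first rule to yield a variable wins, and only
    variables declared with 'variant response name' are kept.
    """
    declared = {n.strip("<>") for n in name_rules}
    ordered = [(f, 0) for f in name_rules.values() if f] + sorted(profile_rules, key=lambda r: r[1])
    resolved = {}
    for flt, _priority in ordered:
        for name, value in (extract(flt, body) or {}).items():
            if name in declared:
                resolved.setdefault(name, value)
    return resolved


def challenge_needed(variables, condition):
    """Evaluate a login_response_filter / challenge_condition of the form '<an_xx>=yy'."""
    m = re.fullmatch(r"<(an_[A-Za-z0-9_\-]+)>=(.*)", condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    return variables.get(m.group(1)) == m.group(2)


# Constructed sample bodies and rules (not captured from a real backend).
RESULT_RULE = {  # same shape as the first 'aaa server http result' example above
    "regex": "welcome",
    "user_name": r"username<an_value>\r\n",
    "group_name": r"groupname<an_value>\r\n",
    "phone": r"phonenumber<an_value>\r\n",
    "error_message": "error=<an_value>;",
}
LOGIN_OK_BODY = "welcome\r\nusernamealice\r\ngroupnamestaff\r\nphonenumber15550001234\r\n"
LOGIN_FAIL_BODY = "denied\r\nerror=bad password;\r\n"
NAME_RULES = {"<an_ret>": "ret=<an_ret>;", "<an_var1>": "", "<an_var2>": "", "<an_var3>": ""}
PROFILE_RULES = [("var_AN_var=<an_var1>::<an_var2>::<an_var3>;", 50)]
CHALLENGE_BODY = "ret=2;var_AN_var=alpha::beta::gamma;"
```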

no aaa server http result <http_server_name>


This command is used to delete the HTTP response filter rule configured for the specified HTTP
AAA server.

show aaa server http result <http_server_name>


This command is used to display the HTTP response filter rule configured for the specified HTTP
AAA server.

2000-2018 Array Networks, Inc.


132
All Rights Reserved.
Chapter 4 AAA

aaa server http defaultgroup <http_server_name> <default_group>


This command is used to configure the default group assigned to authenticated users for whom no
HTTP group is obtained for the specified HTTP AAA server.

http_server_name This parameter specifies the name of an existing HTTP AAA server.

default_group This parameter specifies the name of the default HTTP group. Its
value must be a string of 1 to 64 characters.

no aaa server http defaultgroup <http_server_name>


This command is used to delete the configuration of the default group assigned to authenticated
users for whom no HTTP group is obtained for the specified HTTP AAA server.

show aaa server http defaultgroup <http_server_name>


This command is used to display the configuration of the default group assigned to authenticated
users for whom no HTTP group is obtained for the specified HTTP AAA server.

SAML

Security Assertion Markup Language (SAML) is an XML-based open standard for describing and
exchanging security information between on-line business partners. AG supports authentication
and authorization using the SAML protocol. In the SAML architecture, AG works as a Service
Provider (SP), providing resources for users and depending on the assertion of the Identity
Provider (IdP) for user authentication and authorization.

This section covers the commands for configuring the SAML function.

aaa saml {enable|disable}


This command is used to enable or disable the SAML function. By default, this function is
disabled.

When the SAML function is enabled, the virtual site will use only SAML for authentication and
authorization, and ignore the other authentication and authorization configuration of the AAA
function, such as LocalDB and LDAP. When the SAML function is disabled, the virtual site will
use the authentication and authorization configuration of the AAA function.

aaa saml idp name <idp_name>


This command is used to configure an IdP. A maximum of three IdPs can be configured for one
virtual site.

idp_name This parameter specifies the name of an IdP. Its value must be a
string of 1 to 64 characters.

no aaa saml idp name <idp_name>

2000-2018 Array Networks, Inc.


133
All Rights Reserved.
Chapter 4 AAA

This command is used to delete a specified IdP.

aaa saml sp idp <idp_name>


This command is used to enable the specified IdP for the SAML SP (AG).

Before enabling an IdP, you need to import the metadata of the IdP using the “aaa saml idp
metadata” command and specify the attributes used to obtain the user identity information from
the SAML Assertion response returned by the IdP using the “aaa saml idp attributes” command.

If no IdP is enabled, all available IdPs will be displayed for the user to select for authentication.

idp_name This parameter specifies the name of the existing IdP specified by
the “aaa saml idp name” command.

no aaa saml sp idp


This command is used to disable the specified IdP that has been enabled for the SAML SP. After
this command is executed, all available IdPs will be displayed for the user to select for
authentication.

aaa saml idp metadata <idp_name> <url>


This command is used to import the metadata of the specified IdP to the SAML SP (AG). Please
note that if the metadata of the IdP has changed, you need to import the new metadata to the
SAML SP.

idp_name This parameter specifies the name of the existing IdP specified by
the “aaa saml idp name” command.

url This parameter specifies the HTTP, HTTPS or FTP URL to obtain
the metadata of the IdP. Its value must be a string of 1 to 900
characters.

show aaa saml idp metadata <idp_name>


This command is used to display the imported metadata of the specified IdP.

aaa saml sp metadata


This command is used to list the URLs where the metadata of the SAML SP can be downloaded.

This metadata should be imported to the IdP enabled for the SAML SP. Please note that the SP
metadata on the IdP should be updated if the attributes configured using the “aaa saml idp
attributes” command or the binding types configured by the “aaa saml sp slo” command is
changed.

Note: Because multiple IP addresses and domain names can be configured for a virtual
site (via the commands “virtual site ip” and “virtual site domain”), there may be
multiple URLs for the metadata of the SP server. The administrator can select the
metadata as required.

aaa saml idp attributes <idp_name> <username> [groupname] [external_acl] [netpool]

This command is used to specify the attributes used to obtain the user identity information from a
SAML Assertion response returned by the specified IdP.

idp_name This parameter specifies the name of the existing IdP specified by
the “aaa saml idp name” command.

username This parameter specifies the attribute to obtain the username from
the SAML Assertion response. The obtained username will be used
for further authorization. Its value must be a string of 1 to 900
characters. Besides, the special value “subject.nameid” is also
supported, indicating the NameID field in the SAML Assertion
response.

groupname Optional. This parameter specifies the attribute to obtain the group
name from the SAML Assertion response. The obtained group
name will be used for further authorization. Its value must be a
string of 1 to 900 characters. The default value is empty.

external_acl Optional. This parameter specifies the attribute to obtain the
external ACL rule from the SAML Assertion response. The
obtained external ACL rule will be used for further authorization. Its
value must be a string of 1 to 900 characters. The default value is
empty.

netpool Optional. This parameter specifies the attribute to obtain the netpool
from the SAML Assertion response. The obtained netpool will be
used for further authorization. Its value must be a string of 1 to 900
characters. The default value is empty.
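The following Python example is added here to illustrate what the four attribute settings above select from an Assertion; it is not Array Networks code and does not describe how the AG itself parses the response. The Response document is a constructed sample, the attribute names “uid”, “memberOf” and “netpool” are assumptions, and the example assumes the Response signature has already been verified before any identity values are trusted.

```python
"""Extract user identity fields from a SAML 2.0 Assertion following the
"aaa saml idp attributes" parameter semantics.  Added illustration, not
Array Networks code: the Response below is a constructed sample and the
attribute names are assumptions."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample Response; a real one is signed and must be verified first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>staff</saml:AttributeValue>
        <saml:AttributeValue>vpn-users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="netpool"><saml:AttributeValue>pool-a</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attribute_values(assertion, name):
    """Return every AttributeValue text of the SAML Attribute called `name`."""
    vals = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            vals.extend((v.text or "").strip()
                        for v in attr.findall("saml:AttributeValue", NS))
    return vals


def identity_from_response(xml_text, username, groupname="", external_acl="", netpool=""):
    """Map the four configured attribute names to values found in the first
    Assertion.  "subject.nameid" selects Subject/NameID, as the handbook's
    special value does; an empty attribute name (the default) yields None."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")

    def pick(attr_name, multi=False):
        if not attr_name:
            return None
        if attr_name == "subject.nameid":
            node = assertion.find("saml:Subject/saml:NameID", NS)
            vals = [node.text.strip()] if node is not None and node.text else []
        else:
            vals = attribute_values(assertion, attr_name)
        if not vals:
            return None
        return vals if multi else vals[0]

    user = pick(username)
    if user is None:
        # The username attribute is mandatory; without it authorization cannot proceed.
        raise ValueError("username attribute %r missing from Assertion" % username)
    return {
        "username": user,
        "groups": pick(groupname, multi=True) or [],
        "external_acl": pick(external_acl),
        "netpool": pick(netpool),
    }


if __name__ == "__main__":
    print(identity_from_response(SAMPLE_RESPONSE, "subject.nameid", "memberOf", "", "netpool"))
```

A group attribute may carry several values, so the example returns all of them; the username is taken as a single value, and a missing username attribute is treated as a hard failure rather than silently producing an empty identity.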

aaa saml sp acs [type]


This command is used to specify the binding type of the Assertion Consumer Service (ACS) on
the SP. The binding type of the ACS will be included in the SP metadata, based on which the IdP
returns the SAML Assertion response to the ACS of the SP.

type This parameter specifies the binding type for the ACS. Its value
must be:

• post: indicates the HTTP POST binding.

• artifact: indicates the HTTP Artifact binding.

The default value is “post”. For more details about SAML bindings,
please refer to http://docs.oasis-open.org/security/saml/v2.0/.

aaa saml sp slo [type]


This command is used to specify the binding type for the Single Logout (SLO) service on the SP.
The IdP uses the specified binding type when communicating with the SLO service on the SP.

type This parameter specifies the binding type for the SLO service.
Its value must be:

• redirect: indicates the HTTP redirect binding.

• post: indicates the HTTP POST binding.

• both: indicates both the HTTP redirect binding and the HTTP
POST binding.

The default value is “both”.

Note: The synchronous SOAP binding is not supported.

show aaa saml config


This command is used to display all the configurations of the SAML function.

clear aaa saml config


This command is used to reset all the configurations of the SAML function. After this command is
executed, the SAML function is disabled.

OAuth Authentication
aaa oauth enable
This command is used to enable OAuth authentication for the virtual site.

When OAuth authentication is enabled for the virtual site, a program of the OAuth client is started
for the virtual site in the system. To communicate with a third-party OAuth server, the OAuth
client should authenticate itself to the OAuth server. Therefore, you need to register the OAuth
client to obtain the Client ID and Secret and register the Redirection URL on the developer
platform of the OAuth server’s service provider. For information on how to register the OAuth
client and the Redirection URL, please contact the service provider of the OAuth server.

By default, OAuth authentication is disabled.

aaa oauth disable


This command is used to disable OAuth authentication for the virtual site.

2000-2018 Array Networks, Inc.


136
All Rights Reserved.
Chapter 4 AAA

aaa oauth id <oauth_server_id>


This command is used to define an OAuth server.

oauth_server_id This parameter specifies the ID of a third-party OAuth server.
Currently, its value must be:

• google: indicates the Google OAuth server.

• wechat: indicates the WeChat OAuth server.

When the Google OAuth server is defined, the system automatically adds the following
configurations:

aaa oauth tokenurl "google" "https://accounts.google.com/o/oauth2/token"
aaa oauth jwksurl "google" "https://www.googleapis.com/oauth2/v3/certs"
aaa oauth authenticatorurl "google" "https://accounts.google.com/o/oauth2/auth"
aaa oauth registration "google"

When the WeChat OAuth server is defined, the system automatically adds the following
configurations:

aaa oauth tokenurl "wechat" "https://api.weixin.qq.com/sns/oauth2/access_token"
aaa oauth authenticatorurl "wechat" "https://open.weixin.qq.com/connect/qrconnect"
aaa oauth resourceurl "wechat" "https://api.weixin.qq.com/sns/userinfo"
aaa oauth registration "wechat"
aaa oauth wechat serviceauthenticatorurl "https://open.weixin.qq.com/connect/oauth2/authorize"

no aaa oauth id <oauth_server_id>


This command is used to delete a specified OAuth server.

aaa oauth authenticatorurl <oauth_server_id> <authenticator_url>


This command is used to set the URL of the specified OAuth server’s login page.

oauth_server_id This parameter specifies an existing OAuth server.

authenticator_url This parameter specifies the URL of the OAuth server’s login page.
Its value must be a string of 1 to 900 characters.

no aaa oauth authenticatorurl <oauth_server_id>


This command is used to delete the URL setting of the specified OAuth server’s login page.

aaa oauth tokenurl <oauth_server_id> <token_url>


This command is used to set the URL from which to obtain an access token from the specified
OAuth server.

2000-2018 Array Networks, Inc.


137
All Rights Reserved.
Chapter 4 AAA

oauth_server_id This parameter specifies an existing OAuth server.

token_url This parameter specifies the URL where the OAuth client obtains
the access token from the OAuth server. Its value must be a string
of 1 to 900 characters.

no aaa oauth tokenurl <oauth_server_id>


This command is used to delete the setting of the URL from which to obtain an access token from
the specified OAuth server.

aaa oauth jwksurl <oauth_server_id> <jwks_url>


This command is used to set the URL from which to obtain the JSON Web Key (JWK) set of the
specified OAuth server. This command needs to be configured only for the Google OAuth server
currently.

oauth_server_id This parameter specifies an existing OAuth server.

jwks_url This parameter specifies the URL where to obtain the JWK set of
the OAuth server. Its value must be a string of 1 to 900 characters.

no aaa oauth jwksurl <oauth_server_id>


This command is used to delete the setting of the URL from which to obtain the JWK set of the
specified OAuth server.

aaa oauth registerid <oauth_server_id> <register_id>


This command is used to set the registered client ID for the OAuth client to communicate with the
specified OAuth server.

oauth_server_id This parameter specifies an existing OAuth server.

register_id This parameter specifies the registered client ID for the OAuth
client. Its value must be a string of 1 to 128 characters.

no aaa oauth registerid <oauth_server_id>


This command is used to delete the setting of the registered client ID for the OAuth client to
communicate with the specified OAuth server.

aaa oauth registersecret <oauth_server_id> <register_secret>


This command is used to set the registered client secret for the OAuth client to communicate with
the specified OAuth server.

oauth_server_id This parameter specifies an existing OAuth server.

2000-2018 Array Networks, Inc.


138
All Rights Reserved.
Chapter 4 AAA

register_secret This parameter specifies the registered client secret for the OAuth
client. Its value must be a string of 1 to 128 characters.

no aaa oauth registersecret <oauth_server_id>


This command is used to delete the setting of the registered client secret for the OAuth client to
communicate with the specified OAuth server.

aaa oauth redirecturl <oauth_server_id> <redirect_url>


This command is used to set the URL to which the specified OAuth server will redirect responses.

oauth_server_id This parameter specifies an existing OAuth server.

redirect_url This parameter specifies the URL to which the OAuth server will
redirect responses. Its value must be a string of 1 to 900 characters.

• For the Google OAuth server, its value must be the same as the
Redirection URL
(“https://<virtual_site_domain_name>/prx/000/http/localh/oauth_code”)
registered on Google’s third-party developer platform.

• For the WeChat OAuth server, its value must be in the format of
“https://<virtual_site_domain_name>/prx/000/http/localh/oauth_wechat_code”
and its virtual site domain name must have been registered on
WeChat’s developer platform.

no aaa oauth redirecturl <oauth_server_id>


This command is used to delete the setting of the URL to which the specified OAuth server will
redirect responses.

aaa oauth resourceurl <oauth_server_id> <resource_url>


This command is used to set the URL from which the OAuth client obtains the user information
from the specified OAuth server. This command needs to be configured only for the WeChat
OAuth server currently.

oauth_server_id This parameter specifies an existing OAuth server.

resource_url This parameter specifies the URL where the OAuth client obtains
the user information from the resource server. Its value must be a
string of 1 to 900 characters.

Note: The Google OAuth server will return the user information in the Access Token
responses and therefore this configuration is not required.

2000-2018 Array Networks, Inc.


139
All Rights Reserved.
Chapter 4 AAA

no aaa oauth resourceurl <oauth_server_id>


This command is used to delete the setting of the URL from which the OAuth client obtains the
user information from the specified OAuth server.

aaa oauth registration <oauth_server_id>


This command is used to enable post-OAuth user registration for the specified OAuth server.
When this function is enabled, OAuth users are required to register to the system after passing the
OAuth authentication. During the user registration, users need to authenticate themselves to the
authentication server in the AAA method specified by the “aaa method register” command. After
the user passes the authentication, the system will bind the obtained OAuth user IDs (UIDs) with
the usernames used for registration. The usernames used for registration instead of the obtained
OAuth usernames will be used for further authorization and displayed on the welcome page.

By default, post-OAuth user registration is enabled.

oauth_server_id This parameter specifies an existing OAuth server.

no aaa oauth registration <oauth_server_id>


This command is used to disable post-OAuth user registration for the specified OAuth server.
When post-OAuth user registration is disabled, the obtained OAuth usernames (email accounts for
the Google OAuth server or nicknames for the WeChat OAuth server) will be used for
authorization. Therefore, the authorization server in the same AAA method as the OAuth server
should have accounts with the same usernames as the obtained OAuth usernames. Otherwise, the
authorization will fail. After the OAuth users pass the authorization, the OAuth usernames will be
displayed.

aaa oauth prefixasusername <oauth_server_id>


This command is used to enable the option of using an email account prefix as the OAuth
username for the specified OAuth server. By default, this option is disabled.

oauth_server_id This parameter specifies an existing OAuth server.

Note: This option can be used when post-OAuth user registration is disabled.

no aaa oauth prefixasusername <oauth_server_id>


This command is used to disable the option of using an email account prefix as the OAuth
username for the specified OAuth server.

aaa oauth authorizationfilter <oauth_server_id> <authorization_filter>


This command is used to configure the post-OAuth authorization filter for the specified OAuth
server. The system will continue to perform authorization for an OAuth user after OAuth
authentication only when the OAuth username (email account for the Google OAuth server or
nickname for the WeChat OAuth server) matches the post-OAuth authorization filter.

2000-2018 Array Networks, Inc.


140
All Rights Reserved.
Chapter 4 AAA

If the post-OAuth authorization filter is not configured, the system will continue to perform
authorization for all users passing OAuth authentication.

oauth_server_id This parameter specifies an existing OAuth server.

authorization_filter This parameter specifies the regular expression used to filter
usernames. Its value must be a string of 1 to 64 characters.

no aaa oauth authorizationfilter <oauth_server_id>


This command is used to delete the post-OAuth authorization filter configured for the specified
OAuth server.
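The following Python example is added to show how the “aaa oauth registration”, “aaa oauth prefixasusername” and “aaa oauth authorizationfilter” settings combine to decide which username the post-OAuth authorization step sees. It is an illustration, not Array Networks code: the OAuthServer record and user profiles are constructed, and whole-string matching of the filter (re.fullmatch) is an assumption, since the handbook does not state how the regular expression is anchored.

```python
"""Decide the username handed to post-OAuth authorization, following the
"aaa oauth registration", "aaa oauth prefixasusername" and
"aaa oauth authorizationfilter" descriptions.  Added illustration, not
Array Networks code; the settings and profiles are constructed."""
import re
from dataclasses import dataclass


@dataclass
class OAuthServer:
    server_id: str                    # "google" or "wechat"
    registration: bool = True         # post-OAuth user registration (default on)
    prefix_as_username: bool = False  # use the e-mail account prefix as username
    authorization_filter: str = ""    # regex over the OAuth username; "" = no filter


def oauth_username(server, profile):
    """The OAuth username: e-mail account for Google, nickname for WeChat.
    The prefix option is only applied with registration disabled, as the
    handbook's note on "aaa oauth prefixasusername" indicates."""
    if server.server_id == "google":
        name = profile["email"]
        if server.prefix_as_username and not server.registration:
            name = name.split("@", 1)[0]
        return name
    if server.server_id == "wechat":
        return profile["nickname"]
    raise ValueError("unsupported OAuth server id %r" % server.server_id)


def passes_authorization_filter(server, name):
    """An empty filter admits every OAuth user; otherwise the regex must
    match the whole username (fullmatch is this example's assumption)."""
    if not server.authorization_filter:
        return True
    return re.fullmatch(server.authorization_filter, name) is not None


def authorization_subject(server, profile, registered_name=None):
    """Return (username_for_authorization, source).
    With registration enabled, the username bound to the OAuth UID at
    registration replaces the OAuth username; with it disabled, the OAuth
    username itself is used and must exist on the authorization server."""
    name = oauth_username(server, profile)
    if not passes_authorization_filter(server, name):
        raise PermissionError("OAuth user %r rejected by authorization filter" % name)
    if server.registration:
        if not registered_name:
            raise ValueError("registration is enabled but no username is bound to this UID")
        return registered_name, "registered"
    return name, "oauth"
```

With registration disabled, a filter such as `.*@example\.com` is the only thing that keeps users from unrelated Google accounts out of the authorization step, so the filter deserves the same review as an ACL.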

To use a WeChat service account to provide the virtual site’s resources to end users, you also need
to configure the following advanced settings for successful WeChat OAuth authentication.

aaa oauth wechat serviceauthenticatorurl <service_authenticator_url>


This command is used to set the URL from which to authenticate service accounts for WeChat
OAuth authentication.

service_authenticator_url This parameter specifies the URL where to authenticate service
accounts. Its value must be a string of 1 to 900 characters.

no aaa oauth wechat serviceauthenticatorurl


This command is used to delete the setting of the URL from which to authenticate service
accounts for the WeChat OAuth server.

aaa oauth wechat serviceregisterid <service_appid>


This command is used to set the registered AppID of the service account for WeChat OAuth
authentication.

service_appid This parameter specifies the registered AppID of the service
account for WeChat OAuth authentication. Its value must be a
string of 1 to 128 characters.

no aaa oauth wechat serviceregisterid


This command is used to delete the setting of the registered AppID of the service account for
WeChat OAuth authentication.

aaa oauth wechat serviceregistersecret <service_appsecret>


This command is used to set the registered AppSecret of the service account for WeChat OAuth
authentication.

service_appsecret This parameter specifies the registered AppSecret of the service
account for WeChat OAuth authentication. Its value must be a
string of 1 to 128 characters.

no aaa oauth wechat serviceregistersecret


This command is used to delete the setting of the registered AppSecret of the service account for
WeChat OAuth authentication.

show aaa oauth config


This command is used to display the configurations related to OAuth authentication.

clear aaa oauth config


This command is used to clear the configurations related to OAuth authentication.

Method
aaa method name <method_name> [description]
This command is used to add an AAA method. An AAA method specifies the AAA server(s) used for
authentication and the AAA server used for authorization. A maximum of five AAA methods can be
configured.

method_name This parameter specifies the name of the AAA method. Its value
must be a case-insensitive string of 1 to 32 characters enclosed by
double quotes when beginning with a non-alphabetical character.

description Optional. This parameter specifies the description of the method. Its
value must be a string of 1 to 127 characters enclosed by double
quotes when beginning with a non-alphabetical character. If this
parameter is not specified, the default description will be the value
of “method_name”.

no aaa method name <method_name>


This command is used to delete the specified AAA method.

show aaa method name


This command is used to display all AAA methods.

aaa method server <method_name> <authentication_server> [authorization_server]

This command is used to configure the authentication and authorization server(s) for the specified
AAA method.

method_name This parameter specifies the name of the existing AAA method.

2000-2018 Array Networks, Inc.


142
All Rights Reserved.
Chapter 4 AAA

authentication_server This parameter specifies the authentication server(s). A maximum
of three authentication servers can be configured for one AAA
method. These three authentication servers can be of the same type
or different types. If multiple authentication servers are configured,
they must be separated by comma(s) and enclosed by double
quotes.

authorization_server Optional. This parameter specifies the authorization server. Its value
must be:

• authorization server: indicates that the virtual site uses the
specified AAA server as authorization server.

• “none”: indicates that the virtual site skips the authorization.

• empty: indicates that the only authentication server will be
used as the authorization server.

The default value is empty.

Note:

• When the “authentication_server” parameter specifies more
than one authentication server, its value can only be an AAA
server name or “none”. The authorization server will be the
same as the authentication server.

• When the “authentication_server” parameter specifies only
one authentication server, the default value is empty.

Note: The authorization server cannot be specified as an SMX server.

no aaa method server <method_name>


This command is used to delete the configuration of the authentication and authorization servers
for the specified AAA method.

show aaa method server <method_name>


This command is used to display the authentication and authorization servers of the specified
AAA method.

Note: Different AAA server scenarios can meet specific needs. Following are examples of
how to configure AAA servers:

• Authentication server but no authorization server:

aaa method server m1 radius none

• Authentication server and authorization server:

aaa method server m1 radius ldap

• Authentication server same as authorization server:

aaa method server m1 radius

• Multiple authentication servers and authorization server:

aaa method server m1 "radius, ldap" localdb

• Multiple authentication servers but no authorization server:

aaa method server m1 "radius, ldap" none
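The following Python example is added to work through the “aaa method server” parameter rules against the five configurations listed above: the quoted comma-separated list, the limit of three authentication servers, “none” to skip authorization, the empty value meaning “same as the only authentication server”, and the restriction that an SMX server cannot authorize. It is an illustration, not Array Networks code; the SERVERS table is constructed, and treating an empty authorization value as an error when several authentication servers are listed is this example's reading of the note above.

```python
"""Resolve the authentication/authorization server pair of an AAA method
following the "aaa method server" parameter descriptions.  Added
illustration, not Array Networks code; the server table is constructed."""

# Constructed table of configured AAA servers (name -> type).
SERVERS = {
    "radius": "RADIUS",
    "ldap": "LDAP",
    "localdb": "LocalDB",
    "smx": "SMX",
}

MAX_AUTHENTICATION_SERVERS = 3


def parse_server_list(value):
    """'"radius, ldap"' -> ["radius", "ldap"]; the double quotes are optional
    for a single name.  Curly quotes from copied documentation are tolerated."""
    value = value.strip()
    if value[:1] in ('"', "\u201c") and value[-1:] in ('"', "\u201d"):
        value = value[1:-1]
    return [n.strip() for n in value.split(",") if n.strip()]


def resolve_method_servers(authentication_server, authorization_server=""):
    """Return (auth_servers, authz_server); authz_server is None when the
    method skips authorization ("none")."""
    auth = parse_server_list(authentication_server)
    if not auth:
        raise ValueError("at least one authentication server is required")
    if len(auth) > MAX_AUTHENTICATION_SERVERS:
        raise ValueError("at most %d authentication servers per AAA method"
                         % MAX_AUTHENTICATION_SERVERS)
    unknown = [n for n in auth if n not in SERVERS]
    if unknown:
        raise ValueError("unknown AAA server(s): %s" % ", ".join(unknown))

    authz = authorization_server.strip()
    if authz == "none":
        return auth, None
    if authz == "":
        if len(auth) > 1:
            # With several authentication servers the value must be a server
            # name or "none" (this example's reading of the handbook note).
            raise ValueError("name an authorization server or 'none' when more "
                             "than one authentication server is configured")
        return auth, auth[0]
    if authz not in SERVERS:
        raise ValueError("unknown authorization server %r" % authz)
    if SERVERS[authz] == "SMX":
        raise ValueError("the authorization server cannot be an SMX server")
    return auth, authz


if __name__ == "__main__":
    for args in (("radius", "none"), ("radius", "ldap"), ("radius",),
                 ('"radius, ldap"', "localdb"), ('"radius, ldap"', "none")):
        print(args, "->", resolve_method_servers(*args))
```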

aaa method otp <method_name> <otp_server> {authentication_server|authorization_server}

This command is used to configure the one-time password (OTP) server and the server from
which the mobile phone numbers of users will be obtained for the specified AAA method.

method_name This parameter specifies the name of the existing AAA method.

otp_server This parameter specifies the name of an existing OTP server. The
OTP server must be the SMS server configured by the command
“aaa server name sms”.

authentication_server|authorization_server This parameter specifies the name of an existing server from which
the mobile phone numbers of users will be obtained. The server
must be the one used for authentication or authorization configured
by the command “aaa method server” and the server type must be
LocalDB, LDAP, RADIUS or Certificate.

Note: If the related authentication or authorization server is deleted by executing the
command “no aaa method server”, this command configuration will also be deleted.

no aaa method otp <method_name>


This command is used to delete the OTP server and the authentication or authorization server
configured for the specified AAA method.

show aaa method otp <method_name>


This command is used to display the OTP server and the authentication or authorization server
configured for the specified AAA method.

Rank
aaa method rank include <method_name> <number>

2000-2018 Array Networks, Inc.


144
All Rights Reserved.
Chapter 4 AAA

This command is used to add an AAA method to the rank list of AAA methods and set the rank
number of the AAA method in the rank list.

method_name This parameter specifies the name of the existing AAA method.

number This parameter specifies the rank number of the AAA method in the
rank list. Its value must be 1, 2, 3 or 4. The smaller the value, the
higher the rank. For example, the parameter value “1” indicates that
the AAA method ranks number 1 in the rank list.

no aaa method rank include <number>


This command is used to delete a specified AAA method from the rank list of AAA methods.

show aaa method rank


This command is used to display the current AAA rank configuration.

aaa method rank {on|off}


This command is used to enable or disable the AAA rank function. Before the AAA rank function
is enabled, please add the AAA method to the rank list of AAA methods by the “aaa method
rank include” command first. By default, the AAA rank function is disabled.

Note: If the administrator deletes all AAA methods from the rank list, the AAA rank
function will automatically become disabled.

Accounting
aaa accounting {on|off}
This command is used to enable or disable the RADIUS accounting function. By default, this
function is disabled.

aaa accounting server <server_name>


This command is used to configure the RADIUS server used for accounting.

server_name This parameter specifies an existing RADIUS server name.

no aaa accounting server


This command is used to delete the RADIUS server used for accounting.

aaa accounting login


This command is used to enable the sending of accounting records to the RADIUS server when
users log in or log out.

no aaa accounting login

This command is used to disable the sending of accounting records to the RADIUS server when
users log in or log out.

aaa accounting vpn


This command is used to enable the sending of accounting records to the RADIUS server when
VPN tunnels are established or terminated.

no aaa accounting vpn


This command is used to disable the sending of accounting records to the RADIUS server when
VPN tunnels are established or terminated.

aaa accounting fail allowaccess


This command is used to enable the user access permission when the RADIUS accounting fails.

no aaa accounting fail allowaccess


This command is used to disable the user access permission when the RADIUS accounting fails.

Group Mapping
aaa map group <ext_grp_name> <int_grp_name>
This command is used to map an external group to an internal LocalDB group. The maximum
number of group mappings varies with the number of LocalDB groups.

ext_grp_name This parameter specifies the external group name. Its value must be
a string of 1 to 64 characters.

Note: This parameter value cannot contain spaces or characters like
“,”, “;” and “:”.

int_grp_name This parameter specifies the internal LocalDB group name.

Note: This parameter value cannot contain the character “:”.

no aaa map group <ext_grp_name> <int_grp_name>


This command is used to delete a mapping between an external group and an internal LocalDB
group.

show aaa map group [ext_grp_name]


This command is used to display the group mappings for the specified external group. If the
“ext_grp_name” parameter is not specified, all the mappings between external groups and internal
LocalDB groups will be displayed.

clear aaa map group

2000-2018 Array Networks, Inc.


146
All Rights Reserved.
Chapter 4 AAA

This command is used to delete all mappings between external groups and internal LocalDB
groups.

Hardware ID
aaa hardwareid {on|off}
This command is used to enable or disable the Hardware ID authorization function. By default, the
Hardware ID authorization function is disabled.

aaa hardwareid initmode activex


This command is used to set the initiation mode of the Hardware ID authorization component to
“ActiveX”.

aaa hardwareid initmode java


This command is used to set the initiation mode of the Hardware ID authorization component to
“Java”.

aaa hardwareid initmode autoswitch


This command is used to enable auto switch of the initiation mode for the Hardware ID
authorization component. When the auto switch of the initiation mode is enabled, the system will
switch to another initiation mode if it fails to start the Hardware ID authorization component using
the first initiation mode.

no aaa hardwareid initmode autoswitch


This command is used to disable auto switch of the initiation mode for the Hardware ID
authorization component.

localdb hardwareid email <email>


This command is used to set an email address for the administrator to receive Hardware ID
authorization requests from end users.

email This parameter specifies the email address. Its value must be a
string of 1 to 127 characters.

no localdb hardwareid email


This command is used to delete the configuration of the email address for the administrator to
receive Hardware ID authorization requests from end users.

show localdb hardwareid email


This command is used to display the email address configured for the administrator to receive
Hardware ID authorization requests from end users.

localdb hardwareid {on|off} <group_name>

2000-2018 Array Networks, Inc.


147
All Rights Reserved.
Chapter 4 AAA

This command is used to enable or disable Hardware ID authorization for the specified LocalDB
group.

group_name This parameter specifies the name of an existing LocalDB group.

localdb hardwareid aggregation <group_name>


This command is used to enable the aggregation function for the specified LocalDB group. When
the aggregation function is enabled for a LocalDB group, administrators can configure the
Hardware ID rule to authorize all users of this group to use the specified client device to access the
virtual site. When the aggregation function is disabled for the group, administrators can configure
the Hardware ID rule to authorize only a specified user in the group to use this specified client
device to access the virtual site.

group_name This parameter specifies the name of an existing LocalDB group.

no localdb hardwareid aggregation <group_name>


This command is used to disable the aggregation function for the specified group.

localdb hardwareid group <status> <group_name> <hardware_id> [host_name]

This command is used to configure a Hardware ID rule for the specified LocalDB group.

status This parameter specifies the status of the device. Its value must be:

• approve: indicates that the users in this group can use the
device to access internal resources.

• pending: indicates that the users in this group can use the
device to access internal resources only after the
administrator’s approval.

• deny: indicates that the users in this group cannot use the
device to access internal resources.

group_name This parameter specifies the name of an existing LocalDB group.

hardware_id This parameter specifies the hardware ID of the device. Its value
must be a string of 1 to 511 characters.

host_name Optional. This parameter specifies the host name corresponding to
the hardware ID. Its value must be a string of 1 to 511 characters.
The default value is “empty”.

Note: For an external group, the administrator can map the external group to a LocalDB
group using the “aaa map group” command. Then when the users in this external group
access the virtual site, the Hardware ID rules for the mapping LocalDB group will work
for these users.

no localdb hardwareid group <status> <group_name> <hardware_id>


This command is used to delete a Hardware ID rule configured for the specified LocalDB group.

localdb hardwareid policy <group_name> [mac_any|mac_all|machineid]


This command is used to set the Hardware ID matching policy for the specified LocalDB group.

group_name This parameter specifies the name of an existing LocalDB group.

mac_any|mac_all|machineid Optional. This parameter specifies the Hardware ID matching
policy. Its value must be:

• mac_any: indicates that a Hardware ID rule will take effect
when any of the client’s MAC addresses matches a MAC
address in the rule.

• mac_all: indicates that a Hardware ID rule will take effect
when all the client’s MAC addresses match the MAC
addresses in the rule and the number of the client’s MAC
addresses is equal to that of the MAC addresses in the rule.

• machineid: indicates that a Hardware ID rule will take effect
when the client’s MachineID matches the MachineID in the
rule.

The default value is “machineid”.
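The following Python example is added to make the three matching policies concrete: “mac_any” needs one shared MAC address, “mac_all” needs the client's MAC set to equal the rule's MAC set (same members and same count), and “machineid” compares only the MachineID. It is an illustration, not Array Networks code: the rule and client records are constructed, the encoding of a hardware ID string as MAC addresses and a MachineID joined by “;” is an assumption (the handbook only gives the length limit), and evaluating “deny” rules before “approve” rules is a design choice of this example rather than documented AG behaviour.

```python
"""Evaluate Hardware ID rules against a client under the "localdb hardwareid
policy" matching policies.  Added illustration, not Array Networks code;
records are constructed and the hardware-ID encoding is an assumption."""
from dataclasses import dataclass


@dataclass
class HardwareRule:
    status: str           # approve | pending | deny
    macs: frozenset       # normalized MAC addresses listed in the rule
    machine_id: str = ""


@dataclass
class ClientHardware:
    macs: frozenset       # normalized MAC addresses reported by the client
    machine_id: str = ""


def norm_mac(mac):
    """Canonical lower-case colon form so 'AA-BB-CC-DD-EE-FF' == 'aa:bb:cc:dd:ee:ff'."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError("bad MAC address %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_hardware_id(hardware_id):
    """Assumed encoding: 'mac1;mac2;...;machineid=XYZ' -> (macs, machine_id)."""
    macs, machine_id = set(), ""
    for part in hardware_id.split(";"):
        part = part.strip()
        if not part:
            continue
        if part.lower().startswith("machineid="):
            machine_id = part.split("=", 1)[1]
        else:
            macs.add(norm_mac(part))
    return frozenset(macs), machine_id


def rule_matches(policy, rule, client):
    """True when `rule` applies to `client` under the named policy."""
    if policy == "mac_any":
        return bool(rule.macs & client.macs)
    if policy == "mac_all":
        # every client MAC must be in the rule and the counts must be equal,
        # which together require the two sets to be identical
        return client.macs == rule.macs and len(client.macs) == len(rule.macs)
    if policy == "machineid":
        return bool(rule.machine_id) and rule.machine_id == client.machine_id
    raise ValueError("unknown policy %r" % policy)


def decide_access(policy, rules, client):
    """Return the status of the matching rule or 'no-match'.  Deny rules are
    checked first (this example's choice) so an explicit block cannot be
    shadowed by a broader approve rule."""
    for wanted in ("deny", "approve", "pending"):
        for rule in rules:
            if rule.status == wanted and rule_matches(policy, rule, client):
                return rule.status
    return "no-match"


if __name__ == "__main__":
    macs, mid = parse_hardware_id("00-11-22-33-44-55;66:77:88:99:AA:BB;machineid=M-1")
    rule = HardwareRule("approve", macs, mid)
    laptop = ClientHardware(frozenset({"00:11:22:33:44:55"}), "other")
    for policy in ("mac_any", "mac_all", "machineid"):
        print(policy, decide_access(policy, [rule], laptop))
```

Under “mac_any” a client that shares a single interface address with the rule (a docking station or USB adapter moved between machines, for instance) is accepted, which is why the stricter default “machineid” is the safer choice where MachineIDs are available.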

show localdb hardwareid rule [type] [status] [keyword] [match_mode] [offset] [count] [orderby]

This command is used to display the configured Hardware ID rules.

type Optional. This parameter specifies the type of Hardware ID rules to
be displayed. Its value must be:

• account: indicates that Hardware ID rules configured for users
will be displayed.

• group: indicates that Hardware ID rules configured for groups
will be displayed.

• all: indicates that Hardware ID rules of both types will be
displayed.

The default value is “all”.

status Optional. This parameter specifies the status of the Hardware ID
rules to be displayed. Its value must be “approve”, “pending”,
“deny” or “all”. The default status is “all”, indicating that Hardware
ID rules of all statuses will be displayed.

keyword Optional. This parameter specifies a string to match the hardware
ID, the user account name or LocalDB group name of the Hardware
ID rules. Its value must be a string of 0 to 256 characters. The
default value is “empty”, indicating all matching Hardware ID rules
will be displayed.

match_mode Optional. This parameter specifies the matching mode of Hardware
ID rules to be displayed. Its value must be:

• exact: indicates that the Hardware ID rules exactly matching
the keyword string will be displayed.

• substring: indicates that the Hardware ID rules partly matching the
keyword string will be displayed.

The default value is “exact”.

offset Optional. This parameter specifies the position of the first Hardware ID
rule to be displayed. The default value is 0, indicating all
matching Hardware ID rules will be displayed.

count Optional. This parameter specifies the number of Hardware ID rules
to be displayed. The default value is 0, indicating all matching
Hardware ID rules will be displayed.

orderby Optional. This parameter specifies the order by which to display the
hardware ID rules. Its value must be one or more of “name”, “type”, “status”,
“hardwareid”, “hostname” and “synced”. You can enter multiple
values separated with commas. The default value is “name”. If you
want to display the hardware ID rules in reverse order, enter DESC
after the value.

clear localdb hardwareid rule [type] [status] [keyword]


This command is used to delete the specified Hardware ID rules.

localdb hardwareid grouplimit <limit>

2000-2018 Array Networks, Inc.


150
All Rights Reserved.
Chapter 4 AAA

This command is used to set the maximum number of Hardware ID rules with status “approve” for
every LocalDB group with the aggregation function enabled. If this command is not configured,
the default maximum number of Hardware ID rules for every LocalDB group with the aggregation
function enabled is 16.

limit This parameter specifies the maximum number of Hardware ID rules. Its value must be an integer ranging from 0 to 65,535.

no localdb hardwareid grouplimit


This command is used to reset the maximum number of Hardware ID rules with status “approve”
for every LocalDB group with the aggregation function enabled to the default setting 16.

localdb hardwareid autocollect <group_name>


This command is used to enable the auto collect function for the specified LocalDB group. When
this function is enabled, the system automatically collects the MAC/MachineID with status set to
“pending” from clients even if no matching Hardware ID rule exists. To use this function, the
aggregation function must be enabled for the specified LocalDB group.

group_name This parameter specifies the name of an existing LocalDB group.

no localdb hardwareid autocollect <group_name>


This command is used to disable the auto collect function for the specified LocalDB group.

localdb hardwareid autoapprove <group_name>


This command is used to enable the auto approve function for the specified LocalDB group. When
this function is enabled, the system automatically approves the hardware ID with the status
“pending” set by the auto collect function. To use this function, the aggregation and auto collect
functions must be enabled for the specified LocalDB group.

group_name This parameter specifies the name of an existing LocalDB group.

no localdb hardwareid autoapprove <group_name>


This command is used to disable the auto approve function for the specified LocalDB group.

localdb hardwareid account <status> <account_name> <hardware_id> [host_name]

This command is used to configure a Hardware ID rule for the specified user account.

status This parameter specifies the status of the device. Its value must be:

• approve: indicates that the user can use the device to access internal resources.

• pending: indicates that the user can use the device to access internal resources only after the administrator’s approval.

• deny: indicates that the user cannot use the device to access internal resources.

account_name This parameter specifies the username of an existing user account.

hardware_id This parameter specifies the hardware ID of the device. Its value
must be a string of 1 to 511 characters.

host_name Optional. This parameter specifies the host name corresponding to the hardware ID. Its value must be a string of 1 to 511 characters. The default value is “empty”.

no localdb hardwareid account <status> <account_name> <hardware_id>


This command is used to delete a Hardware ID rule configured for the specified LocalDB account.

localdb hardwareid userlimit <limit>


This command is used to set the maximum number of Hardware ID rules with status “approve” for
every user belonging to the LocalDB group with the aggregation function disabled. If this
command is not configured, the default maximum number of Hardware ID rules with status
“approve” for every user belonging to the LocalDB group with the aggregation function disabled
is 1.

limit This parameter specifies the maximum number of Hardware ID rules for each user who does not belong to an aggregated group. Its value must be an integer ranging from 0 to 255.

no localdb hardwareid userlimit


This command is used to reset the maximum number of Hardware ID rules with status “approve”
for every user belonging to the LocalDB group with the aggregation function disabled to the
default setting 1.

show localdb hardwareid userlimit


This command is used to display the maximum number of Hardware ID rules with status
“approve” for every user belonging to the LocalDB group with the aggregation function disabled.

show localdb hardwareid settings [group_name]


This command is used to display the settings of Hardware ID authorization for a specified
LocalDB group. If the “group_name” parameter is not configured, the settings of Hardware ID
authorization for all LocalDB groups will be displayed.

clear localdb hardwareid config [group_name]


This command is used to clear the configurations of Hardware ID authorization for a specified
LocalDB group. If the “group_name” parameter is not configured, all configurations of Hardware
ID will be cleared.

localdb hardwareid devicelimit <limit>


This command is used to set the maximum number of LocalDB accounts that can be bound to a
device with the aggregation function disabled. If this command is not configured, the default
maximum number of LocalDB accounts that can be bound to a device is 0 with the aggregation
function disabled.

limit This parameter specifies the maximum number of LocalDB accounts that can be bound to a device. Its value must be an integer ranging from 0 to 255. If the parameter value is set to “0”, the number of LocalDB accounts that can be bound to a device will not be limited.

no localdb hardwareid devicelimit


This command is used to reset the maximum number of LocalDB accounts that can be bound to a
device with the aggregation function disabled to the default setting.

show localdb hardwareid devicelimit


This command is used to display the maximum number of LocalDB accounts that can be bound to
a device with the aggregation function disabled.

localdb hardwareid sync {on|off}


This command is used to enable or disable the automatic Hardware ID synchronization function.
When the automatic Hardware ID synchronization is enabled, the Hardware ID rules specific to
user accounts in the “Approve” status will be synchronized to the Hardware ID synchronization
host (which is an external account management platform) in real time. If the status of a Hardware
ID rule specific to a user account is changed from “Approve” to “Pending” or “Deny” or one
Hardware ID rule specific to a user account is deleted, the corresponding Hardware ID rule
specific to this user account will be deleted from the Hardware ID synchronization host too.

To use this function, the Hardware ID synchronization host must be configured using the “localdb
hardwareid sync host” command and the HTTP request template must be configured using the
“localdb hardwareid sync req” command.

localdb hardwareid sync manual [account_name] [hardware_id]


This command is used to manually synchronize certain Hardware ID rules specific to user
accounts in the “Approve” status to the Hardware ID synchronization host (configured using the
“localdb hardwareid sync host” command).

To use this function, the Hardware ID synchronization host must be configured using the “localdb
hardwareid sync host” command and the HTTP request templates must be configured using the
“localdb hardwareid sync req” command.


account_name Optional. This parameter specifies the username of an existing user account.

• If this parameter is specified, the Hardware ID rules of this user will be synchronized.

• If this parameter is not specified, the Hardware ID rules of all users will be synchronized.

The default value is empty.

hardware_id Optional. This parameter specifies the hardware ID of the device to be synchronized. Its value must be a string of 1 to 511 characters.

• If this parameter is specified, the Hardware ID rules matching the Hardware ID will be synchronized.

• If this parameter is not specified, the Hardware ID rules matching all Hardware IDs will be synchronized.

The default value is empty.

localdb hardwareid sync host <sync_host> [port] [key] [timeout] [retries] [tls_flag] [auth_code] [index]

This command is used to configure a Hardware ID synchronization host used to receive the
Hardware ID rules. This command can be also used to modify the settings of an existing Hardware
ID synchronization host. A maximum of three Hardware ID synchronization hosts can be
configured.

sync_host This parameter specifies the host name or IP address of the Hardware ID synchronization host. For the host name, the value must be a string of 1 to 900 characters. For the IP address, the value must be an IPv4 address. Please note that the Hardware ID synchronization host should be a Web host.

port Optional. This parameter specifies the port number of the Hardware
ID synchronization host. Its value must be an integer ranging from
1 to 65,535. The default value is 80.

key Optional. This parameter specifies the encryption key used to encrypt the Hardware ID rules to be synchronized. Its value must be a string of 1 to 18 characters. The default value is empty, indicating the data will not be encrypted.

timeout Optional. This parameter specifies the timeout value of the synchronization in seconds. Its value must be an integer ranging from 0 to 60. If the parameter value is set to 0, the system will keep waiting for the response from the synchronization host. The default value is 5.

retries Optional. This parameter specifies the retry times of the synchronization. Its value must be an integer ranging from 0 to 10. If the parameter value is set to 0, the system will keep trying to connect to the synchronization host. If the parameter value is set to 1, the synchronization operation will be performed only one time. The default value is 3.

tls_flag Optional. This parameter specifies whether to access the Hardware ID synchronization host over the TLS protocol. Its value must be:

• “tls”: indicates that the Hardware ID synchronization host is accessed over the TLS protocol.

• empty: indicates that the Hardware ID synchronization host is not accessed over the TLS protocol.

The default value is empty.

auth_code Optional. This parameter specifies the username and password used for accessing the Hardware ID synchronization host. Its value must be a string of 1 to 64 characters. The username and password should be separated by a colon (:). The default value is empty, indicating that no authentication is required by the Hardware ID synchronization host.

index Optional. This parameter specifies the index of the Hardware ID synchronization host. Its value must be 1, 2 or 3. The default value is 1.

Note: If the synchronization fails in the specified timeout and retry times, the system will
try to synchronize the data again after the synchronization host is UP.

no localdb hardwareid sync host <index>


This command is used to delete a Hardware ID synchronization host with a specified index.

index This parameter specifies the index of the Hardware ID synchronization host to be deleted. Its value must be 1, 2 or 3.

localdb hardwareid sync req <type> <action> <url> [index]


This command is used to set the HTTP request template used to synchronize Hardware ID rules
for a specified Hardware ID synchronization host.

type This parameter specifies the type of the Hardware ID synchronization operation. Its value must be “add” or “delete”.

action This parameter specifies the HTTP method. Its value must be “get”, “post”, “put” or “delete”.

url This parameter specifies the request URL. Its value must be a string
of 1 to 900 characters and begin with “/”, such as
“/array/addhardwareid”.

index Optional. This parameter specifies the index of the Hardware ID synchronization host. Its value must be 1, 2 or 3. The default value is 1.

The following table describes the mapping relationship between the parameters “type” and
“action”.

Type   | Action
Add    | Get, Post, Put
Delete | Get, Post, Delete

For example:

vs(config)$localdb hardwareid sync req add post "/secsys/1.0/hardwareid" 1
vs(config)$localdb hardwareid sync req delete delete "/secsys/1.0/hardwareid" 2

You can also use the following example:

vs(config)$localdb hardwareid sync req add post "/secsys/1.0/addhardwareid" 1
vs(config)$localdb hardwareid sync req delete post "/secsys/1.0/deletehardwareid" 2

no localdb hardwareid sync req <index> <type>


This command is used to delete an HTTP request template for synchronizing Hardware ID rules
configured for a specified Hardware ID synchronization host.

index This parameter specifies the index of the Hardware ID synchronization host. Its value must be 1, 2 or 3.

type This parameter specifies the type of the Hardware ID synchronization operation. Its value must be “add”, “delete” or “all”. If the parameter value is set to “all”, all the HTTP request templates for the Hardware ID synchronization host will be deleted.

show localdb hardwareid sync


This command is used to display the configurations of the Hardware ID synchronization.

clear localdb hardwareid sync


This command is used to clear the configurations of the Hardware ID synchronization.


Chapter 5 User Policy

Role Configuration
role name <role_name> [description] [priority]
This command is used to add a role. When the setting of “role_name” is an existing one, this
command is also used to update role information.

role_name This parameter specifies the name of the role. Its value must be a
string of 1 to 63 characters.

description Optional. This parameter specifies the description of a role. Its value must be a string of 1 to 255 characters. The default value is empty.

priority Optional. This parameter specifies the priority of the role. Its
value must be an integer ranging from 1 to 2000. The smaller the
value, the higher the priority.

Note:

• When matching more than 16 roles, the user obtains only the roles with the highest 16 priorities.

• When matching more than one role with available VPN Netpool resources, the user obtains only the VPN Netpool resources belonging to the role with the highest priority.

The default value is 1.

no role name <role_name>


This command is used to delete a specified role.

show role name [role_name]


This command is used to display specified roles. If the “role_name” parameter is not specified, all
roles will be displayed.

clear role name


This command is used to clear all the roles.

role qualification <role_name> <qual_name> [description]


This command is used to add a qualification rule to a specified role.


role_name This parameter specifies the name of an existing role.

qual_name This parameter specifies the name of the qualification rule. Its
value must be a string of 1 to 63 characters.

description Optional. This parameter specifies the description of the qualification rule. Its value must be a string of 1 to 255 characters. The default value is empty.

no role qualification <role_name> <qual_name>


This command is used to delete a qualification rule from a specified role.

show role qualification [role_name] [qual_name]


This command is used to display the qualification rules for a specified role.

role_name Optional. This parameter specifies the name of an existing role.

• If this parameter is specified, the qualification rules of this role will be displayed.

• If this parameter is not specified, the qualification rules of all roles will be displayed.

The default value is empty.

qual_name Optional. This parameter specifies the name of an existing qualification rule.

• If this parameter is specified, the qualification rules containing this qualification name will be displayed.

• If this parameter is not specified, the qualification rules containing any qualification name will be displayed.

The default value is empty.

clear role qualification [role_name]


This command is used to clear all the qualification rules for a specified role. If the “role_name”
parameter is not specified, qualification rules of all roles will be cleared.

role condition <role_name> <qual_name> <condi_string>


This command is used to add a condition to the associated role and qualification rule. If multiple
conditions are configured for a qualification rule, users can obtain the role only when meeting all
the conditions in the associated qualification rule.


role_name This parameter specifies the name of an existing role.

qual_name This parameter specifies the name of an existing qualification rule.

condi_string This parameter specifies a condition string defining the user characteristics. Its value must be a string of 1 to 511 uppercase characters enclosed by double quotes. Its format must be “condition string [IS|NOT] [value]”. For how to specify the “condition string” and “value”, please refer to the following table.

For example, suppose the administrator wants to assign a “stuff” role to all users who log in on the
1st day of every month. If this “stuff” role already has an associated “work” qualification rule, the
administrator can add the necessary condition rule to the “work” qualification with the following
command:

VS(config)$role condition stuff work “LOGINDAY IS 1”

The following table displays the supported condition strings:

Table 5-1 Supported Condition String

Condition String | Meaning | Value
LOGINYEAR | The year when the end user logs in. | 1970 to 2999.
LOGINMONTH | The month when the end user logs in. | 1 to 12.
LOGINDAY | The day of month when the end user logs in. | 1 to 31.
LOGINWEEK | The weekday when the end user logs in. | 1 to 7.
LOGINDATE | The date when the end user logs in, including the year, month, day, hour and minute. | yyyyMMddhhmm
LOGINTIME | The time when the end user logs in. | 00:00 to 23:59
USERNAME | The user name. | Alphanumeric, special printable ASCII characters and multi-byte characters.
GROUPNAME | The group which the user name belongs to. | Alphanumeric, special printable ASCII characters and multi-byte characters.
AUTHMETHOD | The authentication method. | Alphanumeric, special printable ASCII characters and multi-byte characters.
SRCIP | The source IP address of the user. | IPv4 or IPv6 address. For example: 10.10.10.0/24, 10.10.10.0/255.255.255.0, 10.10.10.1, 2012:1030::1, 2012:1030::1/64
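As an added example that is not part of the handbook, the following Python code parses condition strings in the “condition string [IS|NOT] [value]” format, evaluates them against a login context keyed by the Table 5-1 names, and applies the priority rules of the “role name” command (a role is granted when all conditions of one of its qualification rules hold; at most 16 roles are kept, smallest priority value first). The Role and Qualification classes, the login context fields and the sample roles are constructed assumptions, as is treating a role with several qualification rules as matched when any one rule holds.

```python
"""Role assignment from AG-style condition strings ("<CONDITION> IS|NOT <value>").

Added example, not Array Networks code. Assumptions: the login context is a
plain dict keyed by the Table 5-1 condition names; a role is granted when ANY
of its qualification rules has ALL of its conditions satisfied; at most 16
roles are kept, ordered by ascending priority value (1 = highest)."""
import ipaddress
from dataclasses import dataclass, field

MAX_ROLES = 16  # "When matching more than 16 roles, the user obtains only 16"
NUMERIC = {"LOGINYEAR", "LOGINMONTH", "LOGINDAY", "LOGINWEEK"}
TEXTUAL = {"LOGINDATE", "LOGINTIME", "USERNAME", "GROUPNAME", "AUTHMETHOD"}


@dataclass
class Qualification:
    name: str
    conditions: list  # every condition string must hold (AND), per the handbook


@dataclass
class Role:
    name: str
    priority: int = 1  # smaller value = higher priority
    qualifications: list = field(default_factory=list)


def parse_condition(cond):
    """Split 'LOGINDAY IS 1' into ('LOGINDAY', 'IS', '1'); reject anything else."""
    parts = cond.strip().split(maxsplit=2)
    if len(parts) != 3 or parts[1] not in ("IS", "NOT"):
        raise ValueError(f"malformed condition string: {cond!r}")
    key, op, value = parts
    if key not in NUMERIC | TEXTUAL | {"SRCIP"}:
        raise ValueError(f"unsupported condition string: {key!r}")
    return key, op, value


def _srcip_matches(value, src_ip):
    """Value may be a host, a CIDR prefix or the IPv4 dotted-netmask form (Table 5-1).

    A v4 address never matches a v6 prefix and vice versa."""
    net = ipaddress.ip_network(value, strict=False)
    return ipaddress.ip_address(src_ip) in net


def condition_holds(cond, ctx):
    key, op, value = parse_condition(cond)
    if key == "SRCIP":
        matched = _srcip_matches(value, ctx[key])
    elif key in NUMERIC:
        matched = int(ctx[key]) == int(value)
    else:
        matched = str(ctx[key]) == value
    return matched if op == "IS" else not matched


def qualification_met(qual, ctx):
    """All conditions of one qualification rule must hold."""
    return all(condition_holds(c, ctx) for c in qual.conditions)


def assign_roles(roles, ctx):
    """Return the names of the granted roles, best priority first, capped at 16."""
    granted = [r for r in roles
               if any(qualification_met(q, ctx) for q in r.qualifications)]
    granted.sort(key=lambda r: (r.priority, r.name))  # tie-break by name: assumption
    return [r.name for r in granted[:MAX_ROLES]]


# Constructed sample data mirroring the handbook's "stuff"/"work" example.
SAMPLE_ROLES = [
    Role("stuff", 5, [Qualification("work", ["LOGINDAY IS 1"])]),
    Role("office", 2, [Qualification("lan", ["SRCIP IS 10.10.10.0/255.255.255.0",
                                             "AUTHMETHOD IS localdb"])]),
    Role("remote", 3, [Qualification("wan", ["SRCIP NOT 10.10.10.0/24"])]),
    Role("v6only", 4, [Qualification("v6", ["SRCIP IS 2012:1030::1/64"])]),
]

SAMPLE_LOGIN = {  # constructed login context
    "LOGINYEAR": 2018, "LOGINMONTH": 3, "LOGINDAY": 1, "LOGINWEEK": 4,
    "LOGINDATE": "201803010915", "LOGINTIME": "09:15",
    "USERNAME": "alice", "GROUPNAME": "eng", "AUTHMETHOD": "localdb",
    "SRCIP": "10.10.10.25",
}

if __name__ == "__main__":
    print(assign_roles(SAMPLE_ROLES, SAMPLE_LOGIN))  # ['office', 'stuff']
```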

no role condition <role_name> <qual_name> <condi_string>


This command is used to delete the condition associated with a specified role and qualification
rule.

show role condition [role_name] [qual_name]


This command is used to display the condition associated with a specified role and qualification
rule.

role_name Optional. This parameter specifies an existing role.

• If this parameter is specified, the conditions of this role will be displayed.

• If this parameter is not specified, the conditions of all roles will be displayed.

The default value is empty.

qual_name Optional. This parameter specifies the name of an existing qualification rule.

• If this parameter is specified, the conditions associated with this qualification rule will be displayed.

• If this parameter is not specified, the conditions associated with all qualification rules will be displayed.

The default value is empty.

clear role condition [role_name] [qual_name]


This command is used to clear the condition associated with a specified role and qualification rule.

role_name Optional. This parameter specifies an existing role.

• If this parameter is specified, the conditions of this role will be cleared.

• If this parameter is not specified, the conditions of all roles will be cleared.

The default value is empty.

qual_name Optional. This parameter specifies the name of an existing qualification rule.

• If this parameter is specified, the conditions associated with this qualification rule will be cleared.

• If this parameter is not specified, the conditions associated with all qualification rules will be cleared.

The default value is empty.

role resource quicklink <role_name> <resource_id> <display_name> <path> [position] [auto-permit] [FrontendSSO] [device_id]

This command is used to assign a QuickLink resource to a specified role.

role_name This parameter specifies the name of an existing role.

resource_id This parameter specifies the name of an existing QuickLink resource configured via the command “virtual site quicklink hostname” or “virtual site quicklink port”.

display_name This parameter specifies the name of the QuickLink resource displayed on the portal page. Its value must be a string of 1 to 900 characters.

This parameter supports HTML tags that can be used between <a> and </a>, such as “<b>…</b>”, “<font color=x>…</font>”, and “<i>…</i>”.

path Optional. This parameter specifies the path of the QuickLink resource. Its value must be a string of 1 to 512 characters. The default value is “/”.

position Optional. This parameter specifies the position of the link on the
portal page. Its value must be an integer ranging from 1 to 1000.
The QuickLink resources will be displayed in ascending order of
the parameter value.

The default value is 1000.

auto-permit Optional. This parameter specifies whether to enable auto-generation of the ACL “permit” configurations for this QuickLink resource.

• 0: indicates that auto-generation of the ACL “permit” configurations is disabled.

• 1: indicates that auto-generation of the ACL “permit” configurations is enabled.

The default value is 0.

FrontendSSO Optional. This parameter specifies whether to enable Frontend SSO Post for this QuickLink resource.

• 0: Disabled and AG-end SSO is used. The AG appliance will construct SSO Post requests and send them to the backend application server on behalf of users.

• 1: Enabled. User clients’ browsers will construct SSO Post requests and send them to the AG appliance, and then the AG appliance forwards them to the backend application server.

The default value is 0.

device_id Optional. This parameter specifies the machine ID field used to log into the backend server. Its value must be a string of 1 to 63 characters. The default value is empty, indicating the machine ID field is not required to log into the backend server.

For example:

vs(config)$role resource quicklink "rn2" "p1" "<b>Test</b>" "/resource/test" 1000 1 0
vs(config)$role resource quicklink "rn2" "p1" "<i>Test</i>" "/resource/test" 1000 0 0
vs(config)$role resource quicklink "rn2" "p1" "<font color=red>Test</font>" "/resource/test" 1000 0 0
vs(config)$role resource quicklink "rn2" "p1" "<b><font color=red>Test</font></b>" "/resource/test" 1000 0 0

Note:

• If “auto-permit” is set to 1, the system automatically executes the command “acl resourcegroup web <resource_group> [description]” to add a Web-type resource group named “auto_web_resgroup_for_<role_name>”, executes the command “acl resource <resource_group> <resource>” to add this QuickLink resource to this resource group, and executes the command “acl rule” to add an ACL permit rule with the priority 200 for this resource group.

• The Web-type resource group named “auto_web_resgroup_for_<role_name>” can only be generated by the system. If it has been added for the role earlier, then the system will reuse it to add ACL “permit” configurations later.

• For SSO methods other than SSO Post, only the AG appliance can perform the SSO operations. In this case, please use AG-end SSO and set the “FrontendSSO” to 0.


• Frontend SSO Post requires the “sso post” configuration, but not the “sso on” configuration.

• Frontend SSO Post requires that the values of the “post_host” and “hostname” parameters in the “sso post” configuration be exactly the same.

• Frontend SSO Post requires that the value of the “path” parameter be the same as that of the “login_url” parameter in the “sso post” configuration.

• Frontend SSO Post does not support the “bookmark” and “other_header_field” parameters of the “sso post” configuration.

• Frontend SSO Post cannot generate the cookie required by some backend servers for authentication.

• Frontend SSO Post cannot work for the Web resources which are accessed by using the portal URL input bar or the Web navigation tool.

no role resource quicklink <role_name> <resource_id> <url>


This command is used to delete a QuickLink resource from a specified role.

Note: The auto-generated ACL “permit” configurations will be deleted when the
QuickLink resource is deleted from a specified role.

role resource web <role_name> <url> <display_name> [position] [auto-permit] [DirectLink] [FrontendSSO] [device_id]

This command is used to assign a WRM resource to a specified role.

role_name This parameter specifies the name of an existing role.

url This parameter specifies the URL link of the WRM resource. Its
value must be a string of 1 to 512 characters.

display_name This parameter specifies the name of the WRM resource displayed on the portal page. Its value must be a string of 1 to 900 characters.

This parameter supports HTML tags that can be used between <a> and </a>, such as “<b>…</b>”, “<font color=x>…</font>”, and “<i>…</i>”.

position Optional. This parameter specifies the position of the link on the portal page. Its value must be an integer ranging from 1 to 1000. The WRM resources will be displayed in ascending order of the parameter value.

The default value is 1,000.

auto-permit Optional. This parameter specifies whether to enable auto-generation of the ACL “permit” configurations for this Web resource.

• 0: indicates that auto-generation of the ACL “permit” configurations is disabled.

• 1: indicates that auto-generation of the ACL “permit” configurations is enabled.

The default value is 0.

DirectLink Optional. This parameter specifies whether this Web resource is a direct link.

• 0: indicates that this Web resource is not a direct link. The AG appliance will rewrite the URL of this Web resource before allowing the user to access this Web resource.

• 1: indicates that this Web resource is a direct link. The AG appliance allows the user to directly access this Web resource without rewriting.

The default value is 0.

FrontendSSO Optional. This parameter specifies whether to enable Frontend SSO Post for this Web resource.

• 0: Disabled and AG-end SSO Post is used. The AG appliance will construct the SSO Post requests and send them to the backend application server on behalf of users.

• 1: Enabled. If “DirectLink” is set to “0”, user clients’ browsers will construct the SSO Post requests and send them to the AG appliance, and then the AG appliance forwards them to the backend application server. If “DirectLink” is set to “1”, user clients’ browsers will construct the SSO Post requests and send them to the backend application server directly.

The default value is 0.

device_id Optional. This parameter specifies the machine ID field used to log into the backend server. Its value must be a string of 1 to 63 characters. The default value is empty, indicating the machine ID field is not required to log into the backend server.

For example:

vs(config)$role resource web "rn2" "http://10.3.0.67" "<b>Test</b>" 1000 1 0 1 ""
vs(config)$role resource web "rn2" "http://10.3.0.67" "<i>Test</i>" 1000 0 0 0 ""
vs(config)$role resource web "rn2" "http://10.3.0.67" "<font color=red>Test</font>" 1000 0 0 1 ""
vs(config)$role resource web "rn2" "http://10.3.0.67" "<b><font color=red>Test</font></b>" 1000 0 0 0 ""

Note:

• If “auto-permit” is set to 1, the system automatically executes the command “acl resourcegroup web <resource_group> [description]” to add a Web-type resource group named “auto_web_resgroup_for_<role_name>”, executes the command “acl resource <resource_group> <resource>” to add this WRM resource to this resource group, and executes the command “acl rule” to add an ACL permit rule for this resource group with priority 200.

• The Web-type resource group named “auto_web_resgroup_for_<role_name>” can only be generated by the system. If it has been added for the role earlier, then the system will reuse it to add ACL “permit” configurations later.

• For SSO methods other than SSO Post, only the AG appliance can perform the SSO operations. In this case, please use AG-end SSO and set the “FrontendSSO” to 0.

• Frontend SSO Post requires the “sso post” configuration, but not the “sso on” configuration.

• Frontend SSO Post requires that the values of the “post_host” and “hostname” parameters in the “sso post” configuration be exactly the same.

• Frontend SSO Post requires that the value of the “url” parameter equal that of “hostname + login_url” in the “sso post” configuration.

• Frontend SSO Post does not support the “bookmark” and “other_header_field” parameters of the “sso post” configuration.

• Frontend SSO Post cannot generate the cookie required by some backend servers for authentication.

• Frontend SSO Post cannot work for the Web resources which are accessed by using the portal URL input bar or the Web navigation tool.

no role resource web <role_name> <url>


This command is used to delete a WRM resource from a specified role.


Note: The auto-generated ACL “permit” configurations will be deleted only when the
WRM resource is deleted from a specified role.

role resource aproxy <role_name> <url> <display_name> [position] [auto_permit]

This command is used to assign an IPv6 Web (Aproxy) resource to a specified role.

role_name This parameter specifies the name of an existing role.

url This parameter specifies the URL of the Aproxy resource. Its
value must be a string of 1 to 512 characters. The host part of the
URL must be an IPv6 address enclosed by square brackets, for
example “http://[2012:1082::6]/test/index.html/”.

display_name This parameter specifies the name displayed on the portal page.
Its value must be a string of 1 to 900 characters.

This parameter supports HTML tags that can be used between <a> and </a>, such as “<b>…</b>”, “<font color=x>…</font>”, and “<i>…</i>”.

position Optional. This parameter specifies the position of the link displayed on the portal page. Its value must be an integer ranging from 1 to 1000. The Aproxy resources will be displayed in ascending order of the parameter value.

The default value is 1,000.

auto_permit Optional. This parameter specifies whether to enable auto-generation of the ACL “permit” configurations for the Aproxy resource.

• 0: indicates that auto-generation of the ACL “permit” configurations is disabled.

• 1: indicates that auto-generation of the ACL “permit” configurations is enabled.

The default value is 0.

Note:

• If “auto-permit” is set to 1, the system automatically executes the command “acl resourcegroup web <resource_group> [description]” to add an Aproxy-type resource group named “auto_gen_resgroup_for_<role_name>”, executes the command “acl resource <resource_group> <resource>” to add this Aproxy resource to this resource group, and executes the command “acl rule” to add an ACL permit rule for this resource group with priority 200.

• The Aproxy-type resource group named “auto_gen_resgroup_for_<role_name>” can only be generated by the system. If it has been added for the role earlier, then the system will reuse it to add ACL “permit” configurations later.

For example:

vs(config)$role resource aproxy "r1" "http://[2012:1082::1]" "test1" 1000 1


vs(config)$role resource aproxy "r1" "http://[2012:1082::6]/test/index.html/" "test6" 1000 1

no role resource aproxy <role_name> <url>


This command is used to delete an Aproxy resource from a specified role.

Note: The auto-generated ACL “permit” configurations will be deleted only when the
Aproxy resource is deleted from a specified role.

role resource netpool <role_name> <pool_name>


This command is used to add a Netpool resource to a specified role.

This command must be configured if users need to access backend resources through the L3VPN
tunnel or Site2Site VPN tunnel.

role_name This parameter specifies the name of an existing role.

pool_name This parameter specifies the name of an existing Netpool


resource.

no role resource netpool <role_name> <pool_name>


This command is used to delete a Netpool resource from a specified role.

role resource vpnresourcegroup <role_name> <resource_group>


This command is used to add a VPN resource group to a specified role.

This command must be configured if users need to access backend resources through the L3VPN
tunnel or Site2Site VPN tunnel.

role_name This parameter specifies the name of an existing role.

resource_group This parameter specifies the name of an existing resource group


defined via the “vpn resource group” command.

no role resource vpnresourcegroup <role_name> <resource_group>

2000-2018 Array Networks, Inc.


168
All Rights Reserved.
Chapter 5 User Policy

This command is used to delete a VPN resource group from a specified role.

role resource cifs <role_name> <cifs_url> <display_name> [position] [auto-permit]

This command is used to add a Common Internet File Share (CIFS) resource to a specified role.

role_name This parameter specifies the name of an existing role.

cifs_url This parameter specifies the URL address of the CIFS resource
provided by the CIFS server. Its value must be a string of 1 to
512 characters. The format of the URL address can be “//<host
IP>/<folder name>”, “//<host IP>/<folder name>/username” or
“//<host IP>/<folder name>/<path>”, for example,
“//10.3.0.233/test”, “//10.3.0.233/test/username” or
“//10.3.0.233/test/test”. Please note that the URL address cannot
contain the characters “\”, “:”, “*”, “<”, “>”, “?”, “|” and “"”, and
cannot end with “/”.

When the administrator wants to allow the login users to access
only the next-level subfolder of the shared folder that is named
after their usernames, the format “//<host IP>/<folder name>/username”
should be used.

If both “//<host IP>/<folder name>/username” and “//<host
IP>/<folder name>/<path>” are configured, the “//<host
IP>/<folder name>/username” will take effect first.

Note: If the URL address ends with “$”, the file share function
might not work. For example, “//10.10.1.21/hirai$”.

display_name This parameter specifies the name displayed for this CIFS
resource on the portal page. Its value must be a string of 1 to 900
characters.

This parameter supports HTML tags that can be used between
<a> and </a>, such as “<b>…</b>”, “<font color=x>…</font>”, and “<i>…</i>”.

position Optional. This parameter specifies the position of the CIFS
resource displayed on the portal. Its value must be an integer
ranging from 1 to 1000. The CIFS resources will be displayed in
ascending order of the parameter value.

The default value is 1000.

auto-permit Optional. This parameter specifies whether to enable
auto-generation of the ACL “permit” configurations for the CIFS
resource.

• 0: indicates that auto-generation of the ACL “permit”
configurations is disabled.

• 1: indicates that auto-generation of the ACL “permit”
configurations is enabled.

The default value is 0.

For example:

vs(config)$role resource cifs "rn2" "//10.3.75.1/3x" "<b>Test</b>" 1000 1
vs(config)$role resource cifs "rn2" "//10.3.75.1/3x" "<i>Test</i>" 1000 0
vs(config)$role resource cifs "rn2" "//10.3.75.1/3x" "<font color=red>Test</font>" 1000 0
vs(config)$role resource cifs "rn2" "//10.3.75.1/3x" "<b><font color=red>Test</font></b>" 1000 0
vs(config)$role resource cifs "rn2" "//10.3.75.1/3x/username" "<b>Test</b>" 1000 1
vs(config)$role resource cifs "rn2" "//10.3.75.1/3x/test" "<b>Test</b>" 1000 1

Note:

• If “auto-permit” is set to 1, the system automatically executes the command “acl
resourcegroup fileshare <resource_group> [description]” to add a fileshare-type
resource group named “auto_fileshare_resgroup_for_<role_name>”, executes the
command “acl resource <resource_group> <resource>” to add this CIFS resource
to this resource group, and executes the command “acl rule” to add an ACL permit
rule with priority 200 for this resource group.

• The fileshare-type resource group named
“auto_fileshare_resgroup_for_<role_name>” can only be generated by the system. If
it has been added for the role earlier, then the system will reuse it to add ACL
“permit” configurations later.
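The URL rules given above for Aproxy resources (an IPv6 host in square brackets) and for CIFS resources (the “//<host IP>/<folder name>…” form, the forbidden characters, no trailing “/”, the “$” caveat), together with the ACL commands the two Notes say the system issues when auto-permit is 1, can be checked before a role configuration is pushed. The following Python is an added example written for this handbook page; it is not Array Networks code. It assumes an http or https scheme and an optional port for Aproxy URLs (the page only requires the bracketed IPv6 host and 1 to 512 characters), and it renders the auto-generated permit rule using the documented “acl rule” syntax with the role as target and priority 200, which the page describes only in words.

```python
import ipaddress
import re

# characters the cifs_url description rules out
CIFS_FORBIDDEN = set('\\:*<>?|"')


def validate_aproxy_url(url: str) -> list:
    """Problems with a 'role resource aproxy' URL; an empty list means it is acceptable.
    Assumption: scheme http/https and an optional port after the bracketed host."""
    problems = []
    if not 1 <= len(url) <= 512:
        problems.append("length must be 1 to 512 characters")
    m = re.match(r'^https?://\[([^\]]+)\](?::\d+)?(?:/.*)?$', url)
    if not m:
        problems.append("host part must be an IPv6 address enclosed in square brackets")
        return problems
    try:
        ipaddress.IPv6Address(m.group(1))
    except ValueError:
        problems.append(f"{m.group(1)!r} is not a valid IPv6 address")
    return problems


def validate_cifs_url(url: str):
    """(errors, warnings) for a 'role resource cifs' URL. Errors reproduce the documented
    restrictions; a share ending in '$' is only a warning because the page says the file
    share function 'might not work'."""
    errors, warnings = [], []
    if not 1 <= len(url) <= 512:
        errors.append("length must be 1 to 512 characters")
    bad = sorted(CIFS_FORBIDDEN & set(url))
    if bad:
        errors.append("forbidden characters: " + " ".join(bad))
    if url.endswith("/"):
        errors.append("URL must not end with '/'")
    if not re.match(r'^//[^/]+/[^/]+(?:/.*)?$', url):
        errors.append("format must be //<host IP>/<folder name>[/username|/<path>]")
    if url.endswith("$"):
        warnings.append("a share name ending in '$' may not work with the file share function")
    return errors, warnings


def auto_permit_commands(kind: str, role: str, resource: str, existing_groups: set) -> list:
    """The ACL commands the Notes say AG runs itself when auto-permit is 1.
    existing_groups records groups already generated: the auto group is created once per
    role and reused afterwards. The 'acl rule' line is this example's rendering of
    'add an ACL permit rule for this resource group with priority 200'."""
    if kind == "aproxy":
        group, group_type = f"auto_gen_resgroup_for_{role}", "web"
    elif kind == "cifs":
        group, group_type = f"auto_fileshare_resgroup_for_{role}", "fileshare"
    else:
        raise ValueError("kind must be 'aproxy' or 'cifs'")
    commands = []
    if group not in existing_groups:
        commands.append(f'acl resourcegroup {group_type} "{group}"')
        existing_groups.add(group)
    commands.append(f'acl resource "{group}" "{resource}"')
    commands.append(f'acl rule "{role}" "{group}" permit 200 R')
    return commands


if __name__ == "__main__":
    # sample values taken from the page's own examples
    print(validate_aproxy_url("http://[2012:1082::6]/test/index.html/"))
    print(validate_cifs_url("//10.10.1.21/hirai$"))
    groups = set()
    for url in ("//10.3.75.1/3x", "//10.3.75.1/3x/test"):
        print("\n".join(auto_permit_commands("cifs", "rn2", url, groups)))
```

Running the module prints an empty problem list for the page's Aproxy example, the “$” warning for the “hirai$” share, and the generated commands for role “rn2”; note that the “acl resourcegroup fileshare” line appears only for the first CIFS resource, matching the Note that the auto group is reused once it exists.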

no role resource cifs <role_name> <cifs_url>

This command is used to delete a CIFS resource from a specified role.

Note: The auto-generated ACL “permit” configurations will be deleted when the CIFS
resource is deleted from a specified role.

show role resource [role_name] [resource_type]

This command is used to display resources of a specified role.

role_name Optional. This parameter specifies the name of an existing role.
The default value is empty, indicating resources of all roles will
be displayed.

resource_type Optional. This parameter specifies the resource type. Its value
must be one of “all”, “quicklink”, “netpool”, “vpnresourcegroup”,
“web” and “aproxy”. The default value is “all”.

clear role resource [role_name] [resource_type]

This command is used to delete resources of a specified role.

role_name Optional. This parameter specifies the name of an existing role.
The default value is empty, indicating resources of all roles will
be deleted.

resource_type Optional. This parameter specifies the resource type. Its value
must be one of “all”, “quicklink”, “cifs”, “netpool”,
“vpnresourcegroup”, “web” and “aproxy”. The default value is
“all”.

role sessionpolicy <role_name> <policy_name>

This command is used to associate a custom session lifecycle policy (configured using the
“session lifecyclepolicy” command) with a role. The administrator can associate only one custom
session lifecycle policy with a role. If no custom session lifecycle policy is associated with a role,
the session timeout settings of the virtual site (if configured using the commands “session timeout
idle”, “session timeout lifetime”, “session timeout warning {on|off}”, “session timeout warning
threshold” and “session timeout warning extension_lifetime”) will take effect for the role.

If the user has been assigned several roles:

• When the role with the highest priority is associated with a custom session lifecycle policy,
this custom session lifecycle policy will take effect for the user.

• When the role with the highest priority is not associated with a custom session lifecycle
policy, the session timeout settings of the virtual site will take effect for the user.

role_name This parameter specifies the name of an existing role.

policy_name This parameter specifies the name of an existing custom session
lifecycle policy.

no role sessionpolicy <role_name>

This command is used to disassociate the custom session lifecycle policy from a specified role.

show role sessionpolicy [role_name]

This command is used to display the custom session lifecycle policy associated with a specified
role. If the “role_name” parameter is not specified, the custom session lifecycle policy associated
with every role will be displayed.

clear role sessionpolicy

This command is used to disassociate the custom session lifecycle policy from every role.

show role config

This command is used to display the current role configurations.

ACL Configuration

acl resourcegroup web <resource_group> [description]

This command is used to add a “web” type resource group.

resource_group This parameter specifies the name of the “web” type resource
group. Its value must be a string of 1 to 64 characters.

description Optional. This parameter specifies the description of the “web”
type resource group. Its value must be a string of 1 to 512
characters. The default value is empty.

acl resourcegroup network <resource_group> [description]

This command is used to add a “network” type resource group.

resource_group This parameter specifies the name of the “network” type
resource group. Its value must be a string of 1 to 64 characters.

description Optional. This parameter specifies the description of the
“network” type resource group. Its value must be a string of 1 to
512 characters. The default value is empty.

acl resourcegroup fileshare <resource_group> [description]

This command is used to add a “fileshare” type resource group.

resource_group This parameter specifies the name of the “fileshare” type
resource group. Its value must be a string of 1 to 64 characters.

description Optional. This parameter specifies the description of the
“fileshare” type resource group. Its value must be a string of 1 to
512 characters. The default value is empty.

no acl resourcegroup <resource_group>

This command is used to delete a specified resource group.

show acl resourcegroup

This command is used to display all the ACL resource groups.

clear acl resourcegroup

This command is used to clear all the ACL resource groups.

acl resource <resource_group> <resource>

This command is used to add a resource to an ACL resource group.

For Site2Site VPN, to make the subnets on the spokes and hubs accessible, you should configure
them as network resources and add them to the ACL resource group. If NAT rules are configured
for Site2Site VPN using the “vpn site2site forward” command, you should configure the virtual
subnet specified by the parameters “virtual_subnet_IP” and “virtual_subnet_netmask” as the
network resource instead of the real subnet on the spoke/hub.

resource_group This parameter specifies the name of an existing resource group.

resource This parameter specifies the resource to be added. Its value must
be a string of 1 to 512 characters. The type of the entered
resource must be the same as that of the resource group. Please
note that both IPv4 and IPv6 resources are supported.

For Site2Site VPN with NAT configured, the parameter value
should be set to the subnet specified by the parameters
“virtual_subnet_IP” and “virtual_subnet_netmask”.

For example:

vs(config)$acl resource "web" "https://www.domain.com:443/*"
vs(config)$acl resource "web" "10.10.10.1/32:*/public/*"
vs(config)$acl resource "rg1" "10.10.10.0/24"
vs(config)$acl resource "rg2" "2012:1810::10:8:10:12/128"
vs(config)$acl resource "file" "\\10.10.10.1\directory"

no acl resource <resource_group> <resource>

This command is used to delete a resource from a specified resource group.

show acl resource [resource_group]

This command is used to display the resources of a specified resource group. If the
“resource_group” parameter is not specified, resources of all resource groups will be displayed.

clear acl resource [resource_group]

This command is used to clear the resources of a specified resource group. If the “resource_group”
parameter is not specified, resources of all resource groups will be cleared.

acl rule <target_name> <resource_group> <action> [priority] [target_type]

This command is used to add an ACL rule to permit or deny the access to a specified resource
group for a specified target, which can be a role, user, or group.

target_name This parameter specifies the name of an existing target. Its value
must be the name of an existing role, user, or group.

resource_group This parameter specifies the name of an existing resource group.

action This parameter specifies the action of the ACL rule. Its value must
be “permit” or “deny”.

priority Optional. This parameter specifies the priority of the ACL rule.
Its value must be an integer ranging from 0 to 1000. The default
value is 1000. The smaller the value, the higher the priority.

target_type Optional. This parameter specifies the type of a specified target.
Its value must be:

• R: indicates the role.

• U: indicates the user.

• G: indicates the group.

The default value is R.

no acl rule <target_name> <resource_group> [target_type]

This command is used to delete the ACL rule associated with a specified resource group and a
specified target. If multiple types of targets have the same name, you need to specify the
“target_type” parameter to distinguish them. If it is not specified, the ACL rule associated with the
role-type target will be deleted.

show acl rule [target_name] [resource_group] [target_type]

This command is used to display the ACL rules associated with a specified resource group and a
specified target type.

target_name Optional. This parameter specifies the name of an existing target.

• If this parameter is specified, the ACL rules associated with
the specified target will be displayed.

• If this parameter is not specified, the ACL rules associated
with all targets will be displayed.

The default value is empty.

resource_group Optional. This parameter specifies the name of an existing
resource group.

• If this parameter is specified, the ACL rules associated with
the specified resource group will be displayed.

• If this parameter is not specified, the ACL rules associated
with all resource groups will be displayed.

The default value is empty.

target_type Optional. This parameter specifies the type of the target. Its
value must be:

• A: indicates all types.

• R: indicates the role.

• U: indicates the user.

• G: indicates the group.

The default value is A.

clear acl rule [target_name] [resource_group]

This command is used to clear the ACL rules associated with a specified resource group and a
specified target.

target_name Optional. This parameter specifies the name of the target.

• If this parameter is specified, the ACL rules associated with
the specified target will be cleared.

• If this parameter is not specified, the ACL rules associated
with all targets will be cleared.

The default value is empty.

resource_group Optional. This parameter specifies the name of an existing
resource group.

• If this parameter is specified, the ACL rules associated with
the specified resource group will be cleared.

• If this parameter is not specified, the ACL rules associated
with all resource groups will be cleared.

The default value is empty.

acl dynamic {on|off}

This command is used to enable or disable the Dynamic ACL function. By default, this function is
disabled.

When this function is enabled, the system will accept dynamic ACLs generated by the clients.
Dynamic ACLs are used to match a request only when the request matches no external ACL and
no configured ACL rule.
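The rule selection described under “acl rule” (among the rules that apply to a target and whose resource group matches the request, the lowest priority value wins) and the fallback order for dynamic ACLs just described can be modelled in a few lines to reason about a configuration before deploying it. The following Python is an added example, not Array Networks code. The tie-break between rules of equal priority (first configured wins), wildcard matching for web and fileshare resources, and the sample configuration in demo() (group names and the first two resources come from the page's own examples; portal.example.com is made up) are assumptions.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ResourceGroup:
    """An ACL resource group (acl resourcegroup web|network|fileshare) and its resources."""
    name: str
    kind: str                      # "web", "network" or "fileshare"
    resources: list = field(default_factory=list)

    def matches(self, request: str) -> bool:
        if self.kind == "network":
            # network resources are IPv4/IPv6 prefixes; a non-address request cannot match
            try:
                addr = ipaddress.ip_address(request)
            except ValueError:
                return False
            return any(addr in ipaddress.ip_network(r, strict=False) for r in self.resources)
        # web and fileshare resources use wildcard patterns, as in "https://www.domain.com:443/*"
        return any(fnmatch.fnmatchcase(request, r) for r in self.resources)


@dataclass
class AclRule:
    """One 'acl rule <target_name> <resource_group> <action> [priority] [target_type]' entry."""
    target_name: str
    group: str
    action: str        # "permit" or "deny"
    priority: int      # 0..1000; the smaller the value, the higher the priority
    target_type: str   # R (role), U (user) or G (group)


class Acl:
    def __init__(self, groups, dynamic=False, denylog=False):
        self.groups = {g.name: g for g in groups}
        self.rules = []
        self.dynamic = dynamic      # acl dynamic on|off
        self.denylog = denylog      # acl denylog on|off
        self.deny_log = []

    def add_rule(self, target_name, group, action, priority=1000, target_type="R"):
        # the checks mirror the parameter descriptions of 'acl rule'
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if not 0 <= priority <= 1000:
            raise ValueError("priority must be 0..1000")
        if target_type not in ("R", "U", "G"):
            raise ValueError("target_type must be R, U or G")
        if group not in self.groups:
            raise ValueError(f"unknown resource group {group!r}")
        self.rules.append(AclRule(target_name, group, action, priority, target_type))

    def evaluate(self, user, roles, groups, request, dynamic_acls=()):
        """Return "permit", "deny" or None when nothing decides.
        Assumption: the lowest priority value wins; equal priorities go to the rule
        configured first. dynamic_acls are (pattern, action) pairs accepted from the
        client and are consulted only when no configured rule matched and dynamic is on."""
        applies = {"R": set(roles), "U": {user}, "G": set(groups)}
        matched = [r for r in self.rules
                   if r.target_name in applies[r.target_type]
                   and self.groups[r.group].matches(request)]
        if matched:
            best = min(matched, key=lambda r: r.priority)
            if best.action == "deny" and self.denylog:
                self.deny_log.append(
                    f"deny user={user} request={request} rule={best.target_name}/{best.group}")
            return best.action
        if self.dynamic:
            for pattern, action in dynamic_acls:
                if fnmatch.fnmatchcase(request, pattern):
                    return action
        return None


def demo():
    """Constructed sample configuration; returns the decisions and the deny log."""
    acl = Acl([
        ResourceGroup("web", "web", ["https://www.domain.com:443/*"]),
        ResourceGroup("rg1", "network", ["10.10.10.0/24"]),
        ResourceGroup("auto_gen_resgroup_for_r1", "web", ["https://portal.example.com/*"]),
    ], dynamic=True, denylog=True)
    acl.add_rule("r1", "web", "deny")                                # default priority 1000
    acl.add_rule("r1", "auto_gen_resgroup_for_r1", "permit", 200)    # what auto_permit generates
    acl.add_rule("alice", "rg1", "deny", 100, "U")                   # user-level deny beats ...
    acl.add_rule("r1", "rg1", "permit", 500)                         # ... the role-level permit
    results = {
        "web": acl.evaluate("alice", ["r1"], [], "https://www.domain.com:443/index.html"),
        "auto": acl.evaluate("alice", ["r1"], [], "https://portal.example.com/app"),
        "net": acl.evaluate("alice", ["r1"], [], "10.10.10.7"),
        "dyn": acl.evaluate("alice", ["r1"], [], "10.10.20.7", [("10.10.20.*", "permit")]),
    }
    return results, acl.deny_log


if __name__ == "__main__":
    print(demo())
```

The demo shows the two points an administrator most often gets wrong: the auto-generated permit at priority 200 overrides a catch-all deny at the default priority 1000, and a more specific user-level deny at priority 100 overrides a role-level permit at 500. The dynamic ACL is consulted only for the request that no configured rule covers.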

acl denylog {on|off}

This command is used to enable or disable logging for access denied by ACL rules. By default, this
function is disabled.

show acl config

This command is used to display the ACL configurations.

clear acl config

This command is used to reset the ACL configurations to default.

Session Management

Global Settings

virtual site session limit <virtual_site> <limit_number>

This global command is used to set the maximum concurrent session number for a specified
virtual site.

virtual_site This parameter specifies the name of an existing virtual site.

limit_number This parameter specifies the maximum concurrent session number.
Its value must be an integer ranging from 0 to 4,294,967,295. 0
indicates the AG appliance will not limit the maximum concurrent
session number for the specified virtual site.

no virtual site session limit <virtual_site>

This global command is used to delete the setting of the maximum concurrent session number for
a specified virtual site.

show virtual site session limit [virtual_site]

This global command is used to display the setting of the maximum concurrent session number for
a specified virtual site. If the “virtual_site” parameter is not specified, the settings of the maximum
concurrent session number for all virtual sites will be displayed.

virtual site session group name <group_name>

This global command is used to configure a session group. The session group function allows
multiple virtual sites to share the concurrent sessions permitted for the session group. To use this
function, the administrator should follow these steps:

• Define the session group first using the “virtual site session group name” command.

• Set the maximum number of concurrent sessions permitted for the session group using the
“virtual site session group limit” command.

• Associate virtual sites with the session group using the “virtual site session group member”
command.

group_name This parameter specifies the name of a session group. Its value must
be a string of 1 to 64 characters.

no virtual site session group name <group_name>

This global command is used to delete a specified session group.

show virtual site session group name

This global command is used to display session groups.

clear virtual site session group

This global command is used to clear all session groups.

virtual site session group limit <group_name> <limit_number>

This global command is used to set the maximum concurrent session number for a specified
session group.

group_name This parameter specifies the name of an existing session group.

limit_number This parameter specifies the maximum concurrent session number.
Its value must be an integer ranging from 0 to 4,294,967,295. 0
indicates the AG appliance will not limit the maximum concurrent
session number.

no virtual site session group limit <group_name>

This global command is used to delete the setting of the maximum concurrent session number for
a specified session group.

show virtual site session group limit [group_name]

This global command is used to display the setting of the maximum concurrent session number for
a specified session group. If the “group_name” parameter is not specified, the settings of the
maximum concurrent session number for all session groups will be displayed.

virtual site session group member <group_name> <virtual_site>

This global command is used to associate a virtual site with a session group.

group_name This parameter specifies the name of an existing session group.

virtual_site This parameter specifies the name of an existing virtual site.

no virtual site session group member <group_name> <virtual_site>

This global command is used to disassociate a virtual site from a specified session group.

show virtual site session group member [group_name]

This global command is used to display virtual sites associated with a specified session group. If
the “group_name” parameter is not specified, virtual sites associated with all session groups will
be displayed.

virtual site session reuse {on|off} <virtual_site>

This global command is used to enable or disable the session reuse function for a specified virtual
site. This function can be enabled for a specified virtual site only when the AAA function is
enabled for that virtual site. By default, this function is disabled.

virtual_site This parameter specifies the name of an existing virtual site.

Note: When the session reuse function becomes enabled or disabled, all current sessions
will be killed.

show virtual site session reuse [virtual_site]

This global command is used to display the status of the session reuse function for a specified
virtual site. If the “virtual_site” parameter is not specified, the status of the session reuse function
of all virtual sites will be displayed.

show virtual site session config

This global command is used to display session configurations of all virtual sites.

show maxsession

This global command is used to display the maximum number of concurrent user sessions in each
of the past 12 months.

show session usage [start_date] [end_date]

This global command is used to display the daily maximum session usage records under the global
scope and each virtual site scope during a specified period in descending order.

start_date Optional. This parameter specifies the start date of the daily
maximum session usage records to be displayed. Its value must be a
string in the format of “yyyymmdd”.

• “yyyy” indicates the year. It must be an integer ranging from
2000 to 2037.

• “mm” indicates the month. It must be an integer ranging from
01 to 12.

• “dd” indicates the day of the month. It must be an integer ranging from 01
to 31.

If this parameter is not specified, the default start date will be the
date on which the device was put into use.

end_date Optional. This parameter specifies the end date of the daily
maximum session usage records to be displayed. Its value must be a
string in the format of “yyyymmdd”. The parameter value must be
equal to or larger than that of “start_date”.

If this parameter is not specified, the default end date is the current
date.

For example:

AN(config)#show session usage 20130903 20130903

2013-9-3: Global Maximum Sessions of the Day: 3( 0 from SSF)
0( 0 from SSF) : vs
0( 0 from SSF) : xn
1( 0 from SSF) : vs_smx
0( 0 from SSF) : shared
0( 0 from SSF) : alias
2( 0 from SSF) : mp1

show hourlysession [month_number]

This global command is used to display the hourly concurrent user session report for a specified
month of the current year.

month_number Optional. This parameter specifies the month for which the hourly
concurrent user session report will be displayed. Its value must be
an integer ranging from 0 to 12. The default value is 0, indicating
the last month.

Per-VS Settings

session maxperuser <maximum_session>

This command is used to set the maximum sessions per user.

maximum_session This parameter specifies the maximum number of concurrent
sessions per user. Its value must be an integer ranging from 0 to
4,294,967,295. 0 indicates that the AG appliance will not limit the
session number.

no session maxperuser

This command is used to delete the configuration of maximum sessions per user.

show session maxperuser

This command is used to display the configuration of maximum sessions per user.

session kill legacy [on|off]

This command is used to enable or disable the function of terminating a legacy session when the
session number of the end user has reached the maximum limit (configured using the “session
maxperuser” command). This function is disabled by default.

on|off Optional. This parameter enables or disables the function of
terminating a legacy session when the session number of the end
user has reached the maximum limit. Its value must be:

• on: enables the function of terminating a legacy session. AG
will terminate a legacy session when the session number of the
end user has reached the maximum limit.

• off: disables the function of terminating a legacy session. The
end user will be directly denied login when the session number
of the end user has reached the maximum limit.

The default value is “off”.
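The global limits described under “Global Settings” (the per-virtual-site session limit and the shared session group limit, where 0 means unlimited) and the per-VS “session maxperuser” and “session kill legacy” behaviour above combine into one admission decision per login. The following Python is an added example written for this page, not Array Networks code; it models that decision together with “session kill id” and “session kill user”. The order in which the limits are checked (virtual site, then session group, then per user) and the choice of the user's oldest session on that virtual site as the “legacy” session are assumptions.

```python
from dataclasses import dataclass

UNLIMITED = 0   # on this page, a limit of 0 means "do not limit"


@dataclass
class Session:
    session_id: str
    user: str
    vsite: str


class SessionManager:
    """Admission control modelled on the page's session limits (assumptions noted above)."""

    def __init__(self, vs_limits=None, group_limits=None, group_members=None,
                 max_per_user=None, kill_legacy=None):
        self.vs_limits = vs_limits or {}          # virtual site session limit <vs> <n>
        self.group_limits = group_limits or {}    # virtual site session group limit <g> <n>
        self.group_members = group_members or {}  # vs -> group (virtual site session group member)
        self.max_per_user = max_per_user or {}    # per-VS: session maxperuser
        self.kill_legacy = kill_legacy or {}      # per-VS: session kill legacy on|off
        self.sessions = []                        # oldest first
        self._next_id = 1

    def _count(self, pred):
        return sum(1 for s in self.sessions if pred(s))

    def login(self, user, vsite):
        """Return (session_id, reason); session_id is None when the login is refused."""
        vs_limit = self.vs_limits.get(vsite, UNLIMITED)
        if vs_limit != UNLIMITED and self._count(lambda s: s.vsite == vsite) >= vs_limit:
            return None, "virtual site session limit reached"
        group = self.group_members.get(vsite)
        if group is not None:
            g_limit = self.group_limits.get(group, UNLIMITED)
            members = {vs for vs, g in self.group_members.items() if g == group}
            # every member virtual site draws on the same shared pool
            if g_limit != UNLIMITED and self._count(lambda s: s.vsite in members) >= g_limit:
                return None, "session group limit reached"
        per_user = self.max_per_user.get(vsite, UNLIMITED)
        if per_user != UNLIMITED:
            own = [s for s in self.sessions if s.vsite == vsite and s.user == user]
            if len(own) >= per_user:
                if not self.kill_legacy.get(vsite, False):
                    return None, "maximum sessions per user reached"
                self.kill_id(own[0].session_id)   # terminate the legacy session, then admit
        sid = f"{self._next_id:08x}"             # 8 characters, within the documented 1 to 8
        self._next_id += 1
        self.sessions.append(Session(sid, user, vsite))
        return sid, "ok"

    def kill_id(self, session_id):
        """session kill id <session_id>; returns the number of sessions killed (0 or 1)."""
        before = len(self.sessions)
        self.sessions = [s for s in self.sessions if s.session_id != session_id]
        return before - len(self.sessions)

    def kill_user(self, user):
        """session kill user <username>; returns the number of sessions killed."""
        before = len(self.sessions)
        self.sessions = [s for s in self.sessions if s.user != user]
        return before - len(self.sessions)

    def active_ids(self):
        return [s.session_id for s in self.sessions]


if __name__ == "__main__":
    # constructed configuration: vs1 capped at 2, vs1 and vs2 share a pool of 3,
    # vs2 allows one session per user and kills the legacy session on re-login
    m = SessionManager(vs_limits={"vs1": 2}, group_limits={"sg": 3},
                       group_members={"vs1": "sg", "vs2": "sg"},
                       max_per_user={"vs2": 1}, kill_legacy={"vs2": True})
    for user, vs in (("alice", "vs1"), ("bob", "vs1"), ("carol", "vs1"),
                     ("carol", "vs2"), ("dave", "vs2"), ("carol", "vs2")):
        print(user, vs, m.login(user, vs))
```

With the constructed configuration, the third login on vs1 is refused by the virtual site limit, dave's login on vs2 is refused by the session group limit although vs2 itself is uncapped, and carol's second login on vs2 succeeds only because “session kill legacy” is on for vs2 and her earlier session is terminated to make room.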

session cookie expire

This command is used to enable the cookie expire function, which inserts an “Expires” HTTP
header field into the HTTP response to set the expiration time of the session cookie. By default,
this function is disabled.

no session cookie expire

This command is used to disable the cookie expire function.

show session cookie expire

This command is used to display the configuration of the cookie expire function.

session cookie passthrough

This command is used to enable the session cookie passthrough function, which allows session
cookies to be passed from the requests to backend servers. By default, this function is disabled.

no session cookie passthrough

This command is used to disable the session cookie passthrough function.

show session cookie passthrough

This command is used to display the configuration of the session cookie passthrough function.

session kill id <session_id>

This command is used to kill the active session with a specified session ID.

session_id This parameter specifies the session ID of the active session to
be killed. Its value must be a string of 1 to 8 characters.

session kill user <username> [type]

This command is used to kill active sessions initiated by a specified user.

username This parameter specifies an existing username of the user
whose active sessions will be killed.

type Optional. This parameter specifies the type of the active
sessions to be killed. Its value must be “mobilel2tp”,
“mobileipsec”, “ssl” or “all”. The default value is “all”.

session kill deviceid <device_id>

This command is used to kill active sessions initiated by a specified device.

device_id This parameter specifies the DeviceID of a specified device whose
active sessions will be killed.

session kill status <auth_type>

This command is used to kill the active sessions in the specified status.

auth_type This parameter specifies the status of the active sessions to be
killed. Its value must be:

• Auth: indicates authenticated active sessions.

• Unauth: indicates unauthenticated active sessions.

session kill all [type]

This command is used to kill active sessions of a specified type.

type Optional. This parameter specifies the type of the active
sessions to be killed. Its value must be “mobilel2tp”,
“mobileipsec”, “ssl” or “all”. The default value is “all”,
indicating active sessions of all types will be killed.

session timeout idle <time>

This command is used to set the session idle timeout (the amount of time that a session can remain
idle before it expires). The default session idle timeout value is 3600 seconds.

time This parameter specifies the maximum idle time in seconds. Its
value must be an integer ranging from 1 to 86,400.

no session timeout idle

This command is used to reset the session idle timeout value to default.

show session timeout idle

This command is used to display the setting of the session idle timeout value.

session timeout lifetime <time>

This command is used to set the session lifetime timeout value (the amount of time that a session
can exist before it expires). The default session lifetime timeout value is 86,400 seconds.

time This parameter specifies the maximum session lifetime in seconds.
Its value must be an integer ranging from 1 to 94,608,000.

Note: If the Site2Site VPN function is used, the session lifetime timeout value should be
set to the maximum value (94,608,000).

no session timeout lifetime

This command is used to reset the session lifetime timeout value to default.

show session timeout lifetime

This command is used to display the setting of the session lifetime timeout value.

session timeout unauth <time>

This command is used to set the session lifetime timeout value for unauthenticated sessions (the
amount of time that an unauthenticated session can exist before it expires or gets authenticated).
The default session lifetime timeout value for unauthenticated sessions is 300 seconds.

time This parameter specifies the maximum unauthenticated session
lifetime in seconds. Its value must be an integer ranging from 1 to
86,400.

Note: Unauthenticated sessions here include challenge and change-password sessions.

no session timeout unauth

This command is used to reset the session lifetime timeout value for unauthenticated sessions to
default.

show session timeout unauth

This command is used to display the setting of the session lifetime timeout value for
unauthenticated sessions.

session timeout warning {on|off}

This command is used to enable or disable the Session Timeout Warning function for the virtual
site. By default, this function is disabled.

session timeout warning threshold [idle_warning] [lifetime_warning]

This command is used to set the amount of time that users will be warned prior to session timeout.

• When being warned of the session idle timeout, the user is provided with the option to reset
the session idle timeout timer. The default time that users will be warned prior to session idle
timeout is 300 seconds.

• When being warned of the session lifetime timeout, the user is provided with the option to
extend the session lifetime. The amount of time by which the user can extend the session
lifetime manually each time can be configured using the “session timeout warning
extension_lifetime” command. The default time that users will be warned prior to session
lifetime timeout is 300 seconds.

idle_warning Optional. This parameter specifies the amount of time that users
will be warned prior to session idle timeout in seconds. Its value
must be an integer ranging from 1 to 86,400. The default value is
300.

lifetime_warning Optional. This parameter specifies the amount of time that users
will be warned prior to session lifetime timeout in seconds. Its
value must be an integer ranging from 1 to 94,608,000. The default
value is 300.
session timeout warning extension_lifetime [extension_lifetime]

2000-2018 Array Networks, Inc.


183
All Rights Reserved.
Chapter 5 User Policy

This command is used to set the amount of time by which the user can extend the session lifetime
manually each time. The default time to be extended is 300 seconds.

extension_lifetime Optional. This parameter specifies the amount of time to be


extended in seconds. Its value must be an integer ranging from 1 to
94,608,000. The default value is 300.

show session timeout warning


This command is used to display the settings of Session Timeout Warning function.

session lifecyclepolicy <policy_name> [idle_timeout] [life_timeout] [warning]


[idle_warning] [lifetime_warning] [extension_time]
This command is used to configure a custom session lifecycle policy. The custom session lifecycle
policy needs to be associated with the role using the “role sessionpolicy” command to take effect.
The custom session lifecycle policy has a higher priority than the session timeout settings of the
virtual site (configured using the commands “session timeout idle”, “session timeout lifetime”,
“session timeout warning {on|off}” “session timeout warning threshold” and “session timeout
warning extension_lifetime”). A maximum of 200 custom session lifecycle policies can be
configured.

policy_name This parameter specifies the name of the custom session lifecycle
policy. Its value must be a string of 1 to 63 characters.

idle_timeout Optional. This parameter specifies the time that a session can
remain idle before it expires, in seconds. Its value must be an
integer ranging from 1 to 86,400. The default value is 3600.

life_timeout Optional. This parameter specifies the time that a session can exist
before it expires, in seconds. Its value must be an integer ranging
from 1 to 94,608,000. The default value is 86,400.

warning Optional. This parameter specifies whether to enable the session
timeout warning function. Its value must be “on” or “off”. The
default value is “off”.

idle_warning Optional. This parameter specifies the time in seconds that users
will be warned prior to the session idle timeout. Its value must be
an integer ranging from 1 to 86,400. The default value is 300. If the
“warning” parameter is set to “on”, when being warned of the
session idle timeout, the user is provided with the option to reset the
session idle timeout timer.

lifetime_warning Optional. This parameter specifies the time in seconds that users
will be warned prior to the session lifetime timeout. Its value must
be an integer ranging from 1 to 94,608,000. The default value is
300. If the “warning” parameter is set to “on”, when being warned
of the session lifetime timeout, the user is provided with the option
to extend the session lifetime by the amount of time specified by
the “extension_time” parameter.

extension_time Optional. This parameter specifies the amount of time by which the
user can extend the session lifetime manually each time, in seconds.
Its value must be an integer ranging from 1 to 94,608,000. The
default value is 300.
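As an added illustration (not code from the handbook or from Array Networks), the following Python model applies the parameters of a custom session lifecycle policy to a session and shows when the idle and lifetime warnings fire, when the session expires, and how the manual extension moves the lifetime deadline. The defaults and value ranges are those listed above; the state names, the rule that the nearer deadline decides which warning is shown, and the absence of any cap on repeated extensions are this example's own assumptions.

```python
from dataclasses import dataclass

# Ranges and defaults as listed for "session lifecyclepolicy".
IDLE_RANGE = (1, 86_400)
LIFE_RANGE = (1, 94_608_000)


def _check(name, value, lo, hi):
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer from {lo} to {hi}, got {value!r}")


@dataclass(frozen=True)
class LifecyclePolicy:
    """The custom session lifecycle policy parameters with the handbook defaults."""
    name: str
    idle_timeout: int = 3600
    life_timeout: int = 86_400
    warning: bool = False
    idle_warning: int = 300
    lifetime_warning: int = 300
    extension_time: int = 300

    def __post_init__(self):
        if not 1 <= len(self.name) <= 63:
            raise ValueError("policy_name must be a string of 1 to 63 characters")
        _check("idle_timeout", self.idle_timeout, *IDLE_RANGE)
        _check("idle_warning", self.idle_warning, *IDLE_RANGE)
        _check("life_timeout", self.life_timeout, *LIFE_RANGE)
        _check("lifetime_warning", self.lifetime_warning, *LIFE_RANGE)
        _check("extension_time", self.extension_time, *LIFE_RANGE)


@dataclass
class Session:
    """Timestamps are in seconds; lifetime extensions accumulate in extended_by."""
    login_at: int
    last_activity: int
    extended_by: int = 0

    def idle_deadline(self, policy):
        return self.last_activity + policy.idle_timeout

    def life_deadline(self, policy):
        return self.login_at + policy.life_timeout + self.extended_by


def evaluate(policy, session, now):
    """State of the session at time `now`: active, warn-idle, warn-lifetime,
    expired-idle or expired-lifetime. Warnings are only shown when the
    policy's warning switch is on; when both warning windows are open,
    the nearer deadline decides (this example's choice)."""
    idle_at = session.idle_deadline(policy)
    life_at = session.life_deadline(policy)
    if now >= idle_at:
        return "expired-idle"
    if now >= life_at:
        return "expired-lifetime"
    if policy.warning:
        in_idle_window = now >= idle_at - policy.idle_warning
        in_life_window = now >= life_at - policy.lifetime_warning
        if in_idle_window and (not in_life_window or idle_at <= life_at):
            return "warn-idle"
        if in_life_window:
            return "warn-lifetime"
    return "active"


def reset_idle_timer(policy, session, now):
    """The user's answer to the idle warning: `now` counts as activity."""
    if evaluate(policy, session, now) != "warn-idle":
        raise RuntimeError("the idle timer can only be reset while the idle warning is shown")
    session.last_activity = now
    return session.idle_deadline(policy)


def extend_lifetime(policy, session, now):
    """The user's answer to the lifetime warning: add extension_time.
    The handbook grants the extension "each time" and states no cap on
    repeated extensions, so none is applied here."""
    if evaluate(policy, session, now) != "warn-lifetime":
        raise RuntimeError("the lifetime can only be extended while the lifetime warning is shown")
    session.extended_by += policy.extension_time
    return session.life_deadline(policy)
```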

no session lifecyclepolicy <policy_name>

This command is used to delete a specified custom session lifecycle policy.

show session lifecyclepolicy [policy_name]

This command is used to display a specified custom session lifecycle policy. If the “policy_name”
parameter is not specified, all configured custom session lifecycle policies will be displayed.

clear session lifecyclepolicy

This command is used to clear all configured custom session lifecycle policies.

show session settings

This command is used to display all the session settings.

clear session settings

This command is used to clear all the session settings.

show session count [username]

This command is used to display the number of active sessions for the specified user.

username Optional. This parameter specifies the username of the user for
whom the number of active sessions will be displayed. Its value
must be a string of 1 to 64 characters. The default value is empty,
indicating the number of active sessions for every user will be
displayed.

show session active [type] [username] [device_id] [start] [count]

This command is used to display the active sessions matching the specified filter conditions.

type Optional. This parameter specifies the type of active sessions to be
displayed. Its value must be “mobilel2tp”, “mobileipsec”, “ssl” or
“all”. The default value is “all”, indicating all types of sessions.

2000-2018 Array Networks, Inc.


185
All Rights Reserved.
Chapter 5 User Policy

username Optional. This parameter specifies the name of the user for whom
active sessions will be displayed. Its value must be a string of 1 to
64 characters. The default value is empty, indicating active sessions
for all users will be displayed.

device_id Optional. This parameter specifies the DeviceID of the device for
which active sessions will be displayed. Its value must be a string of
1 to 64 characters. The default value is empty, indicating active
sessions for all devices will be displayed.

start Optional. This parameter specifies the sequence number of the
active session from which active sessions are to be displayed. Its value
must be an integer ranging from 1 to 4,294,967,295. The default
value is 1.

count Optional. This parameter specifies the number of active sessions to
be displayed. Its value must be an integer ranging from 1 to
4,294,967,295. The default value is 1,000,000.

show session external acl [type] [username] [start] [number]

This command is used to display the sessions that match external ACLs.

type Optional. This parameter specifies the type of sessions to be
displayed. Its value must be “mobilel2tp”, “mobileipsec”, “ssl” or
“all”. The default value is “all”, indicating all types of sessions.

username Optional. This parameter specifies the name of the user for whom
sessions will be displayed. Its value must be a string of 1 to 64
characters. The default value is empty, indicating the matching
sessions of all users will be displayed.

start Optional. This parameter specifies the sequence number of the
session from which matching sessions will be displayed. Its value
must be an integer ranging from 1 to 4,294,967,295. The default
value is 1.

number Optional. This parameter specifies the number of sessions to be
displayed. Its value must be an integer ranging from 1 to
4,294,967,295. The default value is 1,000,000.

For example:

vs(config)$show session external acl

User Name Session Type Session ID ACL
test012 ssl A1E6A606 0 http:172.16.12.212/ AND ALL PERMIT
0 file:172.16.12.212/ AND ALL PERMIT
2 ip tcp:0.0.0.0:80 AND ALL PERMIT
2 ip tcp:172.16.12.0/255.255.255.0 AND ALL PERMIT
1 ip udp:10.3.0.0/255.255.255.0 AND ALL PERMIT
0 ip icmp:172.16.12.0/255.255.255.0 AND ALL PERMIT
1 ip icmp:10.3.0.0/255.255.255.0 AND ALL PERMIT

show session policy [type] [username] [start] [count]

This command is used to display targets (roles, users or groups) and ACL resources associated
with the active session of a specified type and username.

type Optional. This parameter specifies the type of the active sessions to
be displayed. Its value must be “mobilel2tp”, “mobileipsec”, “ssl”
or “all”. The default value is “all”.

username Optional. This parameter specifies the name of the user for whom
the active sessions will be displayed. Its value must be a string of 1
to 64 characters. The default value is “ ”, indicating all usernames.

start Optional. This parameter specifies the sequence number of the
session from which sessions will be displayed. Its value must be an
integer ranging from 1 to 4,294,967,295. The default value is 1.

count Optional. This parameter specifies the number of sessions to be
displayed. Its value must be an integer ranging from 1 to
4,294,967,295. The default value is 1,000,000.

2000-2018 Array Networks, Inc.


187
All Rights Reserved.
Chapter 6 Access Method

Chapter 6 Access Method

Web Access
Web Access provides a clientless way to access internal Web resources with the standard web
browser. This section covers the commands for configuring this module.

QuickLink

virtual site quicklink hostname <hostname> <resource_id> <virtual_site>

This global command is used to configure a QuickLink resource in hostname mode for the
specified virtual site.

hostname This parameter specifies the public hostname used for mapping to
the internal Web resource. Its value must be a string of 5 to 64
characters.

resource_id This parameter specifies the name of the QuickLink resource. Its
value must be a string of 1 to 20 characters. Only 0-9, a-z, A-Z and
characters “_” and “-” are supported.

virtual_site This parameter specifies the name of the existing virtual site for
which the QuickLink rule is configured.

no virtual site quicklink hostname <hostname> <resource_id>

This global command is used to delete a specified QuickLink resource in hostname mode
configured for the specified virtual site.

show virtual site quicklink hostname [virtual_site]

This global command is used to display the QuickLink resources in hostname mode configured for
the specified virtual site. If the “virtual_site” parameter is not specified, the QuickLink resources
in hostname mode configured for all the virtual sites will be displayed.

clear virtual site quicklink hostname <virtual_site>

This global command is used to clear all the QuickLink resources in hostname mode configured
for the specified virtual site.

virtual site quicklink port <port> <resource_id> <virtual_site>

This global command is used to configure a QuickLink resource in port mode for the specified
virtual site.

port This parameter specifies the port used for mapping to the internal
Web resource. Its value must be an integer ranging from 1 to
65,535. To avoid port conflicts, it is recommended to set this
parameter to a value above 10,000.

resource_id This parameter specifies the name of the QuickLink resource. Its
value must be a string of 1 to 20 characters. Only 0-9, a-z, A-Z and
characters “_” and “-” are supported.

virtual_site This parameter specifies the name of the existing virtual site for
which the QuickLink rule is configured.

no virtual site quicklink port <port> <resource_id>

This global command is used to delete a specified QuickLink resource in port mode for the
specified virtual site.

show virtual site quicklink port [virtual_site]

This global command is used to display the QuickLink resources in port mode of the specified
virtual site. If the “virtual_site” parameter is not specified, the QuickLink resources in port mode
of all the virtual sites will be displayed.

clear virtual site quicklink port <virtual_site>

This global command is used to clear all QuickLink resources in port mode of the specified virtual
site.

portal quicklink rule <backend_url> <resource_id> [rewrite_option1] [rewrite_option2] [rewrite_option3] [rewrite_option4] [rewrite_option5]

This command is used to configure a QuickLink rule to map an internal Web resource to the
specified QuickLink resource.

backend_url This parameter specifies the URL of the internal Web resource. Its
value must be a string of 1 to 900 characters.

resource_id This parameter specifies the name of an existing QuickLink
resource. The parameter value must be the name predefined by the
command “virtual site quicklink hostname” or “virtual site
quicklink port”.

rewrite_option1 Optional. This parameter specifies the rewrite option. Its value must
only be:

• “norewrite”: indicates that the web content will not be
rewritten. By default, the web content will be rewritten.

• “rewriteexternal”: indicates that external URLs contained in
the web content but not matching any QuickLink rules will be
rewritten into the WRM format. By default, external URLs
will not be rewritten.

• “rewritexml”: indicates that the XML formatted web content
will be rewritten. By default, the XML formatted web content
will not be rewritten.

• “blockcookie”: indicates that cookies from backend servers
will be blocked. By default, cookies from backend servers will
not be blocked.

• “forwardheader”: indicates the HTTP header will be replaced
by the new HTTP header of the QuickLink rule in hostname
mode. By default, the HTTP header will not be replaced.

Note:

1. For OWA, “rewritexml” is a mandatory option while the other
options (including “norewrite”, “rewriteexternal”, “forwardheader”
and “blockcookie”) cannot be configured.

2. The “norewrite” option and the other options are mutually exclusive.

rewrite_option2 Optional. This parameter specifies the rewrite option. Its value must
only be “norewrite”, “rewriteexternal”, “rewritexml”, “blockcookie”
or “forwardheader”.

rewrite_option3 Optional. This parameter specifies the rewrite option. Its value must
only be “norewrite”, “rewriteexternal”, “rewritexml”, “blockcookie”
or “forwardheader”.

rewrite_option4 Optional. This parameter specifies the rewrite option. Its value must
only be “norewrite”, “rewriteexternal”, “rewritexml”, “blockcookie”
or “forwardheader”.

rewrite_option5 Optional. This parameter specifies the rewrite option. Its value must
only be “norewrite”, “rewriteexternal”, “rewritexml”, “blockcookie”
or “forwardheader”.

no portal quicklink rule <resource_id>

This command is used to delete a specified QuickLink rule.

show portal quicklink rule

This command is used to display all QuickLink rules under the virtual site scope.

clear portal quicklink rule

This command is used to clear all QuickLink rules under the virtual site scope.

2000-2018 Array Networks, Inc.


190
All Rights Reserved.
Chapter 6 Access Method

show portal quicklink global

This command is used to display all QuickLink resources configured in the global scope.

portal quicklink alias <backend_url> <resource_id>

This command is used to configure a QuickLink alias rule for the specified QuickLink resource.
This allows administrators to define additional URLs that can be mapped to the same QuickLink
resource identified by the “resource_id” parameter.

backend_url This parameter specifies the additional URL of the internal Web
resource. Its value must be a string of 1 to 900 characters.

resource_id This parameter specifies the name of the QuickLink resource. The
parameter value must be the name predefined by the command
“virtual site quicklink hostname” or “virtual site quicklink port”.

no portal quicklink alias <backend_url>

This command is used to delete a specified QuickLink alias rule.

show portal quicklink alias

This command is used to display all QuickLink alias rules.

clear portal quicklink alias

This command is used to delete all QuickLink alias rules.

WRM

 General Settings

rewrite {on|off}
This command is used to enable or disable the Web Resource Mapping (WRM) function. By
default, this function is enabled.

show rewrite status

This command is used to display the status (enabled or disabled) of the WRM function.

show rewrite config

This command is used to display all configurations of the WRM function.

clear rewrite config

This command is used to delete all configurations of the WRM function.

 WRM Rule

rewrite param <rule_id> <parameter_name> {url|host} [separator] [index]

This command is used to configure a WRM rewrite rule.

rule_id This parameter specifies the ID of the WRM rewrite rule. Its value
must be an integer ranging from 0 to 1024.

parameter_name This parameter specifies the name obtained from the value of the
HTML “name” attribute in the HTML “param” tag.

url|host This parameter specifies the value type obtained from the HTML
“value” attribute of the HTML “param” tag. Its value must only be
“url” or “host”.

separator Optional. This parameter specifies the separator between multiple
URLs or hosts. The default value is empty.

index Optional. This parameter specifies the index of the URL or host to
be rewritten. Its value must be an integer ranging from 1 to
4,294,967,295. The default value is empty.

For example, if the HTML file of the backend Web server contains the HTML “param” tag
<param name="param" value="http://test.com"/>, the WRM rule should be:

vs(config)$ rewrite param 1 "param" "url"
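As an added example (not from the handbook or the product), this Python code applies WRM rewrite rules of the form above to the HTML “param” tags in a page: a rule is matched in “substring” or “exact” mode, the value is split on the optional separator, and only the indexed item is rewritten. The handbook does not document the rewritten WRM URL format, so the rewrite itself is supplied by the caller (the `GW(...)` wrapper used below is a placeholder), and the minimal tag regex is this example's simplification rather than a full HTML parser.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# A <param ...> tag and its name/value attributes. A small regex is enough for
# the handbook's example; it is this example's simplification, not an HTML parser.
PARAM_TAG = re.compile(r"<param\b(?P<attrs>[^>]*?)/?>", re.IGNORECASE)
ATTR = re.compile(r"""\b(?P<key>name|value)\s*=\s*(?P<q>["'])(?P<val>.*?)(?P=q)""",
                  re.IGNORECASE)


@dataclass(frozen=True)
class ParamRule:
    """One "rewrite param <rule_id> <parameter_name> {url|host} [separator] [index]" rule."""
    rule_id: int
    parameter_name: str
    value_type: str                 # "url" or "host"
    separator: str = ""             # empty: the value is a single URL or host
    index: Optional[int] = None     # 1-based item to rewrite; None: every item

    def __post_init__(self):
        if not 0 <= self.rule_id <= 1024:
            raise ValueError("rule_id must be an integer from 0 to 1024")
        if self.value_type not in ("url", "host"):
            raise ValueError("value type must be url or host")
        if self.index is not None and not 1 <= self.index <= 4_294_967_295:
            raise ValueError("index must be an integer from 1 to 4,294,967,295")


def rule_hits(rule: ParamRule, tag_name: str, mode: str) -> bool:
    """'substring' (the default matching mode) or 'exact' match of parameter_name."""
    if mode == "exact":
        return rule.parameter_name == tag_name
    if mode == "substring":
        return rule.parameter_name in tag_name
    raise ValueError("mode must be substring or exact")


def rewrite_value(rule: ParamRule, value: str, rewrite: Callable[[str, str], str]) -> str:
    """Rewrite the whole value, or only the indexed item after splitting on the separator."""
    if rule.separator == "":
        return rewrite(value, rule.value_type)
    items = value.split(rule.separator)
    return rule.separator.join(
        rewrite(item, rule.value_type) if rule.index in (None, i) else item
        for i, item in enumerate(items, start=1))


def _swap_value(tag: str, new_value: str) -> str:
    """Replace only the value attribute, leaving the rest of the tag untouched."""
    def sub(a):
        if a.group("key").lower() != "value":
            return a.group(0)
        return f'{a.group("key")}={a.group("q")}{new_value}{a.group("q")}'
    return ATTR.sub(sub, tag)


def rewrite_param_tags(html: str, rules: Iterable[ParamRule],
                       rewrite: Callable[[str, str], str], mode: str = "substring") -> str:
    """Rewrite the value attribute of every <param> tag hit by a rule.

    Rules are tried in rule_id order and the first hit wins. `rewrite(text,
    value_type)` must return the gateway form of a URL or host; the handbook
    does not document that format, so the caller supplies it.
    """
    ordered = sorted(rules, key=lambda r: r.rule_id)

    def replace(m):
        attrs = {a.group("key").lower(): a.group("val")
                 for a in ATTR.finditer(m.group("attrs"))}
        if "name" not in attrs or "value" not in attrs:
            return m.group(0)
        for rule in ordered:
            if rule_hits(rule, attrs["name"], mode):
                return _swap_value(m.group(0), rewrite_value(rule, attrs["value"], rewrite))
        return m.group(0)

    return PARAM_TAG.sub(replace, html)
```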

no rewrite param <rule_id>

This command is used to delete a specified WRM rewrite rule.

show rewrite param

This command is used to display the configured WRM rewrite rules.

rewrite matchparam substring

This command is used to set the parameter matching mode to “substring”. In “substring” mode,
the WRM rewrite rule will be hit when the value of “parameter_name” parameter in the “rewrite
param” command matches a part of the value of the HTML “name” attribute in the HTML
“param” tag. By default, the “substring” mode is used for HTML parameter matching.

rewrite matchparam exact

This command is used to set the parameter matching mode to “exact”. In “exact” mode, the WRM
rewrite rule will be hit when the value of the “parameter_name” parameter in the “rewrite param”
command exactly matches the value of the HTML “name” attribute in the HTML “param” tag.

show rewrite matchparam

This command is used to display the parameter matching mode.

rewrite relative

This command is used to enable the rewrite of relative URLs. By default, this function is
disabled.

no rewrite relative
This command is used to disable the rewrite of the relative URLs.

show rewrite relative

This command is used to display the status (enabled or disabled) of the rewrite of the relative
URLs.

 URL Masking

rewrite urlmask [file_name]

This command is used to enable the URL masking function. To mask the internal URLs, the
“rewrite relative” command must be configured first. If the URL masking function is enabled, the
system will rewrite the URL with a pre-set algorithm to hide the backend server and path. By
default, this function is disabled.

file_name Optional. This parameter specifies the file name. Its value must
only be “filename” or its prefix. If this parameter is specified, the
file name of the internal resource will also be masked. The
default value is empty.

no rewrite urlmask
This command is used to disable the URL masking function.

show rewrite urlmask

This command is used to display the status (enabled or disabled) of the URL masking function.

 URL Property

urlproperty mask wrm <url>

This command is used to add a URL to the list of URLs that will not be rewritten by the WRM
rewrite rule.

url This parameter specifies the URL that will not be rewritten by the
WRM rewrite rule. Its value must be a string of 9 to 1000
characters.

no urlproperty mask wrm <url>

This command is used to delete a URL from the list of URLs that will not be rewritten by the
WRM rewrite rule.

clear urlproperty mask wrm

This command is used to clear the list of URLs that will not be rewritten by the WRM rewrite
rule.

urlproperty mask acceptencoding <url>

This command is used to disable the insertion of the “Accept Encoding” header for the specified
URL. This is used primarily for Web servers that are non-compliant with the HTTP RFC
standards.

url This parameter specifies the URL for which “Accept Encoding”
headers will be masked. Its value must be a string of 9 to 990
characters.

no urlproperty mask acceptencoding <url>

This command is used to enable the insertion of the “Accept Encoding” header for the specified
URL.

clear urlproperty mask acceptencoding

This command is used to enable the insertion of the “Accept Encoding” header for all URLs.

show urlproperty mask

This command is used to display all URL property mask configurations.

Custom Rewrite

rewrite custom {on|off}

This command is used to enable or disable the custom rewrite function. By default, this function is
enabled. To use this function, the administrator also needs to configure custom rewrite rules using
the “rewrite custom rules” command.

show rewrite custom status

This command is used to display the status (enabled or disabled) of the custom rewrite function.

rewrite custom rules <rule_id> <rewrite_position> <url_pattern> <script> [flag]

This command is used to configure a custom rewrite rule.

rule_id This parameter specifies the ID of the custom rewrite rule. Its value
must be an integer ranging from 1 to 4,294,967,295.

rewrite_position This parameter specifies when to execute the custom rewrite rule.
Its value must only be:

• pre: indicates the custom rewrite rule will be executed first,
before the execution of the WRM rewrite rule.

• post: indicates the WRM rewrite rule will be executed first,
before the execution of the custom rewrite rule.

url_pattern This parameter specifies the URL string used to match with the
URL. Its value must be a string of 1 to 900 characters.

This parameter also supports the prefix match. For example, if the
parameter value is set to xxx.yyy.zzz, all sub-URLs and files under
this path will be rewritten.

Besides, this parameter supports the wildcard “*”. For example, the
URL can be http://*.arraynetworks.com/.

script This parameter specifies the regular expression script used to
rewrite the URL. Its value must be a string of 1 to 512 characters.

flag Optional. This parameter specifies the flag of the custom rewrite
rule. Its value must be:

• “i”: indicates that the system will ignore case
during URL matching.

• “n”: indicates that the URL will not be rewritten. This
parameter value can be used only when the “rewrite_position”
parameter is set to “pre”.

The default value is empty, indicating the system rewrites the URL
according to the configuration of this custom rewrite rule.

no rewrite custom rules <rule_id>

This command is used to delete a custom rewrite rule.

show rewrite custom rules

This command is used to display all custom rewrite rules.

URL Policy
AG provides the URL policies to allow the administrator to control end users’ access to the Web
resources through the virtual site according to the requested URL.

AG supports four types of URL policies:

• Internal

• External

• Public

• Block

Note: The public URL policy cannot be set as default URL policy.

urlpolicy external <priority> <url>

This command is used to configure an external URL policy. If the requested URL matches the
external URL policy, the external URL policy directly redirects the HTTP request to the external
URL. It neither requires end users to log into the virtual site, nor lets AG rewrite the requests.

priority This parameter specifies the priority of the external URL policy. Its
value must be an integer ranging from 0 to 65,535. The smaller the
value, the higher the priority.

url This parameter specifies the URL keyword. Its value must be a
string of 1 to 100 characters.

no urlpolicy external <priority>

This command is used to delete a specified external URL policy.

clear urlpolicy external

This command is used to clear all external URL policies.

urlpolicy internal <priority> <url>

This command is used to configure an internal URL policy. If the requested URL matches the
internal URL policy, the internal URL policy forces the end users to log into the virtual site first
and lets AG rewrite the HTTP requests.

priority This parameter specifies the priority of the internal URL policy. Its
value must be an integer ranging from 0 to 65,535. The lower the
value, the higher the priority.

url This parameter specifies the URL keyword. Its value must be a
string of 1 to 100 characters.

no urlpolicy internal <priority>

This command is used to delete a specified internal URL policy.

clear urlpolicy internal

This command is used to clear all internal URL policies.

urlpolicy block <priority> <url>

This command is used to configure a block URL policy. If the requested URL matches the block
URL policy, the block URL policy blocks the end users’ access.

priority This parameter specifies the priority of the block URL policy. Its
value must be an integer ranging from 0 to 65,535. The smaller the
value, the higher the priority.

url This parameter specifies the URL keyword. Its value must be a
string of 1 to 100 characters.

For example:

vs(config)$urlpolicy block 2 a.b.com

After this command is executed, the AG appliance will block all access to “a.b.com”.

vs(config)$urlpolicy block 0 a.b.com/test/index.html/

After this command is executed, the AG appliance will block the access to the
“a.b.com/test/index.html/”.

no urlpolicy block <priority>

This command is used to delete a specified block URL policy.

clear urlpolicy block

This command is used to clear all block URL policies.

urlpolicy public <priority> <url>

This command is used to configure a public URL policy. If a requested URL matches the public
URL policy, the public URL policy authorizes end users to access these resources without
virtual site login and lets AG rewrite the requests. Public URL policies authorize end users with
unrestricted access to internal resources. Therefore, it is recommended to use public URL policies
only to provide authorized access to internal resources embedded in custom login pages, logout
pages, and error pages.

priority This parameter specifies the priority of the public URL policy. Its
value must be an integer ranging from 0 to 65,535. The smaller the
value, the higher the priority.

url This parameter specifies the URL keyword. Its value must be a
string of 1 to 100 characters.

no urlpolicy public <priority>

This command is used to delete a specified public URL policy.

clear urlpolicy public

This command is used to clear all public URL policies.

show urlpolicy
This command is used to display all URL policies.

clear urlpolicy config

This command is used to clear all URL policies.

urlpolicy default external

This command is used to set the default URL policy as “external”. After this command is
configured, requested URLs not matching any URL policies will be treated as external URLs.

urlpolicy default internal

This command is used to set the default URL policy as “internal”. After this command is
configured, requested URLs not matching any URL policies will be treated as internal URLs.

urlpolicy default block

This command is used to set the default URL policy as “block”. After this command is configured,
requested URLs not matching any URL policies will be blocked.

no urlpolicy default
This command is used to reset the default URL policy to the default setting “internal”.
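The URL policy evaluation described in this section, as an added Python example that is not part of the handbook: policies of the four types are kept with their priorities, the lowest number wins, the default policy applies when nothing matches, and “public” is refused as the default. Two details are this example's assumptions: a keyword such as “a.b.com/test/” matches a request only on the same host and on a path-segment boundary (so “a.b.com” does not cover “a.b.com.other.example”), and an equal-priority tie between types is resolved in favour of “block”.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

POLICY_TYPES = ("external", "internal", "public", "block")

# What each policy type does with a request, per the command descriptions.
ACTIONS = {
    "external": {"login_required": False, "rewrite": False, "allow": True},
    "internal": {"login_required": True, "rewrite": True, "allow": True},
    "public": {"login_required": False, "rewrite": True, "allow": True},
    "block": {"login_required": False, "rewrite": False, "allow": False},
}


@dataclass(frozen=True)
class UrlPolicy:
    """One "urlpolicy <type> <priority> <url>" entry."""
    ptype: str
    priority: int   # 0 to 65,535; the smaller the value, the higher the priority
    keyword: str    # 1 to 100 characters

    def __post_init__(self):
        if self.ptype not in POLICY_TYPES:
            raise ValueError(f"unknown policy type {self.ptype!r}")
        if not 0 <= self.priority <= 65_535:
            raise ValueError("priority must be an integer from 0 to 65,535")
        if not 1 <= len(self.keyword) <= 100:
            raise ValueError("url must be a string of 1 to 100 characters")


def _host_and_path(url: str) -> Tuple[str, str]:
    """Lower-cased host plus the path without its trailing slash."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path.rstrip("/")


def keyword_matches(keyword: str, url: str) -> bool:
    """Assumed matching semantics: same host, and the keyword path is the
    request path or one of its ancestors on a segment boundary."""
    khost, kpath = _host_and_path(keyword)
    uhost, upath = _host_and_path(url)
    if khost != uhost:
        return False
    return kpath == "" or upath == kpath or upath.startswith(kpath + "/")


class UrlPolicySet:
    def __init__(self, default: str = "internal"):
        self._rules: Dict[Tuple[str, int], UrlPolicy] = {}
        self.set_default(default)

    def set_default(self, ptype: str) -> None:
        """urlpolicy default {external|internal|block}; public is refused."""
        if ptype == "public":
            raise ValueError("the public URL policy cannot be set as the default URL policy")
        if ptype not in POLICY_TYPES:
            raise ValueError(f"unknown policy type {ptype!r}")
        self.default = ptype

    def add(self, ptype: str, priority: int, keyword: str) -> None:
        # Keyed like "no urlpolicy <type> <priority>": one entry per type and priority.
        self._rules[(ptype, priority)] = UrlPolicy(ptype, priority, keyword)

    def remove(self, ptype: str, priority: int) -> None:
        self._rules.pop((ptype, priority), None)

    def decide(self, url: str) -> dict:
        """Select the policy for a requested URL and return its effect."""
        hits = [r for r in self._rules.values() if keyword_matches(r.keyword, url)]
        chosen: Optional[UrlPolicy] = None
        if hits:
            # Lowest number wins; a tie between types is not specified by the
            # handbook, so this example prefers "block" as the safer outcome.
            chosen = min(hits, key=lambda r: (r.priority, 0 if r.ptype == "block" else 1))
        ptype = chosen.ptype if chosen else self.default
        return {"policy": ptype, "matched": chosen, **ACTIONS[ptype]}
```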

SSO

sso {on|off}
This command is used to enable or disable the SSO (Single Sign On) function for Web Access. By
default, this function is disabled. This function takes effect only when the portal login credential is
the same as the login credential of the Web application server.

sso kerberos realm name <realm_name>

This command is used to configure a Kerberos realm.

realm_name This parameter specifies the name of an existing Kerberos realm. Its
value must be an uppercase string of 1 to 128 characters.

For example:

vs(config)$sso kerberos realm name EXAMPLE.COM

no sso kerberos realm name <realm_name>

This command is used to delete a Kerberos realm.

sso kerberos realm kdc <realm_name> <kdc_host_name> [kdc_port]

This command is used to add a Key Distribution Center (KDC) to the specified Kerberos realm.
After KDCs are configured, the system sends the request to the KDC with the highest priority to
obtain the service ticket. The earlier the KDC is configured for the virtual site, the higher the
priority of the KDC will be. A maximum of three KDCs can be added to a Kerberos realm.

realm_name This parameter specifies the name of an existing Kerberos realm.

kdc_host_name This parameter specifies the hostname or IP address of the KDC. Its
value must be a string of 1 to 128 characters. If its value is an IP
address, it must be an IPv4 address enclosed by double quotes.

kdc_port Optional. This parameter specifies the port number that the KDC
listens to. Its value must be an integer ranging from 1 to 65535. The
default value is 88.

Note: If the local DNS server under the global scope supports the service location SRV
resource record, the system can find the KDC by itself, so this command and the “sso
kerberos realm name” command do not need to be configured.

no sso kerberos realm kdc <realm_name> <kdc_host_name>

This command is used to delete a KDC from a specified Kerberos realm.

show sso kerberos realm [realm_name]

This command is used to display the settings of a specified Kerberos realm. If the “realm_name”
parameter is not specified, the settings of all Kerberos realms will be displayed.

clear sso kerberos realm

This command is used to clear the settings of all the Kerberos realms.

sso kerberos rule <service_host> <realm_name>

This command is used to configure a Kerberos SSO rule for the backend Web server.

service_host This parameter specifies the hostname or IP address of the backend
Web server in the realm specified by the “realm_name” parameter. Its
value must be a string of 1 to 128 characters.

If its value is a hostname, it must be in one of the following formats:

• .abc.com: indicates that all servers in the “.abc.com” domain
are included.

• xxx.abc.com: indicates the server of which the hostname is
“xxx.abc.com” or all servers in the “.xxx.abc.com” domain are
included.

If its value is an IP address, it must be an IPv4 address enclosed by
double quotes.

Note: This backend Web server must be registered on the KDC
(usually on the Active Directory) in advance.

realm_name This parameter specifies the name of an existing Kerberos realm.

For example:

vs(config)$sso kerberos rule arraynetworks.com EXAMPLE.COM
vs(config)$sso kerberos rule www.arraynetworks.net EXAMPLE.COM
vs(config)$sso kerberos rule "10.8.6.160" EXAMPLE.COM

no sso kerberos rule <service_host>

This command is used to delete a specified Kerberos SSO rule.

show sso kerberos rule

This command is used to display all the configured Kerberos SSO rules.

clear sso kerberos rule

This command is used to clear all the configured Kerberos SSO rules.

sso post <hostname> <login_url> <username_field> <password_field> [post_host] [post_url] [post_fields] [bookmark] [other_header_field]

This command is used to add an HTTP POST SSO rule. With this command, the administrator
specifies an application’s login URL used to post a user’s credentials. This function allows a user
to access multiple backend applications without re-entering their credentials.

hostname This parameter specifies the host name of the backend server. Its
value must be a string of 1 to 128 characters.

login_url This parameter specifies the URL of the login page. Its value must
be a string of 1 to 900 characters.

username_field This parameter specifies the field used to post the username for
authentication. Its value must be a string of 1 to 64 characters.

password_field This parameter specifies the field used to post the password for
authentication. Its value must be a string of 1 to 32 characters.

post_host Optional. This parameter specifies the POST target that includes the
port if needed. Its value must be a string of 1 to 128 characters. By
default, the value of the “hostname” parameter is used.

2000-2018 Array Networks, Inc.


200
All Rights Reserved.
Chapter 6 Access Method

post_url Optional. This parameter specifies the URL to which the POST
request is directed. Its value must be a string of 1 to 900 characters.
By default, the value of the “login_url” parameter is used.

post_fields Optional. This parameter specifies a set of fields that are required
by the backend service in addition to the username and password.
Its value must be a string of 1 to 1024 characters. It can be a string
of only characters or a string containing multiple “field=value”
pairs. In addition, it supports tokens, which will be dynamically
replaced by actual values.

Meanings of supported tokens are as follows:

• <IP_ADDR_UINT>: Client IP address in the unsigned integer
format, such as 1677920266

• <IP_ADDR_DOTDEC>: Client IP address in the dotted
decimal format, such as 10.8.3.100

• <MAC_ADDR_NOSEP>: Client MAC address without any
separator, such as F0DEF1E4FDD8

• <MAC_ADDR_DASH>: Client MAC address with “-” as the
separator, such as F0-DE-F1-E4-FD-D8

• <MAC_ADDR_COLON>: Client MAC address with “:” as
the separator, such as F0:DE:F1:E4:FD:D8

For example:
“domain=abc&deptname=xyz&ipaddress=<IP_ADDR_DOTDEC>
&macaddress=<MAC_ADDR_DASH>”

bookmark Optional. Its value must only be:

• “enable”: indicates that the end user can access the same
backend application without re-entering their credentials when
accessing the same Web resource again.

• “disable”: indicates that the end user needs to re-enter their
credentials when accessing the same Web resource again.

The default value is “disable”.

other_header_field Optional. This parameter specifies a set of HTTP header fields that
are required by the backend service for user authentication.
Multiple HTTP header fields must be separated by “\r\n”. Its value
should be a string of 1 to 1024 characters.

For example: “User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
.NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nCookie: PBack=0;\r\n”
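The token substitution described for the “post_fields” parameter and the “\r\n” splitting of the “other_header_field” parameter, as an added example. This is not Array Networks code and does not reproduce the appliance's implementation; it models the documented behaviour. Assumptions: the template is parsed as field=value pairs before tokens are substituted and every value is URL-encoded, so a substituted client value cannot introduce a new field; the field names, client IP and MAC address are constructed samples.

```python
"""Expand the post_fields tokens and parse other_header_field values.

Added example, not Array Networks code.  It models how the <IP_ADDR_*> and
<MAC_ADDR_*> tokens in "post_fields" are replaced with the connecting
client's values before the SSO POST is sent, and how the CRLF-separated
"other_header_field" string breaks into header name/value pairs.  Field
names, client IP and MAC address below are constructed samples.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import quote_plus

TOKEN_RE = re.compile(
    r"<(IP_ADDR_UINT|IP_ADDR_DOTDEC|MAC_ADDR_NOSEP|MAC_ADDR_DASH|MAC_ADDR_COLON)>"
)


def mac_octets(mac: str) -> list[str]:
    """Normalise a MAC written with ':', '-' or no separator into six upper-case octets."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return [digits[i:i + 2] for i in range(0, 12, 2)]


def token_values(client_ip: str, client_mac: str) -> dict[str, str]:
    """Compute the value of each supported token for one client."""
    ip = ipaddress.IPv4Address(client_ip)
    octets = mac_octets(client_mac)
    return {
        "IP_ADDR_UINT": str(int(ip)),  # 32-bit unsigned integer, e.g. 10.8.3.100 -> 168297316
        "IP_ADDR_DOTDEC": str(ip),
        "MAC_ADDR_NOSEP": "".join(octets),
        "MAC_ADDR_DASH": "-".join(octets),
        "MAC_ADDR_COLON": ":".join(octets),
    }


def expand_post_fields(template: str, client_ip: str, client_mac: str) -> str:
    """Return post_fields with tokens replaced and every field name and value URL-encoded.

    The template is split into field=value pairs first, so a token can only ever
    land inside a value and never create an extra field.
    """
    values = token_values(client_ip, client_mac)

    def substitute(text: str) -> str:
        return TOKEN_RE.sub(lambda m: values[m.group(1)], text)

    if "=" not in template:
        # "a string of only characters": no field=value structure, sent as it is
        return substitute(template)
    encoded = []
    for pair in template.split("&"):
        name, _, value = pair.partition("=")
        encoded.append(f"{quote_plus(name)}={quote_plus(substitute(value))}")
    return "&".join(encoded)


def parse_other_header_field(spec: str) -> list[tuple[str, str]]:
    r"""Split the "\r\n"-separated other_header_field string into (name, value) pairs."""
    headers = []
    for line in spec.split("\r\n"):
        if not line:
            continue  # a trailing "\r\n" leaves an empty element behind
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header field: {line!r}")
        headers.append((name.strip(), value.strip()))
    return headers
```

Running the documented template through expand_post_fields for a client at 10.8.3.100 with MAC F0:DE:F1:E4:FD:D8 yields domain=abc&deptname=xyz&ipaddress=10.8.3.100&macaddress=F0-DE-F1-E4-FD-D8; the same client's <IP_ADDR_UINT> value is 168297316.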

no sso post <hostname> <login_url>
This command is used to delete an HTTP POST SSO rule.

show sso post
This command is used to display all HTTP POST SSO rules.

clear sso post
This command is used to delete all HTTP POST SSO rules.

show sso config
This command is used to display the configurations of the SSO function.

clear sso config
This command is used to clear all configurations of the SSO function.

Proxy

server proxy manual http <ip> <port> <username> <password> <domain>
This command is used to add an HTTP-type backend proxy server.

ip This parameter specifies the IP address of the backend proxy server.
Its value must be given in dotted decimal notation.

port This parameter specifies the port number of the backend proxy
server. Its value must be an integer ranging from 0 to 65,535.

username Optional. This parameter specifies the username used for passing
the backend proxy server’s authentication. This parameter needs to
be specified when the backend proxy server requires authentication.
Its value must be a string of 1 to 64 characters. The default value is
empty.

password Optional. This parameter specifies the password used for passing
the backend proxy server’s authentication. This parameter needs to
be specified when the backend proxy server requires authentication.
Its value must be a string of 1 to 32 characters. The default value is
empty.


domain Optional. This parameter specifies the domain of the backend proxy
server. This parameter needs to be specified when the backend
proxy server requires authentication. Its value must be a string of 1
to 64 characters. The default value is empty.

no server proxy manual http
This command is used to delete an HTTP-type backend proxy server.

server proxy manual https <ip> <port>
This command is used to add an HTTPS-type backend proxy server.

ip This parameter specifies the IP address of the backend proxy server.
Its value must be an IPv4 address.

port This parameter specifies the port number of the backend proxy
server. Its value must be an integer ranging from 0 to 65,535.

no server proxy manual https
This command is used to delete an HTTPS-type backend proxy server.

server proxy script <script_url> <username> <password> <domain>
This command is used to enable the use of a proxy auto-configuration script.

script_url This parameter specifies the URL from which the AG appliance
downloads a proxy auto-configuration script. Its value must be a
string of 1 to 1024 characters. A script in the required format must
be stored at this URL and this script should include the proxy server
information, such as IP address.

username Optional. This parameter specifies the username used for passing
the authentication of the backend proxy server determined by the
auto-configuration proxy script. Its value must be a string of 1 to 64
characters. The default value is empty.

password Optional. This parameter specifies the password used for passing
the authentication of the backend proxy server determined by the
auto-configuration proxy script. Its value must be a string of 1 to 32
characters. The default value is empty.

domain Optional. This parameter specifies the domain of the backend proxy
server determined by the auto-configuration proxy script. Its value
must be a string of 1 to 64 characters. The default value is empty.

no server proxy script
This command is used to disable the use of a proxy auto-configuration script.

show server proxy
This command is used to display the configurations of backend server proxies.

URL Filter

filter {on|off}
This command is used to enable or disable the URL filter function for Web access. This function
is used to prevent Cross Site Scripting (XSS) attacks. By default, this function is disabled.

filter url keyword deny <keyword>
This command is used to configure a URL-filter rule used to deny a URL with a specified
keyword.

keyword This parameter specifies a regular expression to match the request
URL. If the request URL matches the regular expression, the access
will be regarded as malicious and denied. Its value must be a string
of 1 to 31 characters.

For example:

vs(config)$ filter url keyword deny "cmd.exe"
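The matching behaviour of a URL-filter deny rule, as an added example (not Array Networks code). Each rule is a regular expression, as the “keyword” parameter is, and a request URL matching any rule is denied. Two assumptions are this example's own, not documented appliance behaviour: Python's re module stands in for the appliance's regex engine, and the percent-decoded form of the URL is tested alongside the raw form so that an encoded keyword (cmd%2Eexe) is also caught. The rules and URLs are constructed samples.

```python
"""Apply URL-filter deny rules to request URLs.

Added example, not Array Networks code.  Each deny rule is a regular
expression; a request URL that matches any rule is denied.  Assumed here:
Python "re" semantics, and the percent-decoded URL is checked as well as
the raw one.  Rules and URLs are constructed samples.
"""
from __future__ import annotations

import re
from urllib.parse import unquote


class UrlFilter:
    def __init__(self) -> None:
        self._rules: dict[str, re.Pattern[str]] = {}  # keyword -> compiled regex

    def deny(self, keyword: str) -> None:
        """Mirror of "filter url keyword deny <keyword>": a regex of 1 to 31 characters."""
        if not 1 <= len(keyword) <= 31:
            raise ValueError("keyword must be a string of 1 to 31 characters")
        self._rules[keyword] = re.compile(keyword)

    def undeny(self, keyword: str) -> None:
        """Mirror of "no filter url keyword deny <keyword>"."""
        self._rules.pop(keyword, None)

    def matched_rule(self, url: str) -> str | None:
        """Return the keyword that denies this URL, or None if no rule matches."""
        candidates = (url, unquote(url))  # raw form and percent-decoded form
        for keyword, pattern in self._rules.items():
            if any(pattern.search(c) for c in candidates):
                return keyword
        return None

    def is_denied(self, url: str) -> bool:
        return self.matched_rule(url) is not None


def filter_report(rules: list[str], urls: list[str]) -> list[tuple[str, str | None]]:
    """Evaluate a batch of URLs against a rule set; (url, matching keyword or None) per URL."""
    f = UrlFilter()
    for keyword in rules:
        f.deny(keyword)
    return [(u, f.matched_rule(u)) for u in urls]
```

Because the keyword is a regular expression, the “.” in the documented rule "cmd.exe" matches any single character, so a URL containing cmdXexe is denied as well; a rule of "cmd\.exe" matches only the literal filename.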

no filter url keyword deny <keyword>
This command is used to delete a URL-filter rule used to deny a URL with a specified keyword.

show filter url keyword deny
This command is used to display all URL-filter rules used to deny URLs with specified keywords.

show filter config
This command is used to display the configurations of the URL-filter function.

clear filter config
This command is used to clear the configurations of the URL-filter function.

Statistics

show statistics web
This command is used to display Web traffic statistics.

clear statistics web
This command is used to clear Web traffic statistics.

Network Access and Array Client

General Settings

vpn clientupgrade {on|off}
This global command is used to enable or disable the auto upgrade function for the Array Client.
By default, this function is enabled.

show vpn clientupgrade
This global command is used to display the status of the auto upgrade function for the Array
Client.

show statistics vpn
This global command is used to display VPN statistics of all virtual sites.

clear statistics vpn
This global command is used to clear the VPN statistics of all virtual sites.

vpn {on|off}
This command is used to enable or disable the VPN function. By default, this function is disabled.

vpn clientisolate {on|off}
This command is used to enable or disable the client traffic isolation function. With this function
enabled, all the traffic between clients using SSL L3VPN will be blocked. By default, this
function is enabled.

Note: For the Site2Site VPN function, the client traffic isolation function should be
disabled.

vpn backend keepalive {on|off}
This command is used to enable or disable the L4VPN backend connection keepalive function.
With this function enabled, the backend TCP connection to the backend server will be kept alive
after the TCP idle timeout. By default, this function is disabled.

vpn clientinfocollect {on|off}
This command is used to enable or disable L3VPN client information collection. This function is
used for the Array SDK. By default, this function is disabled. For details on the Array SDK, please
contact Array Networks Customer Support.

show vpn active
This command is used to display the active VPN tunnel information.


show vpn config
This command is used to display the VPN configurations for the virtual site.

clear vpn config
This command is used to clear the VPN configurations for the virtual site.

show statistics vpn
This command is used to display VPN statistics for the virtual site.

clear statistics vpn
This command is used to clear the VPN statistics for the virtual site.

Netpool

Basic Settings

vpn netpool name <netpool>
This command is used to define a Netpool for assigning VPN resources.

This command must be configured whether backend resources are accessed through the L3VPN
tunnel or through the Site2Site VPN tunnel.

netpool This parameter specifies the name of the Netpool. Its value must be
a string of 1 to 31 characters.

no vpn netpool name <netpool>
This command is used to delete a specified Netpool.

show vpn netpool name
This command is used to display all Netpools.

clear vpn netpool name
This command is used to clear all Netpools.

Dynamic IP Assignment

The system can dynamically assign the IP address to the SSL VPN Client in either of the
following ways:

• Dynamic IP range: When an end user is assigned the Netpool with the dynamic IP range
configured, the system will pick up an IP address from the dynamic IP range.

• DHCP server: When an end user is assigned the Netpool with the DHCP server configured,
the system will communicate with the DHCP server to obtain the IP address.

For a Netpool, the dynamic IP range and the DHCP server are mutually exclusive.


vpn netpool iprange dynamic <netpool> <start_ip> <end_ip> [unit_name]
This command is used to configure a dynamic IPv4 range for the specified Netpool. When an end
user is assigned this Netpool, the VPN server will dynamically assign an IPv4 address from the
dynamic IPv4 range to the SSL VPN Client of the end user.

netpool This parameter specifies the name of the existing Netpool.

start_ip This parameter specifies the first IPv4 address in the dynamic IPv4
range.

end_ip This parameter specifies the last IPv4 address in the dynamic IPv4
range.

unit_name Optional. This parameter specifies the name of an existing HA unit
to which this dynamic IPv4 range belongs. This parameter needs to
be specified only when the HA function is enabled. The default
value is empty.

Note: In the Active/Active scenario, the dynamic IPv4 range of the local unit should not
overlap with that of the peer unit.

In an HA environment, different configurations should be made in different scenarios:

• Active/Active scenario (each AG appliance is active for one or some VIPs of the virtual
site)

In this scenario, you need to configure dynamic IP ranges specific to each unit on one AG
appliance and enable the HA runtime synconfig function on all AG appliances. The HA runtime
synconfig function automatically synchronizes the dynamic IP range configurations specific to
certain units to the peer units.

For example:

On AG1:
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.25 "unit1"
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.26 192.168.0.50 "unit2"

After the configurations are finished, 25 IP addresses are available on each AG appliance and all
50 IP addresses can be used for the virtual site in total.

• Active/Standby scenario (only one AG appliance is active for the virtual site)

In this scenario, you have two choices:

• Configure dynamic IP ranges not specific to any unit on all AG appliances.

For example:

On AG1:
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.50

On AG2:
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.50

After the configurations are finished, 50 IP addresses will be available for the virtual site on the
active AG appliance.

• Configure dynamic IP ranges specific to each unit on one AG appliance and enable HA
runtime synconfig.

For example:

On AG1:
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.1 192.168.0.25 "unit1"
vs(config)$vpn netpool iprange dynamic "test" 192.168.0.26 192.168.0.50 "unit2"

After the configurations are finished, each AG appliance uses its separate IP range of 25 IP
addresses when becoming active for the virtual site.

Choice                                      Advantage                                 Disadvantage
Configure dynamic IP ranges not specific    IP addresses of all the configured IP     IP conflicts may occur during HA
to any unit on all AG appliances.           ranges can be used.                       failover.
Configure dynamic IP ranges specific to     There is no IP conflict during HA         Only IP addresses of the IP ranges
each unit on one AG appliance.              failover.                                 specific to the active unit can be used.

no vpn netpool iprange dynamic <netpool> <start_ip> <end_ip> [unit_name]
This command is used to delete a dynamic IPv4 range configured for the specified Netpool.

vpn netpool iprange dynamic6 <netpool> <start_ip> <end_ip> [unit_name]
This command is used to configure a dynamic IPv6 range for the specified Netpool. When an end
user is assigned this Netpool, the VPN server will dynamically assign an IPv6 address from the
dynamic IPv6 range to the SSL VPN Client of the end user.

netpool This parameter specifies the name of the existing Netpool.

start_ip This parameter specifies the first IPv6 address in the dynamic IPv6
range.

end_ip This parameter specifies the last IPv6 address in the dynamic IPv6
range.


unit_name Optional. This parameter specifies the name of an existing HA unit
to which this dynamic IPv6 range belongs. This parameter needs to
be specified only when the HA function is enabled. The default
value is empty.

Note:

• The prefixes of IPv6 addresses in the dynamic IPv6 range must be the same. Besides,
the prefix length should be equal to or larger than 96 bits, indicating that the “start_ip”
and “end_ip” can only be different in the last 32 bits.

• In the Active/Active scenario, the dynamic IPv6 range of the local unit should not
overlap with that of the peer unit.

In an HA environment, different configurations should be made for the Active/Active and
Active/Standby scenarios. For details, please refer to the command “vpn netpool iprange
dynamic”.

no vpn netpool iprange dynamic6 <netpool> <start_ip> <end_ip> [unit_name]
This command is used to delete a dynamic IPv6 range configured for the specified Netpool.
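A validation routine for the dynamic IPv4 and IPv6 range rules stated for “vpn netpool iprange dynamic” and “vpn netpool iprange dynamic6” above, as an added example (not Array Networks code). It checks that start and end are the same IP version with start not above end, that an IPv6 range differs only in its last 32 bits, and that ranges of one Netpool do not overlap; it also totals the addresses each HA unit gets, which is the count the Active/Active and Active/Standby examples give (25 per unit, 50 in total). The Netpool name, unit names and addresses are constructed samples, and flagging any overlap within one Netpool goes slightly beyond the Active/Active note, which only names local-versus-peer overlap.

```python
"""Validate the dynamic IP ranges configured for a Netpool.

Added example, not Array Networks code.  Encodes the documented rules for
"vpn netpool iprange dynamic" / "dynamic6": same IP version for start and
end, start not above end, IPv6 start/end differ only in the last 32 bits,
and no overlapping ranges within a Netpool (the Active/Active note).
Netpool name, unit names and addresses below are constructed samples.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class DynRange:
    netpool: str
    start: Addr
    end: Addr
    unit: Optional[str] = None  # HA unit the range belongs to; None = not unit-specific

    def __post_init__(self) -> None:
        if self.start.version != self.end.version:
            raise ValueError("start_ip and end_ip must be the same IP version")
        if self.start > self.end:
            raise ValueError("start_ip must not be above end_ip")
        # IPv6: prefix of at least 96 bits, i.e. only the low 32 bits may differ
        if self.start.version == 6 and (int(self.start) >> 32) != (int(self.end) >> 32):
            raise ValueError("IPv6 start_ip and end_ip may differ only in the last 32 bits")

    @property
    def size(self) -> int:
        """Number of addresses the range can hand out."""
        return int(self.end) - int(self.start) + 1

    def overlaps(self, other: DynRange) -> bool:
        return (self.start.version == other.start.version
                and self.start <= other.end and other.start <= self.end)


def parse_range(netpool: str, start_ip: str, end_ip: str, unit_name: str = "") -> DynRange:
    """Build a DynRange from the arguments of one iprange dynamic/dynamic6 command."""
    return DynRange(netpool, ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip),
                    unit_name or None)


def validate_ranges(ranges: list[DynRange]) -> list[str]:
    """Describe every overlapping pair of ranges within a Netpool (empty list = OK)."""
    problems = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.netpool == b.netpool and a.overlaps(b):
                problems.append(
                    f"{a.netpool}: {a.unit or 'shared'} range {a.start}-{a.end} "
                    f"overlaps {b.unit or 'shared'} range {b.start}-{b.end}"
                )
    return problems


def addresses_per_unit(ranges: list[DynRange]) -> dict[str, int]:
    """Total addresses available to each HA unit ('shared' for ranges bound to no unit)."""
    totals: dict[str, int] = {}
    for r in ranges:
        key = r.unit or "shared"
        totals[key] = totals.get(key, 0) + r.size
    return totals
```

Fed the two unit-specific commands from the Active/Active example, validate_ranges returns no problems and addresses_per_unit returns 25 for unit1 and 25 for unit2; shifting unit1's range to end at 192.168.0.30 produces one overlap report.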

show vpn netpool iprange dynamic <netpool>
This command is used to display all dynamic IPv4 and IPv6 ranges configured for the specified
Netpool.

clear vpn netpool iprange dynamic <netpool>
This command is used to clear all dynamic IPv4 and IPv6 ranges configured for the specified
Netpool.

vpn netpool iprange dhcp server <netpool> <server_ip>
This command is used to configure a DHCP server for the specified Netpool. A maximum of three
DHCP servers can be configured.

netpool This parameter specifies the name of the existing Netpool.

server_ip This parameter specifies the IP address of the DHCP server. Its
value must be an IPv4 address.

no vpn netpool iprange dhcp server <netpool> <server_ip>
This command is used to delete a DHCP server configured for the specified Netpool.


show vpn netpool iprange dhcp server [netpool]
This command is used to display all DHCP servers configured for the specified Netpool. If the
“netpool” parameter is not specified, the DHCP servers configured for all Netpools will be
displayed.

clear vpn netpool iprange dhcp server [netpool]
This command is used to clear all DHCP servers configured for the specified Netpool. If the
“netpool” parameter is not specified, the DHCP servers configured for all Netpools will be
cleared.

vpn netpool iprange dhcp leasetime <netpool> <lease_time>
This command is used to set the lease time of the client IP address to be requested in the DHCP
request for the specified Netpool. After the lease time expires, the client IP address assigned by
the DHCP server cannot be used by the Netpool anymore.

netpool This parameter specifies the name of the existing Netpool.

lease_time This parameter specifies the desired lease time in minutes. Its value
must be an integer ranging from 5 to 43,200.

no vpn netpool iprange dhcp leasetime <netpool>
This command is used to delete the lease time settings of the client IP address in the DHCP
request for the specified Netpool.

vpn netpool iprange dhcp subnet <netpool> <subnet> <netmask>
This command is used to set the subnet distributed by the DHCP server for the specified Netpool.
When an end user is assigned this Netpool, the DHCP server will dynamically assign an IP
address to the SSL VPN Client of the end user.

netpool This parameter specifies the name of the existing Netpool.

subnet This parameter specifies the IP address of the subnet. Its value must
be an IPv4 address.

netmask This parameter specifies the netmask of the subnet.

no vpn netpool iprange dhcp subnet <netpool>
This command is used to delete the subnet to which the client IP address belongs in the DHCP
request for the specified Netpool.

vpn netpool iprange dhcp useclientmac <netpool>
This command is used to enable the AG appliance to send the client PC’s MAC address as the
unique client ID to request the IP address from the DHCP server, when the end user is assigned
the specified Netpool.

netpool This parameter specifies the name of the existing Netpool.

no vpn netpool iprange dhcp useclientmac <netpool>
This command is used to enable the AG appliance to send an automatically generated unique
client ID to request the IP address from the DHCP server, when the end user is assigned the
specified Netpool.

show vpn netpool iprange dhcp config [netpool]
This command is used to display the DHCP configurations of the specified Netpool. If the
“netpool” parameter is not specified, the DHCP configurations of all Netpools will be displayed.

Windows SSL VPN Client Options

vpn netpool initmode activex <netpool>
This command is used to set the initiation mode of the Web-launched Array Client to “activex” for
the specified Netpool. In this mode, the Web-launched Array Client is set up with ActiveX
components. After a Netpool is configured, the “activex” VPN initiation mode is set for this
Netpool by default.

netpool This parameter specifies the name of the existing Netpool.

vpn netpool initmode java <netpool>
This command is used to set the initiation mode of the Web-launched Array Client to “java” for
the specified Netpool. In this mode, the Web-launched Array Client is set up with Java
components.

netpool This parameter specifies the name of the existing Netpool.

vpn netpool initmode autoswitch <netpool>
This command is used to enable auto switch between the “activex” and “java” initiation modes of
the Web-launched Array Client for the specified Netpool. With this function enabled, the
Web-launched Array Client is set up with ActiveX or Java depending on which works best with
the user’s PC environment. After a Netpool is configured, this function is enabled by default.

netpool This parameter specifies the name of the existing Netpool.

Note: For IE and IE-core browsers, both the “activex” and “java” initiation modes can be
used. However, for non-IE-core browsers, only the “java” initiation mode can be used.
Therefore, this command only works for IE and IE-core browsers.


no vpn netpool initmode autoswitch <netpool>
This command is used to disable auto switch between the “activex” and “java” initiation modes of
the Web-launched Array Client for the specified Netpool.

vpn netpool stayconnected <netpool>
This command is used to instruct the Web-launched Array Client to keep the VPN tunnel
connected for the specified Netpool after the browser window is closed.

netpool This parameter specifies the name of the existing Netpool.

no vpn netpool stayconnected <netpool>
This command is used to instruct the Web-launched Array Client to terminate the VPN tunnel for
the specified Netpool after the browser window is closed.

vpn netpool trayindicate <netpool>
This command is used to enable the display of the red “A” icon in the system task tray for the
specified Netpool when the Standalone Array VPN Client establishes the VPN tunnel with the AG
appliance. After a Netpool is configured, this function is enabled for this Netpool by default.

netpool This parameter specifies the name of the existing Netpool.

no vpn netpool trayindicate <netpool>
This command is used to disable the display of the red “A” icon in the system task tray for the
specified Netpool when the Standalone Array VPN Client establishes the VPN tunnel with the AG
appliance.

vpn netpool webindicate <netpool>
This command is used to enable the display of the red “A” icon in the system task tray for the
specified Netpool when the Web-launched Array VPN Client establishes the VPN tunnel with the
AG appliance.

netpool This parameter specifies the name of the existing Netpool.

no vpn netpool webindicate <netpool>
This command is used to disable the display of the red “A” icon in the system task tray for the
specified Netpool when the Web-launched Array VPN Client establishes the VPN tunnel with the
AG appliance.

Automatic VPN Launch

vpn netpool autolaunch <netpool> [mode]
This command is used to instruct the SSL VPN Client to automatically launch the VPN for the
specified Netpool.

netpool This parameter specifies the name of the existing Netpool.

mode Optional. This parameter specifies whether to skip the Welcome
page when VPN auto launch fails. Its value must only be:

• “stoponerr”: indicates that the Welcome page will be skipped when VPN auto launch
fails.
• empty: indicates that the Welcome page will not be skipped when VPN auto launch
fails.

The default value is empty.

no vpn netpool autolaunch <netpool>
This command is used to instruct the VPN client not to start automatically for the specified
Netpool.

NAT

vpn netpool nat <netpool> [mode]
This command is used to enable the VPN Netpool NAT function for the specified Netpool. By
default, this function is disabled.

netpool This parameter specifies the name of the existing Netpool.

mode Optional. This parameter specifies whether the NAT configurations
under the global scope or under the virtual site scope are used for
VPN NAT.

• “useglobal”: indicates that the NAT configurations under the global scope are used.
• empty: indicates that the NAT configurations under the site scope are used.

The default value is empty.

Note:

• When the VPN Netpool NAT function is enabled and the administrator accesses the
AG appliance through L3VPN, the AG appliance cannot initiatively communicate
with the L3VPN client.

• To use the Site2Site VPN function, the VPN NAT function should be disabled.

The following commands cannot be executed if the SCP/TFTP server is installed on the
L3VPN client:

• write net scp
• write net tftp
• write net all scp
• write net all tftp
• configure net scp
• configure net tftp
• configure net http
• configure net all scp
• configure net all tftp
• configure net all http

The following commands cannot be executed to ping or traceroute the L3VPN client:

• ping
• ping6
• traceroute
• traceroute6

no vpn netpool nat <netpool>
This command is used to disable the VPN Netpool NAT function for the specified Netpool.

IPSec over SSL

vpn netpool tunnelipsec <netpool>
This command is used to enable the IPSec over SSL function for the specified Netpool. By default,
this function is disabled.

netpool This parameter specifies the name of the existing Netpool.

no vpn netpool tunnelipsec <netpool>
This command is used to disable the IPSec over SSL function for the specified Netpool.

Keep-alive Interval

vpn netpool keepalive <netpool> [interval]
This command is used to set the client keep-alive interval for the specified Netpool. During the
specified interval of the VPN being inactive, the SSL VPN Client will send the VPN server a
“keepalive” packet to keep the VPN tunnel alive. After a Netpool is configured, the default
interval for this Netpool is 30 seconds.

netpool This parameter specifies the name of the existing Netpool.

interval This parameter specifies the interval that the VPN tunnel will be
kept alive while being inactive. Its value must be an integer ranging
from 1 to 60, in seconds.

no vpn netpool keepalive <netpool>
This command is used to reset the client keep-alive interval to its default value for the specified
Netpool.

Routing

vpn netpool route gateway <netpool> <gateway_ip> [unit_name]
This command is used to configure a route gateway for the specified Netpool.

netpool This parameter specifies the name of the existing Netpool.

gateway_ip This parameter specifies the IP address of the route gateway. Its
value must be an IPv4 address.

unit_name Optional. This parameter specifies the name of an existing HA unit
for which this route gateway works. This parameter needs to be
specified only when the HA function is enabled. If the HA function
is disabled, this parameter setting will be ignored. The default
value is empty.

Note: This command works both for SSL VPN and Mobile VPN.

no vpn netpool route gateway <netpool> <gateway_ip> [unit_name]
This command is used to delete a route gateway of the specified Netpool.

vpn netpool route default <netpool>
This command is used to configure the default route using the route gateway (configured using the
“vpn netpool route gateway <netpool> <gateway_ip> [unit_name]” command) for the
specified Netpool. The default route for the Netpool will be used only when the received packet
sent by the SSL VPN Client does not match any route in the global routing table.

If this command is not configured for a Netpool, received packets will always be sent through the
route gateway configured for the Netpool using the “vpn netpool route gateway <netpool>
<gateway_ip> [unit_name]” command.

If neither the route gateway nor the default route is configured for the Netpool, the received packet
will be sent based on the global routing table.

netpool This parameter specifies the name of the existing Netpool.

Note: This command works both for SSL VPN and Mobile VPN.

no vpn netpool route default <netpool>
This command is used to delete the default route gateway for the specified Netpool.
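The three forwarding cases described for “vpn netpool route gateway” and “vpn netpool route default” above, as an added example (not Array Networks code): a route gateway alone sends every client packet through the gateway, a gateway plus the default route consults the global routing table first and falls back to the gateway only when nothing matches, and with neither configured only the global routing table decides. The global routing table is modelled as a longest-prefix match over (prefix, next hop) pairs; that table, the gateway address and the destinations are constructed samples.

```python
"""Forwarding decision for a packet received from an SSL VPN client.

Added example, not Array Networks code.  Encodes the documented behaviour of
"vpn netpool route gateway" and "vpn netpool route default".  The global
routing table is modelled as longest-prefix match over (prefix, next hop)
pairs; routes, gateway and destinations below are constructed samples.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable


class NetpoolRouting:
    def __init__(self, global_routes: Iterable[tuple[str, str]],
                 netpool_gateway: str | None = None, default_route: bool = False) -> None:
        # global_routes: ("10.10.0.0/16", "10.10.0.254") style pairs
        self.global_routes = [(ipaddress.ip_network(prefix), hop) for prefix, hop in global_routes]
        self.netpool_gateway = netpool_gateway  # "vpn netpool route gateway"
        self.default_route = default_route      # "vpn netpool route default"
        if default_route and netpool_gateway is None:
            raise ValueError("vpn netpool route default needs a route gateway to use")

    def global_lookup(self, dst: str) -> str | None:
        """Longest-prefix match in the global routing table; None when no route matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.global_routes:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, hop)
        return best[1] if best else None

    def next_hop(self, dst: str) -> tuple[str | None, str]:
        """Return (next hop, reason) for a packet the SSL VPN Client sent to dst."""
        if self.netpool_gateway and not self.default_route:
            # gateway configured, no default route: the gateway takes every packet
            return self.netpool_gateway, "netpool route gateway (used for every packet)"
        hop = self.global_lookup(dst)
        if hop is not None:
            return hop, "global routing table"
        if self.default_route:
            # no global route matched: the Netpool default route points at the gateway
            return self.netpool_gateway, "netpool default route (no global route matched)"
        return None, "no route"
```

With a global table holding only 10.10.0.0/16 via 10.10.0.254 and a Netpool gateway of 192.0.2.1, a packet for 10.10.5.5 goes to 192.0.2.1 when only the gateway is configured, to 10.10.0.254 once the default route is added, and a packet for 8.8.8.8 reaches 192.0.2.1 in both of those cases but has no route when neither command is configured.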

Client Subnet

vpn netpool clientsubnet <netpool>
This command is used to add a client subnet resource item to a specified Netpool. After this
command is configured, the traffic destined for the local subnet will not be sent through the SSL
VPN tunnel. This function is useful when the SSL VPN tunnel contains the local subnet.

netpool This parameter specifies the name of the existing Netpool.

no vpn netpool clientsubnet <netpool>
This command is used to delete a client subnet resource item from a specified Netpool.

VPN Traffic Logging

vpn netpool trafficlog <netpool>
This command is used to enable VPN traffic logging for the specified Netpool.

netpool This parameter specifies the name of the existing Netpool.

Note: To use the Site2Site VPN function, the VPN traffic logging function should be
disabled.

no vpn netpool trafficlog <netpool>
This command is used to disable VPN traffic logging for the specified Netpool.

Windows Administrator Account

vpn netpool winadmin <netpool> <username> <password> [account_id]
This command is used to configure a Windows administrator account for the specified Netpool. If
the Netpool is authorized to a Windows user without administrator privileges, the Windows user
can use this Windows administrator account to install the Array Client. Otherwise, the Windows
user without administrator privileges cannot install the Array Client on Windows PCs. A
maximum of 255 Windows administrator accounts can be configured for a Netpool.

netpool This parameter specifies the name of the existing Netpool.

username This parameter specifies the username of the Windows
administrator account. Its value must be a case-insensitive string of
1 to 255 characters.

password This parameter specifies the password of the Windows
administrator account. Its value must be a case-insensitive string of
1 to 255 characters.

account_id Optional. This parameter specifies the ID that the Netpool assigns
to the Windows administrator account. Its value must be a string of
1 to 255 characters. When the administrator does not specify this
parameter for the first time, its value will be “1”; its value will be
increased by 1 each time this parameter is not specified. The IDs of
Windows administrator accounts for a Netpool must be unique. The
default value is “1”.

no vpn netpool winadmin <netpool> <account_id>
This command is used to delete a Windows administrator account for the specified Netpool.

show vpn netpool winadmin [netpool]
This command is used to display the Windows administrator accounts for the specified Netpool. If
the “netpool” parameter is not specified, the Windows administrator accounts of all Netpools will
be displayed.

Proxy

vpn netpool proxy <netpool> <type> <server_url>
This command is used to set the inside proxy server for the specified Netpool. This function works
for SSL VPN only. This function should be used when the AG appliance cannot connect to the
backend server.

netpool This parameter specifies the name of the existing Netpool.

type This parameter specifies the type of the proxy server. Its value must
only be “manual” or “script”.

server_url This parameter specifies the URL of the proxy server. Its value
must be a string of 1 to 256 characters. Its value must be:

• “proxy_server”: specifies the inside proxy server and is available only when “type” is
set to “manual”. Its value must be in the format “host:port”, in which the “host” part
can be either an IP address or a hostname.

• “script_url”: indicates the URL of the automatic configuration script used to determine
the inside proxy server and is available only when “type” is set to “script”.

no vpn netpool proxy <netpool>
This command is used to delete the inside proxy server for the specified Netpool.

vpn netpool proxyrewrite on <netpool>
This command is used to enable the rewriting of the client proxy script for the specified Netpool.
By default, the rewriting of the client proxy script is enabled for every Netpool.

netpool This parameter specifies the name of the existing Netpool.

vpn netpool proxyrewrite off <netpool>
This command is used to disable the rewriting of the client proxy script for the specified Netpool.

netpool This parameter specifies the name of the existing Netpool.

NetBIOS over TCP/IP

vpn netpool netbios {on|off} <netpool>
This command is used to enable or disable the Network Basic Input Output System (NetBIOS)
over TCP/IP function for the SSL VPN Client that is assigned the specified Netpool. By default,
this function is enabled for the SSL VPN Client. This function works for the SSL VPN Client on
the Windows OS for now.

netpool This parameter specifies the name of an existing Netpool.

Command Execution on VPN Connection or Disconnection

vpn netpool launch command <netpool> <path>

This command is used to add the path of an application or file to be executed upon successful
launch of a VPN tunnel for the specified Netpool. After this command is configured, the specified
application or file will be opened automatically whenever the VPN tunnel is established. Because
the path is executed on the end user's machine every time a tunnel comes up, point it only at a
trusted, fixed location.

netpool This parameter specifies the name of the existing Netpool.

path This parameter specifies the path of the application or file to be
launched. If a file path is specified, the filename must be included.
Its value must be a string of 1 to 256 characters.

For example:

vs(config)$vpn netpool launch command netpool1 c:\test\a.txt

After this command is executed, the file a.txt will be opened automatically when a VPN tunnel is
established.

no vpn netpool launch command <netpool> <path>


This command is used to delete a path of the application or file to be executed upon successful
launch of a VPN tunnel for the specified Netpool.

show vpn netpool launch command <netpool>


This command is used to display the list of applications or files to be executed upon successful
launch of a VPN tunnel for the specified Netpool.

clear vpn netpool launch command <netpool>


This command is used to clear the list of applications or files to be executed upon successful
launch of a VPN tunnel for the specified Netpool.

vpn netpool launch stoponerr <netpool>


This command is used to instruct the Array Client to terminate the VPN tunnel if the execution of
applications or files configured using the “vpn netpool launch command” command encounters
any error, when the end user is assigned the specified Netpool.

netpool This parameter specifies the name of the existing Netpool.

no vpn netpool launch stoponerr <netpool>


This command is used to instruct the Array Client to maintain a connection even if the execution
of applications or files configured using the “vpn netpool launch command” command
encounters any error, when the end user is assigned the specified Netpool.

vpn netpool disconnect command <netpool> <path>


This command is used to add a path of the application or file to be executed upon successful
disconnection of a VPN tunnel for the specified Netpool. After this command is configured, the
specified application or file will be automatically opened when the VPN tunnel is disconnected.

netpool This parameter specifies the name of the existing Netpool.

path This parameter specifies the path of the application or file to be
launched. Its value must be a string of 1 to 256 characters.

For example:

vs(config)$vpn netpool disconnect command netpool1 c:\test\a.txt

After this command is executed, the file a.txt will be opened when a VPN tunnel is disconnected.

no vpn netpool disconnect command <netpool> <path>


This command is used to delete a path of the application or file to be executed upon successful
disconnection of VPN tunnel for the specified Netpool.

show vpn netpool disconnect command <netpool>


This command is used to display the list of applications or files to be executed upon successful
disconnection of a VPN tunnel for the specified Netpool.

clear vpn netpool disconnect command <netpool>


This command is used to clear the list of applications or files to be executed upon successful
disconnection of a VPN tunnel for the specified Netpool.

vpn netpool disconnect stoponerr <netpool>

This command is used to instruct the Array Client to keep the VPN tunnel up if the execution of
the applications or files configured using the “vpn netpool disconnect command” command
encounters any error, when the end user is assigned the specified Netpool.

netpool This parameter specifies the name of the existing Netpool.

no vpn netpool disconnect stoponerr <netpool>

This command is used to instruct the Array Client to drop the VPN tunnel even if the execution
of the applications or files configured using the “vpn netpool disconnect command” command
encounters any error, when the end user is assigned the specified Netpool.

DNS Settings

vpn netpool dns hostmap <netpool> <hostname> [hostip]

This command is used to add a static IPv4 DNS record (a hostname-to-address mapping) for the
specified host name in the specified Netpool. This function works for SSL VPN only.

netpool This parameter specifies the name of the existing Netpool.

hostname This parameter specifies the host name to be mapped. Its value
must be a string of 1 to 31 characters.

hostip Optional. This parameter specifies the IPv4 address that the host
name resolves to. The default value is “127.0.0.1”.

no vpn netpool dns hostmap <netpool> <hostname> [hostip]

This command is used to delete an IPv4 DNS host record for the specified Netpool.

2000-2018 Array Networks, Inc.


220
All Rights Reserved.
Chapter 6 Access Method

vpn netpool dns hostmap6 <netpool> <hostname> <hostip>

This command is used to add a static IPv6 DNS record (a hostname-to-address mapping) for the
specified host name in the specified Netpool. This function works for SSL VPN only.

netpool This parameter specifies the name of the existing Netpool.

hostname This parameter specifies the host name to be mapped. Its value
must be a string of 1 to 31 characters.

hostip This parameter specifies the IPv6 address that the host name resolves to.

no vpn netpool dns hostmap6 <netpool> <hostname> [hostip]

This command is used to delete an IPv6 DNS host record for the specified Netpool.

show vpn netpool dns hostmap <netpool>


This command is used to display all IPv4 and IPv6 DNS hosts for the specified Netpool.

clear vpn netpool dns hostmap <netpool>


This command is used to clear all IPv4 and IPv6 DNS hosts for the specified Netpool.

vpn netpool dns timeout local <netpool> <timeout>


This command is used to set the timeout of the local DNS server for the specified Netpool. After a
Netpool is configured, the default timeout of the local DNS server for this Netpool is 1000
milliseconds.

netpool This parameter specifies the name of the Netpool.

timeout This parameter specifies the timeout value in milliseconds. Its value
must be an integer ranging from 5 to 3,000.

Note: This command works for the SSL VPN Client on Windows only.

no vpn netpool dns timeout local <netpool>


This command is used to reset the timeout of the local DNS server to its default value for the
specified Netpool.

vpn netpool dns timeout virtual <netpool> <timeout>

This command is used to set the timeout of the virtual DNS server (including global DNS servers
and site DNS servers) for the specified Netpool. After a Netpool is configured, the default timeout
of the virtual DNS server for this Netpool is 1000 milliseconds.

netpool This parameter specifies the name of the existing Netpool.

timeout This parameter specifies the timeout value in milliseconds. Its value
must be an integer ranging from 5 to 3,000. Some network
environments, such as 3G or Wi-Fi, have a large round-trip time
(RTT). Administrators should increase the Netpool's DNS timeout
value if SSL VPN Client users' network RTT is larger than the
Netpool's default DNS timeout.

Note: This command works for the SSL VPN Client on Windows only.

no vpn netpool dns timeout virtual <netpool>


This command is used to reset the timeout of the virtual DNS server to its default value for the
specified Netpool.

vpn netpool dns timeout windows <netpool> <timeout>


This command is used to set the timeout of the Windows DNS server for the specified Netpool.
After a Netpool is configured, the default timeout of the Windows DNS server for this Netpool is
5000 milliseconds.

netpool This parameter specifies the name of the existing Netpool.

timeout This parameter specifies the timeout value in milliseconds. Its value
must be between 1,000 and 15,000.

no vpn netpool dns timeout windows <netpool>


This command is used to reset the timeout of the Windows DNS server to its default value for the
specified Netpool.

vpn netpool dns filter virtual <netpool> <host> <flag>

This command is used to configure a virtual DNS filter rule for the specified Netpool. After this
command is configured, when the hostname to be resolved by the SSL VPN Client matches the
“host” parameter of a virtual DNS filter rule, the SSL VPN Client will use only the virtual DNS
server (the DNS server assigned by the virtual site) to perform the DNS resolution. When the
hostname does not match any virtual DNS filter rule, the SSL VPN Client will perform DNS
resolution according to the setting of the “flag” parameter.

If the hostname matches multiple virtual DNS filter rules, the SSL VPN Client will select the
longest matching virtual DNS filter rule.

netpool This parameter specifies the name of the existing Netpool.

host This parameter specifies the hostname to be resolved. Its value must
be a string of 1 to 31 characters in the format xxx.yyy.zzz. The value
“all” matches all hostnames. The wildcard “*” is also supported.

flag This parameter specifies the policy that the system will apply to
DNS queries that do not match the virtual DNS filter rule. Its
value must be:

- 0: indicates that the SSL VPN Client will perform the normal
DNS resolution process. Please refer to the ArrayOS AG User
Guide for details.

- 1: indicates that the SSL VPN Client will use only the local
DNS server to perform the DNS resolution.

If the “host” parameter is set to “all”, the SSL VPN Client will use
only the virtual DNS server to perform the DNS resolution,
regardless of what the “flag” parameter is set to.

For example:

vs(config)#vpn netpool dns filter virtual pool "a.b.com" 0
vs(config)#vpn netpool dns filter virtual pool "*.a.com" 1
vs(config)#vpn netpool dns filter virtual pool "*.c.*" 1

no vpn netpool dns filter virtual <netpool> <host>


This command is used to delete the specified virtual DNS filter rule configured for the specified
Netpool.

vpn netpool dns filter local <netpool> <host> <flag>

This command is used to configure a local DNS filter rule for the specified Netpool. After this
command is configured, when the hostname to be resolved by the SSL VPN Client matches the
“host” parameter of a local DNS filter rule, the SSL VPN Client will use only the local DNS
server to perform the DNS resolution. When the hostname does not match any local DNS filter
rule, the SSL VPN Client will perform DNS resolution according to the setting of the “flag”
parameter.

If the hostname matches multiple local DNS filter rules, the SSL VPN Client will use the
longest matching local DNS filter rule.

netpool This parameter specifies the name of the existing Netpool.

host This parameter specifies the hostname to be resolved. Its value must
be a string of 1 to 31 characters in the format xxx.yyy.zzz. The value
“all” matches all hostnames. The wildcard “*” is also supported.

flag This parameter specifies the policy that the system will apply to
DNS queries that do not match the local DNS filter rule. Its
value must be:

- 0: indicates that the SSL VPN Client will perform the normal
DNS resolution process. Please refer to the ArrayOS AG User
Guide for details.

- 1: indicates that the SSL VPN Client will use only the virtual
DNS server to perform the DNS resolution.

If the “host” parameter is set to “all”, the SSL VPN Client will use
only the local DNS server to perform the DNS resolution,
regardless of what the “flag” parameter is set to.

For example:

vs(config)#vpn netpool dns filter local pool "a.b.com" 0
vs(config)#vpn netpool dns filter local pool "*.a.com" 1
vs(config)#vpn netpool dns filter local pool "*.c.*" 1

Note:

- If no virtual or local DNS filter rule is configured, the SSL VPN Client will perform
the normal DNS resolution process.

- If both virtual and local DNS filter rules are configured:

  - If the hostname matches a virtual DNS filter rule, the virtual DNS filter rule takes
  effect.

  - If the hostname does not match any virtual DNS filter rule but matches a local DNS
  filter rule, the local DNS filter rule takes effect.

  - If the hostname does not match any virtual or local DNS filter rule, but a virtual
  DNS filter rule with flag=1 exists, that virtual DNS filter rule takes effect (the local
  DNS server is used).

  - If the hostname does not match any virtual or local DNS filter rule, but a virtual
  DNS filter rule with flag=0 exists, the SSL VPN Client performs the normal DNS
  resolution process.

no vpn netpool dns filter local <netpool> <host>


This command is used to delete the specified local DNS filter rule configured for the specified
Netpool.

clear vpn netpool dns filter <netpool>

2000-2018 Array Networks, Inc.


224
All Rights Reserved.
Chapter 6 Access Method

This command is used to clear all virtual and local DNS filter rules configured for the specified
Netpool.
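The selection logic described above, written out as a small Python model. This is an added example and not Array Networks code: it parses the “vpn netpool dns filter virtual” and “vpn netpool dns filter local” commands from this page and answers which resolver the client should use for a given name, applying the longest-match, “all”, “*” and flag rules and the precedence from the Note. The fnmatch-style wildcard (a “*” may span dots), case-insensitive matching and the “longest pattern string” tie-break are assumptions; the handbook does not specify them.

```python
"""Model of the Netpool DNS filter selection logic (added example, not Array code).

Implements the matching rules documented for "vpn netpool dns filter virtual"
and "vpn netpool dns filter local": longest match wins within a list, "all"
matches everything, "*" is a wildcard, and the "flag" of the configured rules
decides what happens when nothing matches.  Assumptions not stated on the
page: "*" is matched fnmatch-style (it may span dots), matching is
case-insensitive, and "longest" means the longest pattern string.
"""
import re
import shlex
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional

NORMAL = "normal"         # flag 0 behaviour: the client's ordinary resolution process
VIRTUAL_ONLY = "virtual"  # only the DNS server assigned by the virtual site
LOCAL_ONLY = "local"      # only the client's local DNS server

_PROMPT = re.compile(r"^\S*\(config\)[#$]\s*")  # strips a "vs(config)#" style prompt


@dataclass(frozen=True)
class Rule:
    host: str  # "all", an exact name, or a pattern containing "*"
    flag: int  # policy for names matching NO rule: 0 = normal, 1 = only the other server

    def matches(self, name: str) -> bool:
        return self.host == "all" or fnmatchcase(name.lower(), self.host.lower())


def longest_match(rules: List[Rule], name: str) -> Optional[Rule]:
    hits = [r for r in rules if r.matches(name)]
    return max(hits, key=lambda r: len(r.host)) if hits else None


@dataclass
class NetpoolDnsFilter:
    virtual_rules: List[Rule] = field(default_factory=list)
    local_rules: List[Rule] = field(default_factory=list)

    def add_cli(self, line: str) -> None:
        """Accept one 'vpn netpool dns filter {virtual|local} <netpool> <host> <flag>' line."""
        parts = shlex.split(_PROMPT.sub("", line.strip()))
        if len(parts) != 8 or parts[:4] != ["vpn", "netpool", "dns", "filter"]:
            raise ValueError(f"not a dns filter command: {line!r}")
        kind, host, flag = parts[4], parts[6], int(parts[7])
        if kind not in ("virtual", "local") or not 1 <= len(host) <= 31 or flag not in (0, 1):
            raise ValueError(f"bad kind, host length or flag: {line!r}")
        (self.virtual_rules if kind == "virtual" else self.local_rules).append(Rule(host, flag))

    def resolver_for(self, name: str) -> str:
        """Which resolver the SSL VPN Client should use for 'name'."""
        # 1. A matching virtual rule always wins over a matching local rule.
        if longest_match(self.virtual_rules, name) is not None:
            return VIRTUAL_ONLY
        if longest_match(self.local_rules, name) is not None:
            return LOCAL_ONLY
        # 2. Nothing matched: the flag of the configured rules decides.  When both
        #    lists exist, the Note on the page consults the virtual rules only.
        if self.virtual_rules:
            return LOCAL_ONLY if any(r.flag == 1 for r in self.virtual_rules) else NORMAL
        if self.local_rules:
            return VIRTUAL_ONLY if any(r.flag == 1 for r in self.local_rules) else NORMAL
        return NORMAL


def from_cli(lines: List[str]) -> NetpoolDnsFilter:
    f = NetpoolDnsFilter()
    for line in lines:
        f.add_cli(line)
    return f


# The six example commands from the handbook, fed through the parser.
HANDBOOK_EXAMPLE = from_cli([
    'vs(config)#vpn netpool dns filter virtual pool "a.b.com" 0',
    'vs(config)#vpn netpool dns filter virtual pool "*.a.com" 1',
    'vs(config)#vpn netpool dns filter virtual pool "*.c.*" 1',
    'vs(config)#vpn netpool dns filter local pool "a.b.com" 0',
    'vs(config)#vpn netpool dns filter local pool "*.a.com" 1',
    'vs(config)#vpn netpool dns filter local pool "*.c.*" 1',
])

if __name__ == "__main__":
    for n in ("a.b.com", "x.a.com", "host.c.example", "www.example.net"):
        print(f"{n:20} -> {HANDBOOK_EXAMPLE.resolver_for(n)}")
```

With the handbook's six rules, any name that matches none of them ends up on the local DNS server, because virtual rules with flag=1 exist; delete those rules or set their flag to 0 if unmatched names should follow the normal process instead.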

vpn netpool dns clientproxy {on|off} <netpool>


This command is used to enable or disable the client DNS proxy function for a specified Netpool.
This function works only for SSL VPN Clients installed on Windows PCs.

- With this function enabled, the SSL VPN Client resolves all DNS queries by following a
fixed DNS resolution process in which the DNS settings configured for the specified Netpool
are used first.

- With this function disabled, the SSL VPN Client resolves DNS queries based on the DNS
resolution process of the Windows TCP/IP stack on the PC on which the SSL VPN Client is
installed.

By default, this function is enabled.

netpool This parameter specifies the name of an existing Netpool.

Note: IPv6 DNS queries cannot be processed by the client DNS proxy function, except those
that match an IPv6 DNS hostmap record (configured using the “vpn netpool dns hostmap6”
command).

show vpn netpool dns config [netpool]


This command is used to display the DNS configuration of the specified Netpool. If the “netpool”
parameter is not specified, the DNS configurations of all Netpools will be displayed.

Multicast Forwarding

vpn netpool multicast <netpool>


This command is used to enable the multicast forwarding function for the specified Netpool.

netpool This parameter specifies the name of the existing Netpool.

no vpn netpool multicast <netpool>


This command is used to disable the multicast forwarding function for the specified Netpool.

show vpn netpool config [netpool]


This command is used to display the configuration of the specified Netpool or of all Netpools.

VPN Resource/VPN Resource Group

vpn resource group <resource_group>

This command is used to define a VPN resource group.

A VPN resource group must be configured whether backend resources are accessed through an
L3VPN tunnel or a Site2Site VPN tunnel.

resource_group This parameter specifies the name of the VPN resource group. Its
value must be a string of 1 to 31 characters.

no vpn resource group <resource_group>


This command is used to delete a VPN resource group.

show vpn resource group [resource_group]


This command is used to display the specified VPN resource group. If the “resource_group”
parameter is not specified, all VPN resource groups will be displayed.

clear vpn resource group [resource_group]


This command is used to delete the specified VPN resource group and clear all related
configurations. If the “resource_group” parameter is not specified, all VPN resource groups and
related configurations will be cleared.

vpn resource groupitem network <resource_group> <net_resource> [type]

This command is used to add a network resource item to the specified VPN resource group. When
the L3VPN or Site2Site VPN tunnel is established, the traffic to the network resources specified
by the “net_resource” parameter will pass through the L3VPN tunnel or Site2Site VPN tunnel.

For Site2Site VPN, to make the subnets on the spokes and hubs accessible, you should configure
them as network resources. If NAT rules are configured for Site2Site VPN using the “vpn
site2site forward” command, you should configure the virtual subnet specified by the parameters
“virtual_subnet_IP” and “virtual_subnet_netmask” as the network resource instead of the real
subnet on the spoke/hub.

resource_group This parameter specifies the name of the existing VPN resource
group.

net_resource This parameter specifies the network resource. Its value
must be a string of 7 to 127 characters in the format
“[IP]/[Mask]:[Start Port]-[End Port]” or “[Start IP]-[End IP]:[Start
Port]-[End Port]”. For the “[Start IP]-[End IP]:[Start Port]-[End
Port]” format, a standard IP range should be used; otherwise the
configuration will fail to take effect. Both IPv4 and IPv6 network
resources are supported. The [IP]/[Mask] or [Start IP]-[End IP]
part is mandatory, while the “[Start Port]-[End Port]” part is
optional. When the “[Start Port]-[End Port]” part is omitted, all
ports are included.

For Site2Site VPN with NAT configured, the parameter value
should be set to the subnet specified by the parameters
“virtual_subnet_IP” and “virtual_subnet_netmask”.

type Optional. This parameter specifies the type of the services that can
use the network resource. Its value must be:

- “0”: indicates that this network resource is used for both L3 and L4 services.

- “1”: indicates that this network resource is used for L3 or Site2Site services.

- “2”: indicates that this network resource is used for only L4 services.

The default value is “1”.

Note: This parameter must be set to “1” for the Site2Site VPN
function.

For example:

vs(config)$vpn resource groupitem network "g1" "10.10.10.0/24"
vs(config)$vpn resource groupitem network "g2" "fe80:1001::/64:0-65535" 1
vs(config)$vpn resource groupitem network "g1" "172.16.2.1-172.16.2.127" 1
vs(config)$vpn resource groupitem network "g2" "172.16.0.1-172.16.3.255:0-65535" 1

no vpn resource groupitem network <resource_group> <net_resource>


This command is used to delete a network resource item from the specified VPN resource group.

show vpn resource groupitem network [resource_group]


This command is used to display the network resource items for the specified VPN resource group.
If the “resource_group” parameter is not specified, all the network resource items of all VPN
resource groups will be displayed.

clear vpn resource groupitem network [resource_group]


This command is used to clear the network resource items for the specified VPN resource group.
If the “resource_group” parameter is not specified, all the network resource items of all VPN
resource groups will be cleared.

vpn resource groupexcludeditem network <resource_group> <net_resource> [type]

This command is used to add a network resource item to the exclude list for the specified VPN
resource group. For L3VPN, when the L3VPN tunnel is established, clients cannot access the
network resources specified by the “net_resource” parameter through the L3VPN tunnel.

2000-2018 Array Networks, Inc.


227
All Rights Reserved.
Chapter 6 Access Method

resource_group This parameter specifies the name of the existing VPN resource
group.

net_resource This parameter specifies the network resource. Its value
must be a string of 7 to 127 characters in the format
“[IP]/[Mask]:[Start Port]-[End Port]” or “[Start IP]-[End IP]:[Start
Port]-[End Port]”. For the “[Start IP]-[End IP]:[Start Port]-[End
Port]” format, a standard IP range should be used; otherwise the
configuration will fail to take effect. Both IPv4 and IPv6 network
resources are supported. The [IP]/[Mask] or [Start IP]-[End IP]
part is mandatory, while the “[Start Port]-[End Port]” part is
optional. When the “[Start Port]-[End Port]” part is omitted, all
ports are included.

type Optional. This parameter specifies the type of the services for which
the network resource is excluded. Its value must be:

- “0”: indicates that this network resource is excluded for both L3 and L4 services.

- “1”: indicates that this network resource is excluded for L3 services.

- “2”: indicates that this network resource is excluded for only L4 services.

The default value is “1”.

Note: If no default gateway is configured on a client PC, the exclude list configured
for the VPN network resource group will not take effect for that client PC.

For example:

vs(config)$vpn resource groupexcludeditem network "g1" "10.10.10.0/24"
vs(config)$vpn resource groupexcludeditem network "g2" "fe80:1001::/64:0-65535" 1
vs(config)$vpn resource groupexcludeditem network "g1" "172.16.2.1-172.16.2.127" 1
vs(config)$vpn resource groupexcludeditem network "g2" "172.16.0.1-172.16.3.255:0-65535" 1

no vpn resource groupexcludeditem network <resource_group> <net_resource>

This command is used to delete a network resource item from the exclude list for the specified
VPN resource group.

show vpn resource groupexcludeditem network [resource_group]

2000-2018 Array Networks, Inc.


228
All Rights Reserved.
Chapter 6 Access Method

This command is used to display the list of excluded network resource items for the specified
VPN resource group. If the “resource_group” parameter is not specified, the lists of excluded
network resource items for all VPN resource groups will be displayed.

clear vpn resource groupexcludeditem network [resource_group]


This command is used to clear the entire list of excluded network resource items for the specified
VPN resource group. If the “resource_group” parameter is not specified, the lists of excluded
network resource items for all VPN resource groups will be cleared.
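As an added example (not Array Networks code), the following Python parser validates the “net_resource” format documented for “vpn resource groupitem network” and “vpn resource groupexcludeditem network” above and decides whether a destination is sent through the tunnel once the exclude list is applied. Assumptions not stated on the page: the port suffix is detected as a trailing “lo-hi” field after the last colon (needed to cope with IPv6 literals), a standard range means start not greater than end within one address family, an excluded item overrides an included one, and the two exclusions in demo_group() are constructed for the demonstration.

```python
"""Parser and split-tunnel decision for VPN resource group network items
(added example, not Array code).

Accepts the two documented forms, "[IP]/[Mask]" and "[Start IP]-[End IP]",
each with an optional ":[Start Port]-[End Port]" suffix, for IPv4 and IPv6,
and answers whether a destination is routed through the tunnel once the
group's excluded items are taken into account.  Assumptions not stated on
the page: the port suffix is the last colon-separated field of the form
"lo-hi" (this disambiguates IPv6 literals), a "standard IP range" means
start <= end within one address family, and an excluded item overrides an
included one.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

L3, L4 = "L3", "L4"
_PORT_RANGE = re.compile(r"^(\d{1,5})-(\d{1,5})$")


@dataclass(frozen=True)
class NetResource:
    first: int     # first address of the range, as an integer
    last: int      # last address of the range
    version: int   # 4 or 6
    port_lo: int
    port_hi: int
    rtype: int     # 0 = L3 and L4, 1 = L3 (or Site2Site), 2 = L4 only

    def covers(self, ip: str, port: int, service: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if addr.version != self.version or not self.first <= int(addr) <= self.last:
            return False
        if not self.port_lo <= port <= self.port_hi:
            return False
        return (self.rtype == 0 or (self.rtype == 1 and service == L3)
                or (self.rtype == 2 and service == L4))


def parse_net_resource(spec: str, rtype: int = 1) -> NetResource:
    """Validate one net_resource value as the CLI documents it."""
    spec = spec.strip()
    if not 7 <= len(spec) <= 127:
        raise ValueError("net_resource must be 7 to 127 characters")
    if rtype not in (0, 1, 2):
        raise ValueError("type must be 0, 1 or 2")
    addr_part, port_lo, port_hi = spec, 0, 65535         # no suffix means all ports
    head, sep, tail = spec.rpartition(":")
    m = _PORT_RANGE.match(tail.strip())
    if sep and m:
        addr_part = head
        port_lo, port_hi = int(m.group(1)), int(m.group(2))
        if not port_lo <= port_hi <= 65535:
            raise ValueError(f"bad port range in {spec!r}")
    if "/" in addr_part:
        net = ipaddress.ip_network(addr_part, strict=False)
        first, last, version = int(net.network_address), int(net.broadcast_address), net.version
    elif "-" in addr_part:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in addr_part.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"not a standard IP range: {addr_part!r}")
        first, last, version = int(lo), int(hi), lo.version
    else:
        raise ValueError(f"expected [IP]/[Mask] or [Start IP]-[End IP]: {addr_part!r}")
    return NetResource(first, last, version, port_lo, port_hi, rtype)


@dataclass
class ResourceGroup:
    name: str
    items: List[NetResource] = field(default_factory=list)      # groupitem network
    excluded: List[NetResource] = field(default_factory=list)   # groupexcludeditem network

    def add_item(self, spec: str, rtype: int = 1) -> None:
        self.items.append(parse_net_resource(spec, rtype))

    def add_excluded(self, spec: str, rtype: int = 1) -> None:
        self.excluded.append(parse_net_resource(spec, rtype))

    def tunnels(self, ip: str, port: int, service: str = L3) -> bool:
        """True if traffic to ip:port for this service type goes through the tunnel."""
        if any(x.covers(ip, port, service) for x in self.excluded):
            return False
        return any(i.covers(ip, port, service) for i in self.items)


def demo_group() -> ResourceGroup:
    """Group "g1" built from the handbook's example values plus two constructed exclusions."""
    g = ResourceGroup("g1")
    g.add_item("10.10.10.0/24")                              # L3, all ports
    g.add_item("172.16.0.1-172.16.3.255: 0-65535", 1)        # a stray space before the ports is tolerated
    g.add_item("fe80:1001::/64:0-65535", 1)
    g.add_excluded("10.10.10.128-10.10.10.255", 1)           # constructed: upper half stays off the tunnel
    g.add_excluded("172.16.0.1-172.16.3.255:3389-3389", 0)   # constructed: no RDP over the tunnel
    return g


if __name__ == "__main__":
    g = demo_group()
    for dest in (("10.10.10.3", 443), ("10.10.10.200", 443), ("172.16.2.9", 3389), ("fe80:1001::1", 22)):
        print(dest, "tunnel" if g.tunnels(*dest) else "direct")
```

Running the parser over a proposed group before committing it on the appliance catches the inverted ranges, oversized port numbers and bare host addresses that the CLI rejects only with "fail to take effect".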

vpn resource groupitem appname <resource_group> <application_name> <executable_name> [hash]

This command is used to add an application resource item to the specified VPN resource group.

resource_group This parameter specifies the name of the VPN resource group. Its
value must be a string of 1 to 31 characters.

application_name This parameter specifies the application name. Its value must be a
string of 1 to 63 characters.

executable_name This parameter specifies the image name of the application. Its
value must be a case-sensitive string of 1 to 256 characters.

hash Optional. This parameter specifies the MD5 hash value of the
application. Its value must be a string of 1 to 32 characters.

If this parameter is specified, the SSL VPN client will verify the
MD5 hash value of the application. Packets can be sent through
the VPN tunnel only when the verification is successful.

The default value is “0”, indicating that any MD5 value of the
application is acceptable.

Note that the check is performed by the client on the end user's machine and that MD5 is
not collision-resistant, so a configured hash pins the version of the permitted executable;
it is not a strong control against a tampered client.

no vpn resource groupitem appname <resource_group> <application_name>

This command is used to delete an application resource item from the specified VPN resource
group.

show vpn resource groupitem appname [resource_group]


This command is used to display the application resource items for the specified VPN resource
group. If the “resource_group” parameter is not specified, application resource items of all VPN
resource groups will be displayed.

clear vpn resource groupitem appname [resource_group]

2000-2018 Array Networks, Inc.


229
All Rights Reserved.
Chapter 6 Access Method

This command is used to clear application resource items for the specified VPN resource group. If
the “resource_group” parameter is not specified, application resource items of all VPN resource
groups will be cleared.

vpn resource groupexcludeditem appname <resource_group> <application_name> <executable_name>

This command is used to add an application resource item to the exclude list for the specified
VPN resource group.

resource_group This parameter specifies the name of a VPN resource group. Its
value must be a string of 1 to 31 characters.

application_name This parameter specifies the application name. Its value must be a
string of 1 to 63 characters.

executable_name This parameter specifies the executable name. Its value must be a
string of 1 to 256 characters. This parameter is case-sensitive.

no vpn resource groupexcludeditem appname <resource_group> <application_name>

This command is used to delete an application resource item from the exclude list of the specified
VPN resource group.

show vpn resource groupexcludeditem appname [resource_group]


This command is used to display the list of excluded application resource items for the specified
VPN resource group. If the “resource_group” parameter is not specified, the lists of excluded
application resource items for all VPN resource groups will be displayed.

clear vpn resource groupexcludeditem appname [resource_group]


This command is used to clear the list of excluded application resource items for the specified
VPN resource group. If the “resource_group” parameter is not specified, the lists of excluded
application resource items for all VPN resource groups will be cleared.

Speed Tunnel
The system supports three types of VPN Tunnels: TCP tunnel, UDP tunnel and DTLS tunnel. By
default, the TCP tunnel will be established after the VPN is connected.

vpn speedtunnel port <port> [type]

This command is used to enable or disable the UDP or DTLS Speed Tunnel. If this command is
not configured, both the UDP and DTLS Speed Tunnels are disabled.

port This parameter specifies the listening port for the UDP or DTLS
Speed Tunnel. Its value must be an integer ranging from 0 to
65,535. 0 indicates that the UDP or DTLS Speed Tunnel is disabled.
1 to 65,535 indicates that the UDP or DTLS Speed Tunnel is
enabled and listens on the specified port.

type Optional. This parameter specifies the type of the Speed Tunnel. Its
value must be:

- 0: indicates the DTLS Speed Tunnel.

- 1: indicates the UDP Speed Tunnel.

The default value is 0.

vpn speedtunnel dispatch <mode>

This command is used to configure the default dispatch rule for VPN data, including TCP data
and UDP data. If this command is not configured, all VPN data goes through the TCP Tunnel.
This command takes effect only after both the TCP tunnel and the Speed Tunnel (UDP tunnel or
DTLS tunnel) are enabled.

mode This parameter specifies how the VPN data is dispatched. Its value
must be:

- 0: indicates that all VPN data goes through the TCP Tunnel.

- 1: indicates that TCP data goes through the TCP Tunnel and
UDP data goes through the Speed Tunnel.

- 2: indicates that TCP data goes through the Speed Tunnel and
UDP data goes through the TCP Tunnel.

- 3: indicates that all VPN data goes through the Speed Tunnel.

vpn speedtunnel encryption {on|off}

This command is used to enable or disable the encryption function for the UDP Speed Tunnel.
When the encryption function is enabled, the traffic sent through the UDP Speed Tunnel is
encrypted; otherwise, the traffic sent through the UDP Speed Tunnel is sent in plain text. By
default, this function is enabled. Turning it off exposes every packet dispatched to the UDP
Speed Tunnel to anyone on the network path, so leave it on unless the tunnel carries only traffic
that is already protected end to end.

dtls settings protocol <protocol>

This command is used to set the Datagram Transport Layer Security (DTLS) protocol version
used to encrypt the DTLS Speed Tunnel. If this command is not configured, DTLS version 1.0 is
used to encrypt the DTLS Speed Tunnel.

protocol This parameter specifies the DTLS protocol version used to encrypt
the DTLS Speed Tunnel. Its value must only be “DTLSv1”,
indicating DTLS version 1.0. DTLS 1.0 is the only version this
release offers and has since been deprecated (RFC 8996), which is
worth weighing when choosing between the DTLS Speed Tunnel
and the TCP tunnel.

2000-2018 Array Networks, Inc.


231
All Rights Reserved.
Chapter 6 Access Method

dtls settings ciphersuite <cipher_suite>

This command is used to set the cipher suite(s) for the DTLS Speed Tunnel.

If this command is already configured, this command can also be used to update the existing
cipher suite(s) set for the DTLS Speed Tunnel.

cipher_suite This parameter specifies the cipher suite(s) for the DTLS Speed
Tunnel. Its value must be “DES-CBC3-SHA”, “AES128-SHA” or
“AES256-SHA”. If multiple cipher suites are configured, they must
be separated by colons. “DES-CBC3-SHA” is 3DES, a 64-bit block
cipher that is deprecated for new deployments; list only the AES
suites unless a client that cannot negotiate AES must be supported.

show dtls settings


This command is used to display the DTLS settings for the virtual site.

For example:

vs(config)$show dtls settings


Vhost name: "vs"
Public Key Length: 2048 bit
DTLS version: DTLSv1
Ciphersuite: DES-CBC3-SHA:AES128-SHA:AES256-SHA

show statistics dtls


This command is used to display the DTLS connection and session statistics.

For example:

vs(config)$show statistics dtls


DTLS Connection Statistics for "vs"
Open DTLS connections :0
Accepted DTLS connections : 0
Requested DTLS connections : 0
5 minutes requested rate : 0 connections/sec

clear statistics dtls


This command is used to clear the DTLS connection and session statistics.

VPN Valid Code

vpn validcode <validcode>


This command is used to enable the valid code function and set the valid code for the virtual site.
When this function is enabled, only the standalone VPN client can be used to access the virtual
site, and the valid code passed from the standalone VPN client during authentication must be
identical to the valid code configured for the virtual site. If the two valid codes are not identical,
the user will fail the authentication and be rejected. The valid code is one static string shared by
every standalone client that connects to the site, so it gates which client software may connect;
it is not a user credential and does not replace user authentication.

validcode This parameter specifies the valid code. Its value must be a string of
8 to 32 characters.

no vpn validcode

This command is used to disable the valid code function and clear the valid code.

Mobile VPN

virtual site ipsec <virtual_site> <ip> [type]

This global command is used to create an IPSec service for the specified virtual site.

virtual_site This parameter specifies the existing virtual site name.

ip This parameter specifies the IP address of the virtual site.

type Optional. This parameter specifies the type of the IPSec service. Its
value must only be:

- “transport”: indicates that an L2TP over IPSec tunnel will be
established between the mobile client and AG.

- “tunnel”: indicates that an IPSec tunnel will be established
between the mobile client and AG. This type of tunnel is only
used by MotionPro virtual sites.

The default value is “tunnel”.

no virtual site ipsec <virtual_site> <ip>


This global command is used to delete the IPSec service of the specified virtual site.

show virtual site ipsec [virtual_site]


This global command is used to display the IPSec service of the specified virtual site. If the
“virtual_site” parameter is not specified, the IPSec services of all virtual sites will be displayed.

ipsec turbo {on|off}


This global command is used to enable or disable IPSec hardware acceleration. The system must
be restarted for this command to take effect. Please save the configuration by executing the “write
memory” command before restarting. By default, IPSec hardware acceleration is disabled.

For Mobile VPN, IPSec (transport mode) is in charge of providing security protection for the
tunnel packets. As data encryption is a high CPU-load task, the hardware acceleration card for
IPSec encryption is required.

Note: If IPSec hardware acceleration is enabled, half of the acceleration card's computing
resources are devoted to IPSec. The performance of Mobile VPN will therefore improve, while
that of SSL VPN may be affected.

show ipsec turbo


This global command is used to display the status of IPSec hardware acceleration.

clear virtual site ipsec [virtual_site]


This global command is used to delete the IPSec service of the specified virtual site. If the
“virtual_site” parameter is not specified, IPSec services of all virtual sites will be cleared.

show ipsec config


This global command is used to display global IPSec configurations.

clear ipsec config


This global command is used to clear global IPSec configurations.

show statistics ipsec [type]


This global command is used to display the IPSec statistics.

type Optional. This parameter specifies the type of the IPSec statistics to
be displayed. Its value must only be:

- “ipsec”: indicates that only the IPSec statistics will be displayed.

- “esp”: indicates that only the Encapsulating Security Payload statistics will be displayed.

- “sa”: indicates that only the Security Association statistics will be displayed.

- “sp”: indicates that only the Security Policy statistics will be displayed.

- “all”: indicates that all IPSec statistics will be displayed.

The default value is “all”.

clear statistics ipsec


This global command is used to clear all IPSec statistics.

Please note that the following commands can be executed only under the virtual site scope.

ipsec ikephase1 proposal <proposal_id>

2000-2018 Array Networks, Inc.


234
All Rights Reserved.
Chapter 6 Access Method

This command is used to create an IPSec Phase1 proposal. To start the IPsec service, at least one
IPSec Phase1 proposal must be configured.

proposal_id This parameter specifies the ID of the IPSec Phase1 proposal. Its
value must only be 1, 2, 3, or 4.

no ipsec ikephase1 proposal <proposal_id>


This command is used to delete the specified IPSec Phase1 proposal and associated
configurations.

show ipsec ikephase1 proposal


This command is used to display all IPSec Phase1 proposals and associated configurations.

ipsec ikephase1 psk [psk]


This command is used to set the IPSec pre-shared key in IPSec Phase1 negotiation. If this
command is not configured, the default IPSec pre-shared key in IPSec Phase1 negotiation is
“presharedkey”.

psk Optional. This parameter specifies the IPSec pre-shared key. Its
value must be a string of 1 to 16 characters. The default value is
“presharedkey”.

show ipsec ikephase1 psk


This command is used to display the IPSec pre-shared key in IPSec Phase1 negotiation.

ipsec ikephase1 encryption <proposal_id> <algorithm>


This command is used to set the IPSec Phase1 encryption algorithm for the specified IPSec
Phase1 proposal. After an IPSec Phase1 proposal is created, the default encryption algorithm
“aes” will be set for this IPSec Phase1 proposal.

proposal_id This parameter specifies the ID of the pre-defined IPSec Phase1
proposal.

algorithm This parameter specifies the algorithm used for IPSec Phase1
encryption. Its value must only be “3des” or “aes”.

ipsec ikephase1 hash <proposal_id> <algorithm>


This command is used to set the IPSec Phase1 Hash algorithm for the specified IPSec Phase1
proposal. After an IPSec Phase1 proposal is created, the default Hash algorithm “sha1” will be set
for this IPSec Phase1 proposal.

proposal_id This parameter specifies the ID of the pre-defined IPSec Phase1
proposal.

algorithm This parameter specifies the algorithm used for IPSec Phase1 Hash.
Its value must only be “md5” or “sha1”.

ipsec ikephase1 dhgroup <proposal_id> [group_number]


This command is used to define the group used for Diffie–Hellman exponentiations for the
specified IPSec Phase1 proposal. After an IPSec Phase1 proposal is created, the default group
“modp1024” used for Diffie–Hellman exponentiations will be set for this IPSec Phase1 proposal.

proposal_id This parameter specifies the ID of the pre-defined IPSec Phase1
proposal.

group_number Optional. This parameter specifies the group used for
Diffie–Hellman exponentiations. Its value must only be
“modp768”, “modp1024”, “modp1536”, “modp2048”,
“modp3072”, “modp4096”, “modp6144”, or “modp8192”. The
default value is “modp1024”.

ipsec expiretime phase1 [time]


This global command is used to set the maximum time allowed for completing the IPSec Phase1
negotiation.

time Optional. This parameter specifies the maximum time allowed for
completing the IPSec Phase1 negotiation. Its value must be an
integer ranging from 1 to 3600, in seconds. The default value is 15.

show ipsec expiretime phase1


This global command is used to display the maximum time allowed for completing the IPSec
Phase1 negotiation.

ipsec ikephase2 pfsgroup [group_number]


This command is used to define the group used for the Diffie–Hellman exponentiations in the
IPSec Phase2 negotiation. If this command is not configured, the default group used for the
Diffie–Hellman exponentiations in IPSec Phase2 negotiation is “modp1024”.

group_number Optional. This parameter specifies the group used for
Diffie–Hellman exponentiations. Its value can only be “modp768”,
“modp1024”, “modp1536”, “modp2048”, “modp3072”,
“modp4096”, “modp6144”, or “modp8192”. The default value is
“modp1024”.

2000-2018 Array Networks, Inc.


236
All Rights Reserved.
Chapter 6 Access Method

ipsec ikephase2 encryption <algorithm>


This command is used to set the IPSec Phase2 encryption algorithm in the IPSec Phase2
negotiation. If this command is not configured, the default IPSec Phase2 encryption algorithm in
IPSec Phase2 negotiation is “all”, which includes both algorithms “3des” and “aes”.

algorithm This parameter specifies the algorithm used for IPSec Phase2
encryption. Its value must only be “3des”, “aes” or “all”.

ipsec ikephase2 authentication <algorithm>


This command is used to set the IPSec Phase2 authentication algorithm in the IPSec Phase2
negotiation. If this command is not configured, “hmac_sha1” will be used.

algorithm This parameter specifies the algorithm used for IPSec Phase2
authentication. Its value must only be “hmac_md5”, “hmac_sha1”
or “all”.

show ipsec ikephase2 config


This command is used to display IPSec Phase2 configurations.

ipsec expiretime phase2 [time]


This global command is used to set the maximum time allowed for completing the IPSec Phase2
negotiation.

time Optional. This parameter specifies the maximum time allowed for
completing the IPSec Phase2 negotiation. Its value must be an
integer ranging from 1 to 3600, in seconds. The default value is 10.

show ipsec expiretime phase2


This global command is used to display the maximum time allowed for completing the IPSec
Phase2 negotiation.

ipsec certificate activate server [cert_index]


This command is used to activate an imported IPSec certificate on the server side.

cert_index Optional. This parameter specifies the index of the certificate to be
activated. Its value must be 1, 2 or 3.

The certificate to be activated is generated by the “ssl csr”
command or imported using the “ssl import certificate” command.

The index can be obtained using the “show ssl certificate”
command.

The default value is 1.

no ipsec certificate activate server


This command is used to deactivate the activated IPSec certificate on the server side.

ipsec certificate activate rootca [cert_number]


This command is used to activate an imported IPSec trusted CA certificate.

cert_number Optional. This parameter specifies the serial number of the trusted
CA certificate to be activated. Its value must be an integer ranging
from 0 to 4,294,967,295.

The certificate to be activated is imported using the “ssl import
rootca” command.

The index can be obtained using the “show ssl rootca” command.

The default value is 0, indicating the default root CA certificate.

no ipsec certificate activate rootca


This command is used to deactivate the activated IPSec trusted CA certificate.

ipsec certificate activate interca <cert_index>


This command is used to activate one or more imported IPSec intermediate CA certificates.

cert_index This parameter specifies the index (or indexes) of the intermediate CA
certificate(s) to be activated. Its value must be a string of 1 to 128
characters. To activate more than one intermediate CA certificate,
separate the indexes with commas “,”.

The certificate to be activated is imported using the “ssl import
interca” command.

The index can be obtained using the “show ssl interca” command.

no ipsec certificate activate interca


This command is used to deactivate the activated IPSec intermediate CA certificates.

show ipsec certificate


This command is used to display the IPSec certificate configurations.

ipsec natt {on|off}

2000-2018 Array Networks, Inc.


238
All Rights Reserved.
Chapter 6 Access Method

This command is used to enable or disable the NAT traversal (NAT-T) function, which is needed
when a NAT device sits between the mobile client and AG. By default, this function is enabled.

ipsec natt force


This command is used to forcibly enable NAT-T function.

show ipsec natt status


This command is used to display the NAT-T status.

ipsec natt keepalive [interval]


This global command is used to set the interval of sending NAT-T keep-alive packets.

interval Optional. This parameter specifies the interval of sending NAT-T
keep-alive packets, in seconds. Its value must be an integer ranging
from 5 to 3600. The default value is 20.

show ipsec natt keepalive


This global command is used to display the interval of sending NAT-T keep-alive packets.

ipsec profilename <name>


This command is used to create the iOS configuration profile.

name This parameter specifies the name of the iOS configuration profile.
Its value must be a string of 1 to 32 characters.

no ipsec profilename
This command is used to delete the iOS configuration profile.

show ipsec profilename


This command is used to display the iOS configuration profile.

ipsec tunnel vod <domain> <mode>


This command is used to add a VPN on Demand (VOD) domain. This command works only for
iOS Mobile Client.

domain This parameter specifies the domain name. Its value must be a
string of 1 to 64 characters.

mode This parameter specifies the mode of the domain. Its value must
only be “always”, “never” or “onretry”.

- “always”: indicates that the IPSec VPN will be started by accessing the domain.
- “never”: indicates that the IPSec VPN will not be started by accessing the domain.
- “onretry”: indicates that the IPSec VPN will be started only when the domain cannot be
resolved via local DNS.

no ipsec tunnel vod <domain>


This command is used to delete the specified VOD domain.

show ipsec tunnel vod


This command is used to display the IPSec VOD domain configurations.

clear ipsec tunnel vod


This command is used to clear the IPSec VOD domain configurations.

ipsec tunnel splitdns <domain>


This command is used to add a DNS domain name that will be resolved by the DNS server for the
split IPSec tunnel. After this command is configured, only domains added to the split IPSec tunnel
will be resolved by the DNS server. If the “dns useglobal on” command is configured, the global
DNS servers will be used to resolve DNS domains added to the split IPSec tunnel; otherwise, the
site DNS servers will be used.

domain This parameter specifies the domain name. Its value must be a
string of 1 to 64 characters.

no ipsec tunnel splitdns <domain>


This command is used to delete the specified DNS domain name for the split IPSec tunnel.

show ipsec tunnel splitdns


This command is used to display the DNS configurations for the split IPSec tunnel.

clear ipsec tunnel splitdns


This command is used to clear the DNS configurations for the split IPSec tunnel.

ipsec tunnel deviceauth <auth_method>


This command is used to set the device authentication method.

auth_method This parameter specifies the device authentication method. Its value
must only be “psk” or “certificate”.

ipsec lifetime [time]

2000-2018 Array Networks, Inc.


240
All Rights Reserved.
Chapter 6 Access Method

This command is used to set the IPSec tunnel lifetime. The IPsec tunnel will be disconnected after
this IPSec tunnel lifetime expires. If this command is not configured, the default IPSec tunnel
lifetime is 3000 seconds.

time Optional. This parameter specifies the IPSec tunnel lifetime in
seconds. Its value must be an integer ranging from 60 to 3540. The
default value is 3000.

show ipsec lifetime


This command is used to display the configurations of the IPSec tunnel lifetime.

show ipsec tunnel config


This command is used to display the configurations of the IPSec tunnel.

ipsec {start|stop}
This command is used to start or stop IPSec services for the virtual site. Before starting the IPSec
services, create an IPSec Phase1 proposal using the “ipsec ikephase1 proposal” command first.

show ipsec status


This command is used to display the status (start or stop) of IPSec services for the virtual site.

aaa method l2tp <method_name>


This command is used to set an AAA method for clients using the “transport” IPSec service.

method_name This parameter specifies the name of an existing AAA method.

no aaa method l2tp


This command is used to delete the AAA method configured for clients using the “transport”
IPSec service.

show aaa method l2tp


This command is used to display the AAA method for clients using the “transport” IPSec service.

aaa method ipsec <method_name>


This command is used to set the AAA method for clients using the IPSec service.

If this command is already configured, it can also be used to modify the AAA method for clients
using the IPSec service.

method_name This parameter specifies the name of an existing AAA method.

no aaa method ipsec


This command is used to delete the AAA method for clients using the IPSec service.

2000-2018 Array Networks, Inc.


241
All Rights Reserved.
Chapter 6 Access Method

show aaa method ipsec


This command is used to display the AAA method for clients using the IPSec service.

show ipsec config


This command is used to display site IPSec configurations.

clear ipsec config


This command is used to clear site IPSec configurations.
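The Phase1/Phase2 commands above carry several defaults a reviewer would want to catch (the factory pre-shared key “presharedkey”, the modp1024 group, and Phase2 “all” admitting 3DES). As an added example, not Array code, the following Python script parses a site's “ipsec …” command lines as typed and lists such findings; the sample configuration is constructed, and treating groups below modp2048 as weak is the reviewer's own assumption, not a handbook statement.

```python
"""Audit a virtual site's IPSec configuration (the site-scope 'ipsec ...' commands).

The defaults applied when a command is absent are the ones the handbook states:
a new Phase1 proposal gets aes / sha1 / modp1024, Phase2 falls back to
encryption 'all', authentication 'hmac_sha1' and pfsgroup 'modp1024', and the
pre-shared key stays 'presharedkey' until 'ipsec ikephase1 psk' sets another one.
"""

PHASE1_DEFAULTS = {"encryption": "aes", "hash": "sha1", "dhgroup": "modp1024"}
PHASE2_DEFAULTS = {"encryption": "all", "authentication": "hmac_sha1", "pfsgroup": "modp1024"}
DEFAULT_PSK = "presharedkey"
# Reviewer's threshold (an assumption, not a handbook value): MODP groups under 2048 bits.
WEAK_DH = {"modp768", "modp1024", "modp1536"}

# Constructed sample: proposal 1 left at its defaults, proposal 2 explicitly weakened,
# factory PSK still in place and PSK selected as the device authentication method.
SAMPLE_CONFIG = """\
ipsec ikephase1 proposal 1
ipsec ikephase1 proposal 2
ipsec ikephase1 encryption 2 3des
ipsec ikephase1 hash 2 md5
ipsec ikephase1 dhgroup 2 modp768
ipsec ikephase2 encryption all
ipsec ikephase2 authentication hmac_sha1
ipsec ikephase2 pfsgroup modp2048
ipsec lifetime 3000
ipsec tunnel deviceauth psk
"""


def parse_site_config(text):
    """Return the effective IPSec settings of one virtual site as a dict."""
    cfg = {"proposals": {}, "phase2": dict(PHASE2_DEFAULTS), "psk": DEFAULT_PSK,
           "lifetime": 3000, "deviceauth": None}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "ipsec":
            continue  # not a command modelled here (e.g. 'ipsec start')
        sub = parts[1]
        if sub == "ikephase1":
            if parts[2] == "proposal":
                cfg["proposals"].setdefault(parts[3], dict(PHASE1_DEFAULTS))
            elif parts[2] == "psk":
                # 'ipsec ikephase1 psk' without an argument keeps the factory key
                cfg["psk"] = parts[3] if len(parts) > 3 else DEFAULT_PSK
            elif parts[2] in PHASE1_DEFAULTS:
                # encryption / hash / dhgroup <proposal_id> <value>
                cfg["proposals"].setdefault(parts[3], dict(PHASE1_DEFAULTS))[parts[2]] = parts[4]
        elif sub == "ikephase2" and parts[2] in PHASE2_DEFAULTS:
            cfg["phase2"][parts[2]] = parts[3]
        elif sub == "lifetime":
            cfg["lifetime"] = int(parts[2])
        elif sub == "tunnel" and parts[2] == "deviceauth":
            cfg["deviceauth"] = parts[3]
    return cfg


def audit(cfg):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if cfg["deviceauth"] != "certificate" and cfg["psk"] == DEFAULT_PSK:
        findings.append("psk: factory pre-shared key 'presharedkey' still in use")
    if not cfg["proposals"]:
        findings.append("phase1: no proposal configured; at least one is required before 'ipsec start'")
    for pid, p in sorted(cfg["proposals"].items()):
        if p["encryption"] == "3des":
            findings.append(f"phase1 proposal {pid}: 3DES encryption")
        if p["hash"] == "md5":
            findings.append(f"phase1 proposal {pid}: MD5 hash")
        if p["dhgroup"] in WEAK_DH:
            findings.append(f"phase1 proposal {pid}: DH group {p['dhgroup']} is below modp2048")
    p2 = cfg["phase2"]
    if p2["encryption"] in ("3des", "all"):
        findings.append(f"phase2: 3DES permitted by encryption '{p2['encryption']}'")
    if p2["authentication"] in ("hmac_md5", "all"):
        findings.append(f"phase2: HMAC-MD5 permitted by authentication '{p2['authentication']}'")
    if p2["pfsgroup"] in WEAK_DH:
        findings.append(f"phase2: PFS group {p2['pfsgroup']} is below modp2048")
    return findings


if __name__ == "__main__":
    for line in audit(parse_site_config(SAMPLE_CONFIG)):
        print(line)
```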

Site2Site VPN
The Site2Site VPN function is provided to establish the L3VPN tunnel between the spokes and
hub (AG). In the Site2Site function, the AG or vxAG appliance functions as the hub (VPN server)
and a physical or virtual CentOS 7 host with the Site2Site VPN client installed functions as the
spoke. A spoke uses a LocalDB account (configured using the “localdb account” command) to
establish the Site2Site VPN tunnel with the hub. The LocalDB account IP configured for the
LocalDB account using the “localdb ip account” command will be used as the tunnel IP for the
spoke.

The Site2Site VPN function shares certain concepts with the L3VPN; please refer to the AG 9.3 User
Guide for usage guidelines of Site2Site VPN.

vpn site2site {on|off}


This command is used to enable or disable the Site2Site VPN function. With this function enabled,
the AG or vxAG appliance functions as the hub (VPN server) and the Site2Site VPN tunnel can be
established between the spoke and the hub. Clients on the subnets of this spoke can access the
subnets of the hub securely through the Site2Site VPN tunnel. By default, this function is disabled.

Note:

- The Site2Site VPN tunnel should be an always-on tunnel. Therefore, the session
lifetime timeout value (configured via the “session timeout lifetime” command)
should be set to the maximum value (94,608,000).
- For the same virtual site, the Site2Site VPN function cannot be used together with the
L3VPN function.

vpn site2site forward <subnet_ip> <netmask> <tunnel_ip> [virtual_subnet_ip] [virtual_subnet_netmask]


This command is used to add a spoke or hub subnet to the Site2Site VPN. All these subnets will
constitute a virtual private network (VPN).

To avoid IP conflicts between spoke subnets and hub subnets, you can configure virtual subnets
for spoke subnets or hub subnets using the “virtual_subnet_ip” and “virtual_subnet_netmask”
parameters. In this way, the virtual subnets will be added to the Site2Site VPN in place of the real

2000-2018 Array Networks, Inc.


242
All Rights Reserved.
Chapter 6 Access Method

spoke subnets or hub subnets. The mappings between the spoke subnets or hub subnets and virtual
subnets will also be used by spokes to translate the spoke subnet IPs or hub subnet IPs in the
packets to the virtual subnet IPs. Note that only the network portion of the IPs is translated and the
host portion is kept unchanged.

subnet_ip This parameter specifies the IPv4 address of the spoke subnet or
hub subnet.

netmask This parameter specifies the netmask of the spoke subnet or hub
subnet. Its value must be given in dotted decimal notation.

tunnel_ip This parameter specifies the IPv4 address assigned to the Site2Site
VPN tunnel.

- For the spoke subnet, the value of this parameter should be the same as one of the
LocalDB account IPs configured using the “localdb ip account” command.
- For the hub subnet, the value should be set to “0.0.0.0”.

virtual_subnet_ip Optional. This parameter specifies the IPv4 address of the virtual
subnet.

Note: The virtual subnet should not be the same as any spoke or
hub subnet.

virtual_subnet_netmask Optional. This parameter specifies the netmask of the virtual
subnet. Its value must be given in dotted decimal notation.

no vpn site2site forward <subnet_ip> <netmask> <tunnel_ip>


This command is used to delete a subnet from the Site2Site VPN.

show vpn site2site forward


This command is used to display all subnets in the Site2Site VPN.

clear vpn site2site forward


This command is used to clear all subnets from the Site2Site VPN.
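The following Python model of the forwarding table is an added example, not Array code: it applies the translation the “vpn site2site forward” command describes (network portion replaced by the virtual subnet, host portion kept) and enforces the note that a virtual subnet must not equal any spoke or hub subnet. The subnets and tunnel IPs are constructed; 10.8.0.2 and 10.8.0.3 stand for LocalDB account IPs.

```python
"""Model of the 'vpn site2site forward' mapping.

Each entry is a spoke or hub subnet, the tunnel IP it belongs to, and an
optional virtual subnet that stands in for it inside the VPN. When a
virtual subnet is configured, only the network portion of an address is
rewritten; the host portion is preserved.
"""
import ipaddress

HUB_TUNNEL_IP = "0.0.0.0"  # the handbook's convention for hub-side subnets


class Site2SiteForwardTable:
    def __init__(self):
        self.entries = []  # (real_subnet, tunnel_ip, virtual_subnet or None)

    def add(self, subnet_ip, netmask, tunnel_ip,
            virtual_subnet_ip=None, virtual_subnet_netmask=None):
        real = ipaddress.ip_network(f"{subnet_ip}/{netmask}", strict=False)
        virtual = None
        if virtual_subnet_ip is not None:
            virtual = ipaddress.ip_network(
                f"{virtual_subnet_ip}/{virtual_subnet_netmask}", strict=False)
            if virtual.prefixlen != real.prefixlen:
                raise ValueError("virtual subnet must use the same netmask as the real subnet")
        # Handbook note: a virtual subnet must not be the same as any spoke or hub subnet.
        reals = [r for r, _, _ in self.entries] + [real]
        virtuals = [v for _, _, v in self.entries if v is not None]
        if virtual is not None:
            virtuals.append(virtual)
        for v in virtuals:
            if v in reals:
                raise ValueError(f"virtual subnet {v} collides with a real spoke/hub subnet")
        self.entries.append((real, tunnel_ip, virtual))

    def translate(self, tunnel_ip, ip):
        """Address 'ip' of the site behind 'tunnel_ip' as it appears inside the VPN."""
        addr = ipaddress.ip_address(ip)
        for real, tun, virtual in self.entries:
            if tun != tunnel_ip or addr not in real:
                continue
            if virtual is None:
                return str(addr)  # no virtual subnet: forwarded unchanged
            host_bits = int(addr) & int(real.hostmask)
            return str(ipaddress.ip_address(int(virtual.network_address) | host_bits))
        raise LookupError(f"{ip} is not in a subnet forwarded for tunnel {tunnel_ip}")


def build_sample_table():
    """Constructed sample: two spokes whose LANs both use 192.168.1.0/24 (the IP
    conflict the virtual subnets are meant to solve) and one hub subnet that is
    forwarded unchanged. The tunnel IPs stand for LocalDB account IPs."""
    t = Site2SiteForwardTable()
    t.add("192.168.1.0", "255.255.255.0", "10.8.0.2", "10.100.1.0", "255.255.255.0")
    t.add("192.168.1.0", "255.255.255.0", "10.8.0.3", "10.100.2.0", "255.255.255.0")
    t.add("172.16.0.0", "255.255.0.0", HUB_TUNNEL_IP)
    return t


if __name__ == "__main__":
    table = build_sample_table()
    print(table.translate("10.8.0.2", "192.168.1.25"))  # spoke 1 host seen as 10.100.1.25
    print(table.translate("10.8.0.3", "192.168.1.25"))  # same LAN address on spoke 2
```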

HTTP Setting Commands


http buffer nomsglen {on|off}
This global command is used to enable or disable the function of caching non-RFC compliant
responses. After this function is enabled, the appliance will cache the responses that do not
possess an “end of response” HTTP message length indicator before forwarding the response to
the client. By default, this function is enabled. Please contact Array customer support before
disabling this function.

show http buffer nomsglen


This global command is used to display the status of the function of caching the responses that do
not possess an “end of response” HTTP message length indicator.

http serverconnreuse {on|off}


This global command is used to enable or disable the function of reusing server connections to the
backend servers for multiple transactions. By default, this function is enabled.

show http serverconnreuse


This global command is used to display the status of the function of reusing server connections to
the backend servers for multiple transactions.

clear http serverconnreuse


This global command is used to restore the function of reusing server connections to the backend
servers for multiple transactions.

http serverpersist {on|off}


This global command is used to enable or disable the function of keeping persistent connections to
the backend servers. By default, this function is enabled.

show http serverpersist


This global command is used to display the status of the function of keeping persistent
connections to the backend servers.

clear http serverpersist


This global command is used to restore the function of keeping persistent connections to the
backend servers.

http shuntreset {on|off}


This global command is used to enable or disable the function of terminating non-reusable server
connections by sending RST packets. After this function is enabled, the appliance will send RST
packets to terminate non-reusable server connections. When this function is disabled, the
appliance closes server connections only after receiving FIN packets. By default, this function is
disabled.

show http shuntreset


This global command is used to display the status of handling non-reusable server connections.

http mask via {on|off}


This global command is used to enable or disable the function of hiding proxy information from
clients. After this function is enabled, the appliance will remove the “Via” header from the
responses to clients, so that the clients are unaware of the proxy process on the appliance. By
default, this function is disabled.

http mask server {on|off}


This global command is used to enable or disable the function of hiding backend server
information from clients. After this function is enabled, the appliance will remove the “Server”
header from the responses to clients. By default, this function is disabled.

show http mask


This global command is used to display the status of the function of hiding backend server
information and proxy information from clients.

show http config


This global command is used to display all global HTTP Proxy configurations.

clear http config


This global command is used to reset all global HTTP Proxy configurations to the default values.

The following commands should be executed in the virtual site scope.

http redirect insecure


This command is used to enable redirecting of HTTP requests to HTTPS.

no http redirect insecure


This command is used to disable redirecting of HTTP requests to HTTPS.

show http redirect insecure


This command is used to display the status of redirecting of HTTP requests to HTTPS.

http redirect nocookie <url> [org_url_field]


This command is used to enable redirecting of HTTP requests without valid session cookies to the
specified URL.

url This parameter specifies the URL to which requests will be
redirected. Its value must be a string of 1 to 900 characters in the
format of “scheme://host/path”.

org_url_field Optional. This parameter specifies the field name of the URL to be
passed to the redirection URL. Its value must be a string of 1 to 16
characters. The default value is empty.

no http redirect nocookie


This command is used to disable redirecting of HTTP requests without valid session cookies to the
specified URL.

2000-2018 Array Networks, Inc.


245
All Rights Reserved.
Chapter 6 Access Method

show http redirect nocookie


This command is used to display the configuration for redirecting of HTTP requests without valid
session cookies to the specified URL.

http xforwardedfor off


This command is used to disable the function of inserting the “X-Forwarded-For” header into
HTTP requests.

http xforwardedfor on [mode] [custom_name]


This command is used to enable the function of inserting the “X-Forwarded-For” header into
HTTP requests. The “X-Forwarded-For” header contains the IP address of the client who
originated the request. After this function is enabled, the appliance will transfer client IP addresses
to backend servers. If an HTTP request already contains an “X-Forwarded-For” header, the AG
appliance will insert an additional one. By default, this function is disabled.

mode Optional. This parameter specifies the mode of transferring client IP
addresses. Its value must be:

- header: indicates that an HTTP header will be inserted to transfer the client IP address.
- url: indicates that a URL query string will be inserted to transfer the client IP address.
- cookie: indicates that an HTTP cookie will be inserted to transfer the client IP address.
- all: indicates all of the methods above.

The default value is “header”.

custom_name Optional. This parameter specifies the customized name for the
client IP address in the inserted HTTP header, URL query string, or
HTTP cookie. Its value must be a string of 1 to 32 characters.

The default value is “X-Forwarded-For”.

show http xforwardedfor


This command is used to display the configurations of inserting the “X-Forwarded-For” header
into HTTP requests.

http xclientcert cert [header_name] [mode] [certificate_type]


This command is used to insert the client certificate into HTTP requests sent to the backend
server.

2000-2018 Array Networks, Inc.


246
All Rights Reserved.
Chapter 6 Access Method

header_name Optional. This parameter specifies the customized name for the
HTTP header used to transfer the client certificate to the backend
server. Its value must be a string of 1 to 128 characters. The default
value is “X-Client-Cert:”.

mode Optional. This parameter specifies the mode of inserting the client
certificate into HTTP requests. Its value must be:

- “header”: indicates that an HTTP header will be inserted to transfer the client certificate.
- “cookie”: indicates that an HTTP cookie will be inserted to transfer the client certificate.

The default value is “header”.

certificate_type Optional. This parameter specifies the encoding format of the client
certificate content. Its value must be:

- PEM: indicates that the appliance encodes the certificate content using OpenSSL, which
has the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines. Every 64
bits of the encoded certificate content is separated using “;”.
- body: indicates that the appliance encodes the certificate content using Base64.

The default value is “body”.

Note: This function works for QuickLink only when the Client Authentication function is
enabled.

no http xclientcert cert


This command is used to delete the configuration of inserting the client certificate into HTTP
requests sent to the backend server.

show http xclientcert cert


This command is used to display the configuration of inserting the client certificate into HTTP
requests sent to the backend server.

http xclientcert plaintext <mode> <field_name> [customized_name] [format_opt]


This command is used to insert the specified certificate field into HTTP requests sent to the
backend server.

2000-2018 Array Networks, Inc.


247
All Rights Reserved.
Chapter 6 Access Method

mode This parameter specifies the mode of transferring the certificate
field to the backend server. Its value must be:

- header: inserts an HTTP header to transfer the certificate field.
- url: inserts a URL query string to transfer the certificate field.
- cookie: inserts an HTTP cookie to transfer the certificate field.
- all: indicates all of the three modes above.

field_name This parameter specifies the standard name of the certificate field.
Its value must be:

- “Subject”: transfers the subject DN of a client certificate to the backend server.
- “Issuer”: transfers the issuer DN of a client certificate to the backend server.
- “Validity”: transfers the certificate’s period of validity to the backend server. Its
format is “From <NotBefore> To <NotAfter>”. For example, “From Dec 19 5:54:42 2007 GMT
To Dec 19 5:54:42 2008 GMT”.
- “Serial”: transfers the certificate’s serial number to the backend server.
- “NotBefore”: transfers the certificate’s start date to the backend server.
- “NotAfter”: transfers the certificate’s expiry date to the backend server.
- “CommonName”: transfers the certificate’s subject common name to the backend server.
- “PublicKey”: transfers the public key of the certificate to the backend server. The public
key is transferred in HEX mode. For example, the public key “0x00 0x43 0x78 0xed” is
transferred to the backend server in the form of “00 43 78 ed”. When the field name is
specified as “PublicKey”, only the public key modulus is sent to the backend server.
- RDN: transfers the content specified by RDN to the backend server. RDN must be defined in
the format of “<scope>.<symbol or OID>” or “<OID expression>”. For information about the
value of “scope” and “symbol”, see the following tables.

The parameter value is case-insensitive.

For “scope”:

Scope          Description
Subject        The value of the symbol or specific OID will be searched in the client
               certificate’s subject DN.
Issuer         The value of the symbol or specific OID will be searched in the client
               certificate’s issuer DN.
Ext            The value of the symbol or specific OID will be searched in the client
               certificate’s external field. The client certificate must be in the SSL v2.0
               or SSL v3.0 version.
OID or <null>  The value of the specific OID will be searched in the client certificate’s
               TBS (To Be Signed).

For “symbol”:

Symbol            OID                          Standard Name
C                 2.5.4.6                      Country Name
ST                2.5.4.8                      State or Province Name
L                 2.5.4.7                      Locality Name
O                 2.5.4.10                     Organization Name
OU                2.5.4.11                     Organizational Unit
CN                2.5.4.3                      Common Name
SN                2.5.4.5                      Serial Number
dnQualifier       2.5.4.46                     DN Qualifier
Pseudonym         2.5.4.65                     Pseudonym
Title             2.5.4.12                     Title
GQ                2.5.4.44                     Generation Qualifier
Initials          2.5.4.43                     Initials
Name              2.5.4.41                     Name
givenName         2.5.4.42                     Given Name
Surname           2.5.4.4                      Surname
DC                0.9.2342.19200300.100.1.25   Domain Component
emailAddress      1.2.840.113549.1.9.1         Email Address
{OID expression}  OID information, for example: 1.2.3.4

Note: When there is more than one value to the same symbol in a specific scope, the
appliance will transfer all of them to the backend server, and one digital number will be
appended to the customized name from the second symbol. The digital number is increased
from 1.

The following commands are an example:

AN(config)#http xclientcert plaintext cookie Subject.OU OU positive
AN(config)#http xclientcert plaintext header Subject.2.5.4.11 2.5.4.11 positive

If the client certificate has the following subject DN (“OU” in the scope of “subject” has two
values: “Dev” and “AG”):

C=CN, ST=Beijing, L=Beijing, O=ArrayNetworks Inc., OU=Dev, OU=AG, CN=abc,
emailAddress=abc@arraynetworks.com

Then the backend server will receive the following cookie and headers (the integer “1” is added
after the second customized name “OU”):

2.5.4.11: Dev
2.5.4.111: AG
Cookie: OU=Dev, OU1=AG

customized_name Optional. This parameter specifies a customized name for the
certificate field to be inserted into the HTTP header, URL query
string, or HTTP cookie. If this parameter is not specified, the value
of the “field_name” parameter will be used as the customized name.

format_opt Optional. This parameter specifies the format of the certificate field
forwarded to the backend server. Its value is case-insensitive.

When the “field_name” parameter is set to “Subject” or “Issuer”, the
“format_opt” parameter defines the order for transferring the
certificate field. Its value must be:

- positive: The transfer starts from the smallest to the largest scope. (See the following
example.)
- reverse: The transfer starts from the largest to the smallest scope.
- original: The transfer follows the sequence as parsed from the client certificate.

The scopes are ordered as follows, from the smallest (top) to the largest (bottom);
“positive” transfers them top to bottom and “reverse” bottom to top:

Surname
Given Name
Name
Initials
Generation Qualifier
Serial Number
Email Address
Common Name
Title
Pseudonym
DN Qualifier
Organization Unit
Organization
Locality
State Or Province
Domain Component
Country

Assuming that the Subject DN field of a client certificate is
“C=CN,O=Array,OU=AG,ST=BJ,CN=abc,EmailAddress=abc@arraynetworks.com” and the
“field_name” parameter is set to “subject”:

- If the “format_opt” parameter is set to “positive”, the Subject DN field will be
transferred in the following order:
EmailAddress=abc@arraynetworks.com,CN=abc,OU=AG,O=Array,ST=BJ,C=CN
- If the “format_opt” parameter is set to “reverse”, the Subject DN field will be
transferred in the following order:
C=CN,ST=BJ,O=Array,OU=AG,CN=abc,EmailAddress=abc@arraynetworks.com
- If the “format_opt” parameter is set to “original”, the Subject DN field will be
transferred in the following order:
C=CN,O=Array,OU=AG,ST=BJ,CN=abc,EmailAddress=abc@arraynetworks.com
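As an added example, not Array code, the Python below reproduces the ordering of the three “format_opt” values and the numbered customized names of the earlier “Subject.OU” example, using the handbook's own scope list, symbol/OID table and sample DNs; DN values containing commas are not handled, and only the Subject scope is modelled.

```python
"""Subject DN ordering and duplicate-field naming as 'http xclientcert plaintext'
applies them before a certificate field is forwarded to the backend server."""

# Scope list from the handbook, smallest scope first (lower-cased symbols).
SCOPE_ORDER = ["surname", "givenname", "name", "initials", "gq", "sn", "emailaddress", "cn",
               "title", "pseudonym", "dnqualifier", "ou", "o", "l", "st", "dc", "c"]
RANK = {sym: i for i, sym in enumerate(SCOPE_ORDER)}

# Symbol/OID table from the handbook.
SYMBOL_OID = {"c": "2.5.4.6", "st": "2.5.4.8", "l": "2.5.4.7", "o": "2.5.4.10", "ou": "2.5.4.11",
              "cn": "2.5.4.3", "sn": "2.5.4.5", "dnqualifier": "2.5.4.46", "pseudonym": "2.5.4.65",
              "title": "2.5.4.12", "gq": "2.5.4.44", "initials": "2.5.4.43", "name": "2.5.4.41",
              "givenname": "2.5.4.42", "surname": "2.5.4.4",
              "dc": "0.9.2342.19200300.100.1.25", "emailaddress": "1.2.840.113549.1.9.1"}
OID_SYMBOL = {oid: sym for sym, oid in SYMBOL_OID.items()}

# The handbook's two example subject DNs.
SUBJECT_A = "C=CN,O=Array,OU=AG,ST=BJ,CN=abc,EmailAddress=abc@arraynetworks.com"
SUBJECT_B = ("C=CN, ST=Beijing, L=Beijing, O=ArrayNetworks Inc., OU=Dev, OU=AG, CN=abc, "
             "emailAddress=abc@arraynetworks.com")


def parse_dn(dn):
    """Split a comma-separated DN into (attribute, value) pairs in certificate order.
    Simplification: attribute values that themselves contain commas are not supported."""
    pairs = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        pairs.append((attr, value))
    return pairs


def format_dn(dn, format_opt):
    """Order the DN per format_opt: 'positive' (smallest to largest scope),
    'reverse' (largest to smallest) or 'original' (as parsed)."""
    pairs = parse_dn(dn)
    rank = lambda p: RANK.get(p[0].lower(), len(SCOPE_ORDER))  # unknown symbols go last
    if format_opt == "positive":
        pairs = sorted(pairs, key=rank)  # stable: repeated symbols keep their order
    elif format_opt == "reverse":
        pairs = sorted(pairs, key=rank, reverse=True)
    elif format_opt != "original":
        raise ValueError(f"unknown format_opt {format_opt!r}")
    return ",".join(f"{a}={v}" for a, v in pairs)


def rdn_fields(dn, rdn, customized_name):
    """Collect every value of '<scope>.<symbol or OID>' from the subject DN and name them
    customized_name, customized_name1, customized_name2, ... (a number is appended from the
    second value on, starting at 1, as the handbook's note describes)."""
    scope, _, selector = rdn.partition(".")
    if scope.lower() != "subject":
        raise NotImplementedError("only the Subject scope is modelled in this example")
    symbol = OID_SYMBOL.get(selector, selector).lower()  # accept either a symbol or its OID
    fields = {}
    for attr, value in parse_dn(dn):
        if attr.lower() == symbol:
            fields[customized_name + (str(len(fields)) if fields else "")] = value
    return fields


def as_headers(fields):
    """Header mode: one 'name: value' line per collected value."""
    return [f"{name}: {value}" for name, value in fields.items()]


def as_cookie(fields):
    """Cookie mode: all collected values in a single Cookie header."""
    return "Cookie: " + ", ".join(f"{name}={value}" for name, value in fields.items())


if __name__ == "__main__":
    for opt in ("positive", "reverse", "original"):
        print(opt, format_dn(SUBJECT_A, opt))
    print(as_cookie(rdn_fields(SUBJECT_B, "Subject.OU", "OU")))
    print(*as_headers(rdn_fields(SUBJECT_B, "Subject.2.5.4.11", "2.5.4.11")), sep="\n")
```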

When the “field_name” parameter is set to “Validity”, “NotBefore”,
or “NotAfter”, the “format_opt” parameter defines the date/time
format. Its value must be:

- digital: All date and time information is expressed using digital numbers, except the
GMT expression.
- latin: The month is expressed as an English word. Other date and time information is
expressed using digital numbers.
- W3C: Standard time format. The local time zone information from the client certificate
will be used.

The default value is “digital”.

The following are examples of the date and time when the
“field_name” parameter is set to “Validity”:

- When the “format_opt” parameter is set to “digital”, the date and time format is “Valid
from 2008-01-01 20:01:01 GMT to 2010-01-01 20:01:00 GMT”.
- When the “format_opt” parameter is set to “latin”, the date and time format is “From Jan
31 15:35:5 2008 GMT To Jan 30 15:35:5 2009 GMT”.
- When the “format_opt” parameter is set to “w3c”, the date and time format is “From
2008-01-31T15:35:05Z To 2009-01-30T15:35:05Z”.

When the “field_name” parameter is set to “ext.<OID>”, the value of the “format_opt” parameter must be “unparsed” or “parsed”.

Take the extension part of an X.509 certificate as an example:

Extension ::= SEQUENCE {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING }

Here, “extnID” is the OID of the extension; “critical” indicates whether a relying party that does not recognize the extension must reject the certificate; “extnValue” carries the extension value, itself a DER-encoded structure wrapped in the OCTET STRING.

• unparsed: “extnValue” is DER-encoded, that is, expressed as three parts: type (tag), length and value. In the “unparsed” mode, the entire “extnValue”, tag and length included, is forwarded to the backend server.

• parsed: In the “parsed” mode, only the value part of “extnValue” is forwarded to the backend server; the tag and length are stripped.

The default value is “unparsed”.

The following is an example of the transferred content when the “field_name” parameter is set to “ext.<OID>”:

In this example, the extension OID is 0.1.2.3, and the value of “extnValue” is “0x0c 0x06 0x36 0x35 0x34 0x33 0x32 0x31”. “0c” is the type (UTF8String) and “06” is the length of the value; the remaining six bytes are the ASCII string “654321”.

• If “format_opt” is set to “unparsed”, “0x0c 0x06 0x36 0x35 0x34 0x33 0x32 0x31” is forwarded.

• If “format_opt” is set to “parsed”, “0x36 0x35 0x34 0x33 0x32 0x31” is forwarded.

The entire “extnValue” is forwarded to the backend server, regardless of “format_opt”, when its value is one of the following types:

• SEQUENCE

• SET

• Untagged data

For example, the following is an extension whose value type is SEQUENCE (dump columns: offset, tag in hex, length in decimal):

 404  30   31: SEQUENCE {
 406  06    3:   OBJECT IDENTIFIER issuerAltName (2 5 29 18)
 411  04   24:   OCTET STRING, encapsulates {
 413  30   22:     SEQUENCE {
 415  86   20:       [6] 'http://www.nist.gov/'
             :       }
             :     }
             :   }

After either “http xclientcert plaintext header "ext.2.5.29.18" vs1 "url1" "parsed"” or “http xclientcert plaintext header "ext.2.5.29.18" vs1 "url1" "unparsed"” is executed, the same content is sent to the backend server: the whole “extnValue”, beginning “0x30 0x16 0x86 0x14 …” (the dump above prints lengths in decimal, so 22 is 0x16 and 20 is 0x14).
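The “parsed”/“unparsed” rule, as an added Python example written for this page (not Array Networks code): a minimal DER tag-length-value reader and a function that returns the bytes the backend would receive for an “ext.<OID>” field. The sample extension values are constructed inline: the handbook's 0.1.2.3 example, the issuerAltName SEQUENCE from the dump above, and a UTCTime. Forwarding undecodable bytes whole follows the handbook's “untagged data” wording and is an assumption.

```python
# Added example, not Array Networks code: what "parsed" and "unparsed" deliver
# for an "ext.<OID>" field, following the handbook's rule.  A minimal DER
# tag-length-value reader is enough; no third-party library is used.

SEQUENCE, SET = 0x30, 0x31
UTF8STRING, IA5STRING, UTCTIME, GENERALIZEDTIME = 0x0C, 0x16, 0x17, 0x18


def der(tag: int, value: bytes) -> bytes:
    """Encode one DER element (definite length, up to 65535 bytes)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def read_tlv(data: bytes) -> tuple[int, bytes, bytes]:
    """Decode one DER element and return (tag, value, remaining bytes).

    Raises ValueError on anything that is not a single-byte tag with a
    well-formed definite length; that is how "untagged data" is detected.
    """
    if len(data) < 2:
        raise ValueError("too short for tag and length")
    tag, first = data[0], data[1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    if first < 0x80:
        length, pos = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(data[2:2 + n], "big"), 2 + n
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal DER length")
    if len(data) < pos + length:
        raise ValueError("value truncated")
    return tag, data[pos:pos + length], data[pos + length:]


def extn_value_to_forward(extn_value: bytes, format_opt: str = "unparsed") -> bytes:
    """Return the bytes an "ext.<OID>" field would carry to the backend."""
    if format_opt == "unparsed":
        return extn_value                 # whole TLV, tag and length included
    if format_opt != "parsed":
        raise ValueError("format_opt must be 'parsed' or 'unparsed'")
    try:
        tag, value, rest = read_tlv(extn_value)
    except ValueError:
        return extn_value                 # untagged data: forwarded whole (assumption)
    if rest or tag in (SEQUENCE, SET):
        return extn_value                 # SEQUENCE/SET: forwarded whole
    return value                          # primitive: tag and length stripped


# Constructed sample inputs: the handbook's two worked cases plus a UTCTime.
HANDBOOK_EXT = bytes.fromhex("0c 06 36 35 34 33 32 31")              # UTF8String "654321"
ISSUER_ALT_NAME = der(SEQUENCE, der(0x86, b"http://www.nist.gov/"))  # [6] uniformResourceIdentifier
UTC_TIME = der(UTCTIME, b"080131153505Z")                            # 2008-01-31 15:35:05 UTC

if __name__ == "__main__":
    samples = [("ext.0.1.2.3", HANDBOOK_EXT), ("ext.2.5.29.18", ISSUER_ALT_NAME), ("time", UTC_TIME)]
    for name, ext in samples:
        for opt in ("unparsed", "parsed"):
            print(f"{name:14} {opt:8} {extn_value_to_forward(ext, opt).hex(' ')}")
```

Two practical points follow from the rule: a “parsed” SEQUENCE (issuerAltName, subjectAltName, extended key usage) still arrives as DER, so the backend needs a DER decoder for those OIDs anyway; and because the extension bytes are passed through from the certificate, the backend should bound the header size and treat the content as untrusted input rather than as a validated string.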

2000-2018 Array Networks, Inc.


253
All Rights Reserved.
Chapter 6 Access Method

When the value type of “extnValue” is a time string, the appliance transfers it in either of the following formats:

• GeneralizedTime

• UTCTime

Note: Multiple transfer modes can be set for the same certificate field. However, only one
customized name is allowed for the same certificate field. That is, the newest customized
name of the certificate field will overwrite the customized name of the field in earlier “http
xclientcert plaintext” configurations.

no http xclientcert plaintext <mode> <field_name>


This command is used to delete the configuration of inserting the specified certificate field into
HTTP requests sent to the backend server.

show http xclientcert plaintext


This command is used to display all configurations of inserting the certificate field into HTTP
requests sent to the backend server.

clear http xclientcert plaintext


This command is used to clear all configurations of inserting the certificate field into HTTP
requests sent to the backend server.

http xclientcert rdnsep [separator] [pre|post]


This command is used to configure the separator used to distinguish the RDN fields in the header,
cookie or URL when the certificate DN field to be transferred to the backend server contains
multiple RDN fields. If this command is not configured, the default separator used to distinguish
the RDN fields in the header, cookie or URL is “,” and the separator is placed after every RDN
field.

separator Optional. This parameter specifies the separator used to distinguish the DN fields. Its value must be a string of 1 character enclosed by double quotes. Letters (A to Z and a to z), numbers (0 to 9), and the “%” symbol are not supported. The default value is “,”.

pre|post Optional. This parameter specifies where to place the DN field separator. Its value must be:

• pre: places the separator before the DN field.

• post: places the separator after the DN field.

2000-2018 Array Networks, Inc.


254
All Rights Reserved.
Chapter 6 Access Method

The default value is “post”.

no http xclientcert rdnsep


This command is used to restore the configuration of the separator used to distinguish the RDN
fields in the header, cookie or URL when the certificate DN field to be transferred to the backend
server contains multiple RDN fields to default.

show http xclientcert rdnsep


This command is used to display the configuration of the separator used to distinguish the RDN
fields in the header, cookie or URL when the certificate DN field to be transferred to the backend
server contains multiple RDN fields.

http xclientcert dnencoding [encoding]


This command is used to set the encoding format for transferring the DN field in the client
certificate. If this command is not configured, the default encoding format for transferring the DN
field is “UTF-8”.

encoding Optional. This parameter specifies the encoding format for transferring the DN field. Its value must be “UTF-8”, “GB2312”, “GBK” or “GB18030”. The default value is “UTF-8”.

no http xclientcert dnencoding


This command is used to restore the configuration of the encoding format for transferring the DN
field in the client certificate to default.

show http xclientcert dnencoding


This command is used to display the configuration of the encoding format for transferring the DN
field in the client certificate.

http xclientcert oidname <oid> <customized_name>


This command is used to configure a customized name for the OID field in the client certificate.

oid This parameter specifies the OID field in the client certificate. Its
value must be enclosed by double quotes.

customized_name This parameter specifies the customized name for the OID field in
the client certificate. Its value must be a string of 1 to 32 characters.

2000-2018 Array Networks, Inc.


255
All Rights Reserved.
Chapter 6 Access Method

no http xclientcert oidname <oid>


This command is used to delete the customized name configured for the specified OID field in the client certificate.

show http xclientcert oidname


This command is used to display configurations of customized names for all the OID fields in the
client certificate.

clear http xclientcert oidname


This command is used to clear configurations of customized names for all the OID fields in the
client certificate.

http xclientcert backendurl [backend_url]


This command is used to configure the backend URL accessed by the user that triggers the system
to send the client certificate (configured using the “http xclientcert cert” command) or certificate
fields (configured using the “http xclientcert plaintext” command) to the backend server. After
this command is configured, the client certificate or certificate fields will be inserted into HTTP
requests only when the user accesses the specified backend URL.

backend_url Optional. This parameter specifies the backend URL to be accessed. Its value must be a string of 1 to 128 characters excluding the “http” or “https” prefix. For example, “www.example.org/login.html”.

The default value is empty, indicating that the client certificate or certificate fields will be sent to all URLs.

show http xclientcert backendurl


This command is used to display the configuration of backend URL accessed by the user that
triggers the system to send the client certificate or certificate fields to the backend server.

show http xclientcert config


This command is used to display all the configurations related to transferring the client certificate
and certain fields to the backend server.

clear http xclientcert config


This command is used to restore all the configurations related to transferring the client certificate and certain fields to the backend server to their default values.

http xusername
This command is used to enable inserting an “X-SSO-USER” HTTP header, carrying the authenticated username, into HTTP requests sent to the backend server. A backend that grants access based on this header must accept it only from the appliance; any client able to reach the backend directly can supply its own “X-SSO-USER” value.

no http xusername

2000-2018 Array Networks, Inc.


256
All Rights Reserved.
Chapter 6 Access Method

This command is used to disable the function of inserting the “X-SSO-USER” HTTP header to set
the username into HTTP requests sent to the backend server.

show http xusername


This command is used to display the configuration of inserting the “X-SSO-USER” HTTP header
to set the username into HTTP requests sent to the backend server.

http statefulredirect
This command is used to enable the HTTP stateful redirection (bookmarking) function. When enabled, end users who are required to log in again (for example, after a session timeout) are redirected to the page they were on before the login.

no http statefulredirect
This command is used to disable the HTTP stateful redirection function.

show http statefulredirect


This command is used to display the configurations of the HTTP stateful redirection function.

http cookie expire passthrough


This command is used to enable passing through the Expires attribute of the HTTP Set-Cookie header sent by the backend server. By default, this function is disabled and the Expires attribute is not forwarded to the browser.

no http cookie expire passthrough


This command is used to disable passing through the Expires attribute of the HTTP Set-Cookie header.

show http cookie expire passthrough


This command is used to display the status (enabled or disabled) of passing through the Expires attribute of the HTTP Set-Cookie header.

http cookie httponly <on|off>


This command is used to enable or disable the HttpOnly cookie attribute function. When this function is enabled, the system adds the HttpOnly attribute to the Set-Cookie headers in HTTP responses, so that scripts running in the browser cannot read the cookies through “document.cookie”. By default, this function is disabled.

on|off This parameter specifies whether to add the HttpOnly cookie attribute to the Set-Cookie header in the HTTP response. Its value must be “on” or “off”.

show http cookie httponly


This command is used to display the status (enabled or disabled) of the HttpOnly cookie attribute function.
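The two Set-Cookie rewrites described for “http cookie expire passthrough” and “http cookie httponly”, as an added Python example written for this page (not Array Networks code): a function that applies both settings to one Set-Cookie value, and a wrapper that runs it over a constructed list of response headers. The handbook does not say how the appliance treats Max-Age, so the example leaves that attribute alone; that is an assumption.

```python
# Added example, not Array Networks code: the two Set-Cookie rewrites this
# section describes, applied to a backend's response headers.
#   - "http cookie expire passthrough" off (the default): drop the Expires
#     attribute, so the browser keeps the cookie only for the session.
#   - "http cookie httponly on": add HttpOnly so page scripts cannot read
#     the cookie via document.cookie.
# Max-Age is left untouched because the handbook says nothing about it
# (an assumption; check the appliance if Max-Age matters to you).


def rewrite_set_cookie(header_value: str, expire_passthrough: bool = False,
                       httponly: bool = False) -> str:
    """Rewrite one Set-Cookie header value according to the two settings."""
    parts = [p.strip() for p in header_value.split(";")]
    name_value, attributes = parts[0], parts[1:]
    if "=" not in name_value:
        raise ValueError("Set-Cookie must start with name=value")
    kept = []
    has_httponly = False
    for attr in attributes:
        if not attr:
            continue
        key = attr.split("=", 1)[0].strip().lower()
        if key == "expires" and not expire_passthrough:
            continue                      # strip Expires unless passthrough is on
        if key == "httponly":
            has_httponly = True
        kept.append(attr)
    if httponly and not has_httponly:
        kept.append("HttpOnly")           # attribute names are case-insensitive
    return "; ".join([name_value] + kept)


def rewrite_response_headers(headers: list[tuple[str, str]], **settings) -> list[tuple[str, str]]:
    """Apply rewrite_set_cookie to every Set-Cookie header, leaving others alone."""
    return [(k, rewrite_set_cookie(v, **settings) if k.lower() == "set-cookie" else v)
            for k, v in headers]


# Constructed sample response headers from a hypothetical backend.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure"),
    ("Set-Cookie", "pref=dark; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for k, v in rewrite_response_headers(SAMPLE_HEADERS, httponly=True):
        print(f"{k}: {v}")
```

HttpOnly only stops scripts from reading the cookie; it does not stop them from issuing requests that carry it, so it mitigates cookie theft through script injection, not cross-site request forgery.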

http nostore

This command is used to disable the browser caching function. After this command is executed, responses from the backend server will not be cached by the browser. By default, the browser caching function is disabled.

no http nostore
This command is used to enable the browser caching function.

show http nostore


This command is used to display the status (enabled or disabled) of the browser caching function.

http hostcheck <on|off>


This command is used to enable or disable checking whether the host name requested by the client (the HTTP Host header) is in the virtual site domain list. When the function is enabled, requests for a host name that is not in the virtual site domain list are answered with an HTTP 400 response. If this command is not configured, this function is disabled.

on|off This parameter specifies whether to check that the requested host name is in the virtual site domain list. Its value must be “on” or “off”.

show http hostcheck


This command is used to display the status (enabled or disabled) of the function of checking
whether the domain name is in the virtual site domain list.

http postcheck <on|off>


This command is used to enable or disable checking the body of HTTP POST requests for possible SQL injection attacks. If this command is not configured, this function is enabled. The check is a proxy-side filter; it does not replace parameterized queries in the backend application.

on|off This parameter specifies whether to check the body of HTTP POST requests for possible SQL injection attacks. Its value must be “on” or “off”.

show http config


This command is used to display all HTTP Proxy configurations.

clear http config


This command is used to reset all HTTP Proxy configurations to the default values.

File Share
fileshare cifs {on|off}

2000-2018 Array Networks, Inc.


258
All Rights Reserved.
Chapter 6 Access Method

This command is used to enable or disable the file share (CIFS) function for the current virtual site. The file share function gives remote users access to the files shared by a CIFS server. The files shared by the CIFS server are defined as CIFS resources for roles using the “role resource cifs” command. By default, the CIFS function is disabled.

fileshare cifs workgroup default {domain_name|work_group}


This command is used to set the default domain name or work group of the CIFS server that
provides CIFS resources.

domain_name|work_group This parameter specifies the default domain name or work group.
Its value must be a string of 1 to 256 characters.

no fileshare cifs workgroup default


This command is used to delete the setting of the default domain name or work group of the CIFS
server that provides CIFS resources.

show fileshare config


This command is used to display the configurations of the CIFS function, including status (on or
off) of this function and the setting of the default domain name or work group of the CIFS server
that provides CIFS resources.

2000-2018 Array Networks, Inc.


259
All Rights Reserved.
Chapter 7 Web Portal

Chapter 7 Web Portal


The Web portal is the Web-based access point of the virtual site. It consists of the portal pages, such as the login page and welcome page, and the error pages that users encounter when accessing the virtual site.

By default, the default Web portal is provided for the virtual site. Also, the AG appliance allows
the administrator to customize the Web portal by any of the following ways:

• Portal custom: The portal custom function enables the administrator to customize portal pages and error pages using external pages. This function can be used to customize only certain portal pages and all error pages.

• Portal theme: The portal theme function enables the administrator to create a custom portal theme or import a custom portal theme and activate it for the custom portal theme to take effect. This function can be used to customize all portal pages and all error pages.

The portal/error page customized using the portal custom function or the portal theme function has
a higher priority than the default portal/error page. In addition, the portal/error page customized
using the portal custom function has a higher priority than that customized by the portal theme
function.

Portal Configuration
This section covers the CLI commands for configuring the general settings for the Web portal or
other settings for certain portal pages.

portal language <language>


This command is used to set the language used by the Web portal. If this command is not
configured, the default language of the Web portal is “english”.

language This parameter specifies the language used by the Web portal. Its value must be “english”, “chinese”, “chinese-Big5”, “chinese-GB2312”, “chinese-traditional” or “japanese”. The administrator can view the list of supported languages by executing the “show portal languages” command.

no portal language
This command is used to reset the Web portal language to the default value.

show portal language


This command is used to display the language currently being used by the Web portal.

show portal languages

2000-2018 Array Networks, Inc.


260
All Rights Reserved.
Chapter 7 Web Portal

This command is used to display the available languages that the Web portal can use. Currently,
the following languages are supported:

VS(config)$show portal languages


english
chinese
chinese-Big5
chinese-GB2312
chinese-traditional
japanese

portal logo <url>


This command is used to import a custom logo image from a specific URL. The logo image format can be “gif”, “png”, “jpg”, or “bmp”. If this command is not configured, the default logo image is the Array Networks logo.

url This parameter specifies the HTTP or FTP URL of the custom logo
image. Its value must be a string of 1 to 900 characters.

no portal logo
This command is used to reset the Web portal logo image to the default logo image.

show portal logo


This command is used to display the URL from which the custom logo image is imported.

portal charset <character_set>


This command is used to configure the character set for the Web portal.

If a character set has been configured, this command is used to modify the existing character set.

character_set This parameter specifies the character set. Its value must be a
string of 1 to 64 characters.

no portal charset
This command is used to delete the configuration of the character set for the Web portal.

show portal charset


This command is used to display the configuration of the character set for the Web portal.

portal cookietest
This command is used to enable the check of whether the browser can support cookies. By default,
this function is enabled.

no portal cookietest

2000-2018 Array Networks, Inc.


261
All Rights Reserved.
Chapter 7 Web Portal

This command is used to disable the check of whether the browser can support cookies.

show portal cookietest


This command is used to display whether or not the check of whether the browser can support
cookies is enabled.

portal configuration encoding <encoding>


This command is used to enable the encoding conversion method of the configuration input for the
Web portal. By default, this function is disabled.

encoding This parameter specifies the type of encoding conversion method. Its value must be a string of 1 to 64 characters; currently the only supported value is “html-to-binary”.

no portal configuration encoding


This command is used to disable the encoding conversion method of the configuration input for
the Web portal.

show portal configuration encoding


This command is used to display whether the encoding conversion method of the configuration
input is enabled for the Web portal.

portal message login <login_message>


This command is used to set the message displayed on the login page. After this command is
configured, a login message is displayed on the login page.

If a message has been configured for the login page, this command is used to modify the existing
message.

login_message This parameter specifies the login message. Its value must be a
string of 1 to 1024 characters.

This parameter supports HTML tags that can be used between <div> and </div>, such as “<b>…</b>”, “<font color=x>…</font>”, and “<i>…</i>”.

For example:

vs(config)$portal message login "<font color=blue>welcome</font>"

no portal message login


This command is used to delete the configuration of the message displayed on the login page.

show portal message login


This command is used to display the configuration of the message for the login page.

2000-2018 Array Networks, Inc.


262
All Rights Reserved.
Chapter 7 Web Portal

portal credentials autocomplete


This command is used to enable the username auto-completion function of the browser used to access the login page. When this function is enabled, the browser may remember the usernames entered. When the login page is opened again in the same browser, the browser suggests the remembered username(s) that match the part of the username the user has typed. By default, this function is disabled.

no portal credentials autocomplete


This command is used to disable the username auto-completion function for the browser used to
access the login page.

show portal credentials autocomplete


This command is used to display the status of the username auto-completion function for the
browser used to access the login page.

portal favorite {on|off}


This command is used to enable or disable the bookmark function for the login portal page. When
this function is enabled, the “Favorite” hyperlink is displayed on the login portal page. When the
user clicks this hyperlink, the browser can add the login portal page to bookmarks. By default, this
function is disabled.

show portal favorite


This command is used to display the status of the bookmark function for the login portal page.

portal message choose_site <choose_site_message>


This command is used to set the “Choose a Virtual Site” message for a shared virtual site. After
this command is configured, a message will be displayed on the choose_site page.

If a message has been configured for a shared virtual site, this command is used to modify the
existing message.

choose_site_message This parameter specifies the content of the message. Its value must
be a string of 1 to 1024 characters.

This parameter supports HTML tags that can be used between <div> and </div>, such as “<b>…</b>”, “<font color=x>…</font>”, and “<i>…</i>”.

For example:

vs(config)$portal message choose_site "<font color=red>Choose a virtual site</font>"

no portal message choose_site


This command is used to delete the configuration of the message for a shared virtual site.

2000-2018 Array Networks, Inc.


263
All Rights Reserved.
Chapter 7 Web Portal

show portal message choose_site


This command is used to display the configuration of the current message for a shared virtual site.

portal otp message <message_string>


This command is used to set the message displayed on the OTP authentication portal page. After
this command is configured, an OTP message will be displayed on the OTP authentication page.

If the OTP authentication portal message has been configured, this command is used to modify the
existing OTP authentication message.

message_string This parameter specifies the message to be displayed on the OTP authentication page. Its value must be a string of 1 to 1024 characters. It supports the placeholder “<PHONE>”, which is replaced by the user's mobile phone number.

For example:

vs(config)$portal otp message "The SMS message has been sent to <PHONE>"

no portal otp message


This command is used to delete the setting of the message displayed on the OTP authentication
page.

show portal otp message


This command is used to display the setting of the message displayed on the OTP authentication
page.

portal otp title <title_string>


This command is used to set the title of the OTP authentication page. After this command is
configured, a title will be displayed on the OTP authentication page.

If the title of the OTP authentication page has been configured, this command is used to modify the existing title.

title_string This parameter specifies the title of the OTP authentication page. Its
value must be a string of 1 to 128 characters.

no portal otp title


This command is used to delete the title of the OTP authentication page.

show portal otp title


This command is used to display the title of the OTP authentication page.

portal title <title_string>

2000-2018 Array Networks, Inc.


264
All Rights Reserved.
Chapter 7 Web Portal

This command is used to set the welcome page title. If this command is not configured, the default
title is “welcome”.

If a welcome page title has been configured, this command is used to modify the existing welcome
page title.

title_string This parameter specifies the title of the welcome page. Its value
must be a string of 1 to 128 characters.

no portal title
This command is used to reset the welcome page title to the default value.

show portal title


This command is used to display the welcome page title.

portal message welcome <welcome_message>


This command is used to set the welcome message displayed on the welcome page. If this
command is not configured, the default welcome message is “Hello <user>, welcome to the Array
AG.”.

If a welcome message has been configured, this command is used to modify the existing welcome
message.

welcome_message This parameter specifies the welcome message on the welcome page. Its value must be a string of 1 to 1024 characters.

This parameter supports HTML tags that can be used between <div> and </div>, such as “<b>…</b>”, “<font color=x>…</font>”, and “<i>…</i>”.

For example:

vs(config)$portal message welcome "<i>HELLO</i>"

no portal message welcome


This command is used to reset the welcome message on the welcome page to the default value.

show portal message welcome


This command is used to display the configuration of the welcome message displayed on the
welcome page.

portal changeldbpassword
This command is used to enable the display of the “LocalDB password change” link on the welcome page. When this function is enabled, the “Change Password” hyperlink is displayed on the welcome portal page. When the user clicks this hyperlink, a “Change Password” portal page will be displayed for the user to change the password. By default, this function is disabled.

no portal changeldbpassword
This command is used to disable the display of the “LocalDB password change” link on the
welcome page.

show portal changeldbpassword


This command is used to display whether or not to display the “LocalDB password change” link
on the welcome page.

portal changeldappassword [withwarning]


This command is used to enable the display of the “LDAP password change” link on the welcome
page. When this function is enabled, the “Change Password” hyperlink is displayed on the
welcome portal page. When the user clicks this hyperlink, a “Change Password” portal page will
be displayed for the user to change the password. By default, this function is disabled.

withwarning Optional. This parameter specifies when to display the “LDAP password change” link. If this parameter is specified, the “LDAP password change” link will be displayed on the welcome page only when the password expiry warning message configured using the “aaa server ldap pwdexpirewarning” command starts to display. The default value is empty, indicating that the “LDAP password change” link will always be displayed on the welcome page.

no portal changeldappassword
This command is used to disable the display of the “LDAP password change” link on the welcome
page.

show portal changeldappassword


This command is used to display whether or not to display the “LDAP password change” link on
the welcome page.

portal urlbar
This command is used to enable the URL input bar on the welcome portal page. When this
function is enabled, the URL input bar will be displayed on the welcome portal page after portal
login. With the URL input bar, the user can access Web resources that are not displayed as Web
links on the welcome portal page. By default, this function is disabled.

no portal urlbar
This command is used to disable the URL input bar on the welcome portal page.

show portal urlbar

2000-2018 Array Networks, Inc.


266
All Rights Reserved.
Chapter 7 Web Portal

This command is used to display whether or not the URL input bar is enabled on the welcome
page.

portal newwindows
This command is used to enable opening a new browser window when a portal link is accessed.
By default, this function is disabled.

no portal newwindows
This command is used to disable opening a new browser window when a portal link is accessed.

show portal newwindows


This command is used to display whether or not to open a new browser window when a portal link
is accessed.

portal navtool [nourlbar]


This command is used to enable the Web navigation panel for the pages of Web resources
accessed through the portal. If this command is configured, the Web navigation panel will appear
on the opened Web page after a portal link is clicked. By default, this function is disabled.

nourlbar Optional. This parameter specifies whether the navigation panel has the URL input bar. Its value must be:

• “nourlbar”: indicates that the navigation panel does not have the URL input bar.

• empty: indicates that the navigation panel has the URL input bar. With the URL input bar, the user can access the desired URL directly from the current Web page.

The default value is “empty”.

no portal navtool
This command is used to disable the Web navigation panel for the pages of Web resources
accessed through the portal.

show portal navtool


This command is used to display whether the Web navigation panel is enabled for the pages of
Web resources accessed through the portal.

portal bookmark on
This command is used to enable the bookmark function on the welcome page. With this function,
end users can add the frequently accessed resources on the virtual portal as bookmark links and
access these resources conveniently by clicking these bookmark links in future. AG now supports
adding bookmarks for three types of resources: Web, File Share and Desktops. By default, this
function is disabled.

2000-2018 Array Networks, Inc.


267
All Rights Reserved.
Chapter 7 Web Portal

portal bookmark off


This command is used to disable the bookmark function on the welcome page.

show portal bookmark status


This command is used to display the status of the bookmark function.

portal bookmark role <role_name> <resource_type> <url> <display_name> [parameter]


This command is used to add a resource bookmark (that is, a bookmark for a resource) to the welcome page for a specified role.

role_name This parameter specifies the name of an existing role.

resource_type This parameter specifies the type of the resource for which the
bookmark is added. Its value must be “web”, “fileshare” or
“desktop”.

url This parameter specifies the URL of the resource for which the bookmark is added. Its value must be a string of 1 to 512 characters.

• If the resource type is “web”, the URL format should be http://www.example.com/.

• If the resource type is “fileshare”, the URL format should be a path, such as //10.8.2.88/ShareFolder.

• If the resource type is “desktop”, the URL format should be an IP address or host name, such as 10.8.2.88.

display_name This parameter specifies the name of the resource bookmark displayed on the portal page. Its value must be a string of 1 to 900 characters.

This parameter supports HTML tags that can be used between <a> and </a>, such as “<b>…</b>”, “<font color=x>…</font>”, and “<i>…</i>”. When HTML tags are used, the parameter value must be enclosed by double quotes.

parameter Optional. This parameter specifies the resource parameter. Its value must be a string of 1 to 255 characters. The default value is empty.

For example:
vs(config)$portal bookmark role "r" "web" "http://10.3.6.57" "<b>Test</b>" ""
vs(config)$portal bookmark role "r" "fileshare" "//10.3.6.57/ShareFolder" "<b>File</b>" ""
vs(config)$portal bookmark role "r" "desktop" "10.3.6.57" "<b>Test</b>" ""

2000-2018 Array Networks, Inc.


268
All Rights Reserved.
Chapter 7 Web Portal

no portal bookmark role <role_name> <resource_type> <url>


This command is used to delete a resource bookmark from the welcome page for a specified role.

show portal bookmark role [role_name] [resource_type]


This command is used to display the bookmarks of a specific resource type added to the welcome
page for a specified role.

role_name Optional. This parameter specifies the name of an existing role. If this parameter is specified, the resource bookmarks of the specified role are displayed. If this parameter is not specified, the resource bookmarks of all roles are displayed.

resource_type Optional. This parameter specifies the resource type of the bookmarks to be displayed. Its value must be “web”, “fileshare” or “desktop”. If this parameter is specified, the bookmarks of the specified resource type are displayed. If this parameter is not specified, the bookmarks of all resource types are displayed.

clear portal bookmark role [role_name] [resource_type]


This command is used to clear the bookmarks of a specific resource type from the welcome page
for a specified role.

role_name Optional. This parameter specifies the name of an existing role.

If this parameter is specified, the resource bookmarks of the specified role are cleared. If this
parameter is not specified, the resource bookmarks of all roles are cleared.

resource_type This parameter specifies the resource type of the bookmarks to be cleared. Its
value must be “web”, “fileshare” or “desktop”.

If this parameter is specified, the bookmarks of the specified resource type are cleared. If this
parameter is not specified, the bookmarks of all resource types are cleared.

portal message autolaunch <autolaunch_message> [escape]


This command is used to set the autolaunch message displayed on the autolaunch page. After this
command is configured, an autolaunch message will be displayed on the autolaunch page. To
allow users to see the autolaunch page, please specify the “mode” parameter using the “vpn
netpool autolaunch <netpool> [mode]” command.


If an autolaunch message has been configured, this command is used to modify the existing
autolaunch message.

autolaunch_message This parameter specifies the autolaunch message. Its value must be
a string of 1 to 1024 characters.

escape Optional. “escape” means to escape the HTML characters according to the HTML
standard. The default value is empty, which means not to escape the HTML characters.

no portal message autolaunch


This command is used to delete the configuration of the autolaunch message.

show portal message autolaunch


This command is used to display the configuration of the autolaunch message.

portal externalapp rdp proxy <url>


This command is used to configure an external RDP proxy server.

url This parameter specifies the HTTP or HTTPS URL of the external
RDP proxy server. Its value must be a string of 1 to 512 characters.

no portal externalapp rdp proxy


This command is used to delete the configured external RDP proxy server.

show portal externalapp rdp proxy


This command is used to display the configured external RDP proxy server.

portal externalapp rdp file <url>


This command is used to configure an external file proxy server.

url This parameter specifies the HTTP or HTTPS URL of the external
file proxy server. Its value must be a string of 1 to 512 characters.

no portal externalapp rdp file


This command is used to delete the configured external file proxy server.

show portal externalapp rdp file


This command is used to display the configured external file proxy server.

portal motionpro detect <prelogin|postlogin>


This command is used to configure the MotionPro client detection function on the portal page.
This function allows the AG appliance to detect whether the MotionPro client has been installed
on the client PC.

If this command is not configured, the system will detect whether the MotionPro client has been
installed on the client PC on the welcome page.

prelogin|postlogin This parameter specifies where the system detects whether the MotionPro
client has been installed on the client PC. Its value must be:

• prelogin: indicates that the system detects whether the MotionPro client has been installed
on the client PC on the login page.

• postlogin: indicates that the system detects whether the MotionPro client has been
installed on the client PC on the welcome page.

show portal motionpro detect


This command is used to display the setting of the MotionPro client detection function on the
portal page.

portal motionpro hardwareid [type]


This command is used to set the ID type used by the MotionPro client when the Hardware ID
authorization is enabled.

type Optional. This parameter specifies the ID type used by the MotionPro client when the
Hardware ID authorization is enabled. Its value must be:

• 0: indicates the Hardware ID will be used.

• 1: indicates the Device ID will be used.

The default value is 0.

show portal motionpro hardwareid


This command is used to display the setting of ID type used by the MotionPro client when the
Hardware ID authorization is enabled.

show portal config


This command is used to display the Web portal configurations, including the portal custom,
portal theme and DesktopDirect integration configurations.

clear portal config


This command is used to clear all Web portal configurations, including the portal custom, portal
theme and DesktopDirect integration configurations.

Portal Customization

Portal Custom
The portal custom settings enable the administrator to customize the following portal pages using
external pages:

• Login page

• Welcome page

• Change password page

• Change password ok page

• Logout page

• All error pages

portal custom login <url> [username] [password1] [securID] [password2]


This command is used to set a custom login page.

url This parameter specifies the URL of the custom login page. Its
value must be a string of 1 to 900 characters.

username Optional. This parameter specifies the name of POST field that will
contain the username value. Its value must be a string of 1 to 64
characters. The default value is “uname”.

password1 Optional. This parameter specifies the name of the POST field that
will contain the password value. Its value must be a string of 1 to
64 characters. The default value is “pwd”.

securID Optional. This parameter specifies the name of the POST field that
will contain the securID token code value. Its value must be a string
of 1 to 64 characters. The default value is “token”.

password2 Optional. This parameter specifies the name of the POST field that
will contain the second password value. Its value must be a string of
1 to 64 characters. The default value is “pwd2”.

no portal custom login


This command is used to delete the configuration of the custom login page.


show portal custom login


This command is used to display the configuration of the custom login page.

portal custom welcome <url>


This command is used to set a custom welcome page.

url This parameter defines the URL of the custom welcome page. Its
value must be a string of 1 to 900 characters.

no portal custom welcome


This command is used to delete the configuration of the custom welcome page.

show portal custom welcome


This command is used to display the configuration of the custom welcome page.

portal custom changepassword <auth_method> <url>


This command is used to set a custom password change page for the specified AAA method.

If a custom password change page has been configured for the AAA method, this command is
used to modify the existing custom password change page.

auth_method This parameter specifies an existing AAA method. Its value must
be defined by the “aaa method name” command.

url This parameter specifies the URL of the custom password change page. Its value must be
a string of 1 to 900 characters.

no portal custom changepassword [auth_method]


This command is used to delete the custom password change page for the specified AAA method.
If the “auth_method” parameter is not specified, the custom password change pages configured for
all AAA methods will be deleted.

show portal custom changepassword [auth_method]


This command is used to display the configuration of the custom password change page for the
specified AAA method. If the “auth_method” parameter is not configured, the configurations of
all custom password change pages for all AAA methods will be displayed.

portal custom passchangeok <url>


This command is used to set a custom “password change ok” page.

url This parameter defines the URL of the confirmation page after
successfully changing the password. Its value must be a string of 1
to 900 characters.


no portal custom passchangeok


This command is used to delete the configuration of the custom “password change ok” page.

show portal custom passchangeok


This command is used to display the configuration of the custom “password change ok” page.

portal custom logout <url>


This command is used to set a custom logout page.

url This parameter specifies the URL of the custom logout page. Its
value must be a string of 1 to 900 characters.

no portal custom logout


This command is used to delete the configuration of the custom logout page.

show portal custom logout


This command is used to display the configuration of the custom logout page.

portal custom variant name <var_name> [var_filter]


This command is used to configure the customized user variable included in the HTTP
authentication login request and set a single-variable parsing rule.

var_name This parameter specifies the name of the customized user variable
in the HTTP authentication login request. Its value must be a string
of 1 to 32 characters in the format of <an_xx>, such as
<an_param1>.

var_filter Optional. This parameter specifies the filter condition used to parse
the single variable included in the HTTP authentication login
request. Its value must be a string of 1 to 255 characters. The
default value is empty.

For example:

vs(config) portal custom variant name "<an_token>" "token=<an_token>&"

no portal custom variant name <var_name>


This command is used to delete a specified customized user variable included in the HTTP
authentication login request and the associated single-variable parsing rule.

portal custom variant profile <var_filter> [priority]


This command is used to set a multi-variable parsing rule for the HTTP authentication login
request. This command should be used together with the command “portal custom variant
name”.


var_filter This parameter specifies the filter condition used to resolve the
multi-variable combination included in the HTTP authentication
login request. Its value must be a string of 1 to 255 characters.

priority Optional. This parameter specifies the priority of the rule. Its value
must be an integer ranging from 1 to 100. The lower the value, the
higher the priority. The default value is 50.

For example:

vs(config) portal custom variant name "<an_ip>"
vs(config) portal custom variant name "<an_type>"
vs(config) portal custom variant name "<an_phone>"
vs(config) portal custom variant profile "deviceid=<an_ip>@@@<an_type>@@@<an_phone>&" 50
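The single-variable rule from the “portal custom variant name” example and the multi-variable profile above, worked through in Python as an added example that is not Array Networks code: VariantConfig records what the two commands configure and parse() applies the rules to a constructed login request body. The matching semantics (a placeholder stops at the next literal and never crosses “&”, profiles are tried in priority order, a variable keeps the first value found) and the sample body are assumptions, since the handbook does not spell them out.

```python
"""Model of the AG portal "custom variant" login-request parsing rules.

Added example, not Array Networks code.  Assumptions not stated in the
handbook: a filter is matched against the raw login request body, each
<an_xx> placeholder matches up to the next literal in the filter and never
across '&', profiles are tried in priority order (lower value first) and a
variable keeps the first value found.
"""
import re
from typing import Dict, List, Pattern, Tuple
from urllib.parse import unquote_plus

PLACEHOLDER = re.compile(r"<(an_[A-Za-z0-9_]+)>")


def filter_to_regex(var_filter: str) -> Pattern:
    """Turn a CLI filter such as 'token=<an_token>&' into a regex.

    Literal text is escaped so '=', '&' and '@@@' match verbatim and every
    <an_xx> placeholder becomes a named group that stops at '&'.  Unless the
    filter itself starts with '&', the match is anchored to the start of the
    body or to a '&', so a field named 'xtoken' cannot satisfy 'token='.
    """
    pattern = "" if var_filter.startswith("&") else r"(?:^|&)"
    pos = 0
    for m in PLACEHOLDER.finditer(var_filter):
        pattern += re.escape(var_filter[pos:m.start()])
        pattern += f"(?P<{m.group(1)}>[^&]*?)"
        pos = m.end()
    pattern += re.escape(var_filter[pos:])
    return re.compile(pattern)


class VariantConfig:
    """What 'portal custom variant name' and '... profile' would configure."""

    def __init__(self) -> None:
        self.names: Dict[str, str] = {}            # var -> single-variable filter ("" if none)
        self.profiles: List[Tuple[int, str]] = []  # (priority, multi-variable filter)

    def name(self, var_name: str, var_filter: str = "") -> None:
        # CLI form is "<an_xx>" (1 to 32 characters); key on the bare name.
        m = PLACEHOLDER.fullmatch(var_name)
        if not m or len(var_name) > 32:
            raise ValueError(f"var_name {var_name!r} must look like <an_xx>")
        if len(var_filter) > 255:
            raise ValueError("var_filter must be at most 255 characters")
        self.names[m.group(1)] = var_filter

    def profile(self, var_filter: str, priority: int = 50) -> None:
        if not 1 <= priority <= 100:
            raise ValueError("priority must be 1 to 100")
        for var in PLACEHOLDER.findall(var_filter):
            if var not in self.names:  # must be declared with 'variant name' first
                raise ValueError(f"<{var}> is not a declared user variable")
        self.profiles.append((priority, var_filter))

    def parse(self, body: str) -> Dict[str, str]:
        """Extract the declared user variables from a login request body."""
        if not body.endswith("&"):
            body += "&"                      # assumption: rules are '&'-terminated
        # Profiles first (lower priority value first), then single-variable rules.
        rules = [f for _, f in sorted(self.profiles, key=lambda p: p[0])]
        rules += [f for f in self.names.values() if f]
        found: Dict[str, str] = {}
        for rule in rules:
            m = filter_to_regex(rule).search(body)
            if m is None:
                continue
            for var, value in m.groupdict().items():
                found.setdefault(var, unquote_plus(value))   # first value wins
        return found


if __name__ == "__main__":
    cfg = VariantConfig()
    cfg.name("<an_token>", "token=<an_token>&")
    for v in ("<an_ip>", "<an_type>", "<an_phone>"):
        cfg.name(v)
    cfg.profile("deviceid=<an_ip>@@@<an_type>@@@<an_phone>&", 50)
    # Constructed request body; the phone is percent-encoded as a browser would send it.
    body = "uname=alice&pwd=s3cret&deviceid=10.8.2.88@@@laptop@@@%2B15551234&token=123456"
    print(cfg.parse(body))
```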

no portal custom variant profile <var_filter>


This command is used to delete a specified multi-variable parsing rule for the HTTP
authentication login request.

show portal custom variant


This command is used to display the configurations of customized user variables included in the
HTTP authentication login request and the associated variable parsing rules.

portal error <error_type> <url>


This command is used to set the custom error page of the specified type.

error_type This parameter specifies the type of the error page to be customized. Please refer
to the following table for the parameter value.

url This parameter specifies the URL of the custom error page. Its
value must be a string of 1 to 900 characters.

The following table displays the types of the custom error pages that can be customized:

Table 3-1 Types of the Error Pages

Error Page Type      Meaning
passwordchangefail   Change password failed
newpasscheckfail     New password is not valid
dns                  Domain Name Service resolution failed
revdns               Reverse Domain Name Service resolution failed
https                HTTPS server is not configured
cookies              Browser does not support cookies
sessionexpired       Login session has expired
request              Generic request error
access               Access denied
genlogin             Generic login error
failedlogin          Login attempt failed
internal             Generic internal error
badacls              Account has invalid ACLs

no portal error <error_type>


This command is used to delete the configuration of the custom error page of a specified type.

show portal error


This command is used to display the configurations of all custom error pages.

clear portal error


This command is used to clear the configurations of all the custom error pages.

Portal Theme
A portal theme consists of theme objects and theme errors. Theme objects are used to
customize the portal pages while theme errors are used to customize the error pages.

portal theme create <theme_name>


This command is used to create a portal theme.

no portal theme create <theme_name>


This command is used to delete the specified portal theme.

show portal theme create


This command is used to display all the created portal themes.

portal theme object <page_type> <theme_name> <object_name> <url> <file_type> [flag]

This command is used to add a theme object to the specified portal theme and assign it to a
specified portal page to customize it.

page_type This parameter specifies the type of the portal page. For the valid
names supported by this parameter, see Table 3-3.

theme_name This parameter specifies the name of an existing portal theme.

object_name This parameter specifies the name of the theme object. Its value must be a string
of 1 to 20 characters.

url This parameter specifies the URL from which the custom portal
page is imported. Its value must be a string of 1 to 900 characters.

file_type This parameter specifies the file type of the custom portal page. Its value must be
“html”, “css”, “js”, “xml”, “htc”, “text” or “binary”.

flag Optional. This parameter specifies whether or not to rewrite the URLs in the custom
portal page. Its value must be:

• 0: not rewrite.

• 1: rewrites.

The default value is 1.

The following table shows the types of portal pages that can be customized:

Table 3-2 Page Type

Page Type        Content
autolaunch       The page for auto-launching L3VPN
challenge        The RADIUS challenge-response page
choose_site      The page in which you can choose an alias virtual site, available for the
                 shared virtual site only
info             The template page for information and error pages.
login            The login page.
logout           The logout page.
next_token       The RADIUS challenge-response page, in which you should input the next
                 token code to login.
passchange       The page for changing a user's LocalDB password.
ldappasschange   The page for changing a user's LDAP password.
welcome          The welcome portal page.
custom           An arbitrary resource not associated with any default page. This custom
                 page can be referenced by other custom portal pages.
sms              The page for SMS authentication.
smx              The page for SMX authentication.
client_security  The page for Client Security.

no portal theme object <theme_name> <object_name>


This command is used to delete a theme object from a specified portal theme.

portal theme assign <page_type> <theme_name> <object_name>


This command is used to reassign a portal theme object to a specified portal page.


page_type This parameter specifies the type of the portal page. Please refer to
the “portal theme object” command for the parameter value.

theme_name This parameter specifies the name of an existing portal theme.

object_name This parameter specifies the name of an existing portal theme object. Its value
must be a string of 1 to 20 characters.

portal theme rewrite <theme_name> <object_name> [flag]


This command is used to change the rewrite flag for the specified portal theme object.

theme_name This parameter specifies the name of an existing portal theme.

object_name This parameter specifies the name of an existing portal theme object.

flag Optional. This parameter specifies whether or not to rewrite the URLs in the custom
portal page for the portal theme object. For details, please refer to the Chapter 6 Access
Method. Its value must be:

• 0: indicates that the rewrite flag is disabled.

• 1: indicates that the rewrite flag is enabled.

The default value is 1.

show portal theme object <theme_name> [object_name]


This command is used to display the portal page to which the specific theme object in the
specified portal theme is assigned. If the “object_name” parameter is not specified, the assignment
of all theme objects in the specified portal theme to all portal pages will be displayed.

portal theme error <theme_name> <error_type> <url>


This command is used to add a theme error page to the specified portal theme to customize the
specified error page.

theme_name This parameter specifies the name of an existing portal theme.

error_type This parameter specifies the type of the error page to be customized. Please refer
to the “portal error” command for details.

url This parameter specifies the URL of the theme error page. Its value
must be a string of 1 to 900 characters.


no portal theme error <theme_name> <error_type>


This command is used to delete a theme error page from a specified portal theme.

show portal theme error <theme_name>


This command is used to display the configurations of the theme error pages in a specified portal
theme.

portal theme import <url> [theme_name] [flag]


This command is used to import a custom portal theme.

url This parameter specifies the HTTP or FTP URL of the portal theme
to be imported. Its value must be a string of 1 to 900 characters.

theme_name Optional. This parameter specifies the name of the portal theme to
be imported. Its value must be a string of 1 to 20 characters.

flag Optional. This parameter specifies whether or not to rewrite the URLs in the custom
portal page. Its value must be:

• 0: indicates that the rewrite flag is disabled.

• 1: indicates that the rewrite flag is enabled.

The default value is 1.

Note: This parameter only works for portal theme objects in the
imported portal theme but not for theme error pages in it.

portal theme active <theme_name>


This command is used to activate a created or imported custom portal theme. Only one custom
portal theme can be activated.

If a portal theme has been activated, this command is used to activate another portal theme.

theme_name This parameter specifies the name of the portal theme created or
imported.

no portal theme active


This command is used to deactivate the activated custom portal theme.

show portal theme active


This command is used to display the activated portal theme.


DesktopDirect Integration
portal desktop off
This command is used to disable the DesktopDirect Integration function. When this function is
disabled, the Web portal will not integrate DesktopDirect resources. By default, this function is
disabled.

portal desktop embed


This command is used to enable the “embed” mode of DesktopDirect Integration, which indicates
that DesktopDirect resources will be displayed on the welcome page like Web, CIFS, and VPN
resources.

portal desktop newwindow


This command is used to enable the “hyperlink” mode of DesktopDirect Integration, which
indicates that the welcome page provides a hyperlink and DesktopDirect resources will be
displayed in the opened new window by clicking the hyperlink.

Note: The “portal desktop off”, “portal desktop embed”, and “portal desktop
newwindow” configurations are mutually exclusive.

portal desktop initmode activex


This command is used to set the DesktopDirect initiation mode as “activex” so that the
DesktopDirect client is set up with ActiveX components.

portal desktop initmode java


This command is used to set the DesktopDirect initiation mode as “java” so that the
DesktopDirect client is set up with Java components.

portal desktop initmode autoswitch


This command is used to enable the DesktopDirect initiation mode from “activex” to “java” when
the DesktopDirect client cannot be set up with ActiveX components in the user’s PC environment.

no portal desktop initmode autoswitch


This command is used to disable autoswitch of the DesktopDirect initiation mode.

portal desktop register <on|off>


This command is used to enable or disable the portal desktop registration function. When this
function is enabled, end users can register PCs as their portal desktop resources on the welcome
page by clicking the Register Local PC button. The registered local PC will be displayed in the
DesktopDirect resource list. By default, this function is disabled.

on|off This parameter specifies whether to enable the portal desktop registration function. Its
value must be “on” or “off”.


show portal desktop config


This command is used to display the configurations related to the DesktopDirect Integration
function.

Application SSO
The Application SSO function enables application login credentials to be passed to the backend
application servers for the login users when the portal and application credentials are different.
This function works for Web, Fileshare and DesktopDirect applications. By default, this function
is disabled for Web, Fileshare and DesktopDirect applications.

To use this function, you also need to configure application login credentials for login users in the
LocalDB server using the “localdb sso account” command.

sso application web {on|off}


This command is used to enable or disable the Application SSO function for Web applications. By
default, this function is disabled for Web applications. For Web applications, the Application SSO
function supports the NT LAN Manager (NTLM), Basic HTTP authentication and Post methods.

sso application fileshare {on|off}


This command is used to enable or disable the Application SSO function for Fileshare applications.
By default, this function is disabled for Fileshare applications.

sso application desktopdirect {on|off}


This command is used to enable or disable the Application SSO function for DesktopDirect
applications. By default, this function is disabled for DesktopDirect applications.

Chapter 8 High Availability

Cluster
cluster virtual ifname <interface_name> <virtual_cluster_id>
This command is used to add a virtual cluster to the specified interface.

interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface or
VLAN interface.

virtual_cluster_id This parameter specifies the virtual cluster ID.

clear cluster virtual ifname <interface_name> <virtual_cluster_id>


This command is used to clear a virtual cluster from the specified interface.

interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface, VLAN
interface or “all”. “all” indicates virtual clusters of all interfaces
will be cleared.

virtual_cluster_id This parameter specifies the virtual cluster ID.

cluster virtual vip <interface_name> <virtual_cluster_id> <virtual_ip>


This command is used to add a virtual IP address to the specified virtual cluster.

interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface or
VLAN interface.

virtual_cluster_id This parameter specifies the existing virtual cluster ID.

virtual_ip This parameter specifies the virtual IP address of the virtual cluster.

no cluster virtual vip <interface_name> <virtual_cluster_id> <virtual_ip>


This command is used to delete the virtual IP address from the specified virtual cluster.

cluster virtual auth <interface_name> <virtual_cluster_id> <auth_flag> <auth_password>

This command is used to configure the authentication method for the specified virtual cluster. By
default, authentication is not required for a virtual cluster.


interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface or
VLAN interface.

virtual_cluster_id This parameter specifies the existing virtual cluster ID.

auth_flag This parameter specifies whether or not the authentication is required. Its value
must be:

• 0: indicates the authentication is not required.

• 1: indicates the authentication is required.

auth_password Optional. This parameter specifies the authentication password. Its value must
be a string of 1 to 8 characters.

Please note that this parameter is required only when the “auth_flag” parameter is set to 1.

no cluster virtual auth <interface_name> <virtual_cluster_id>


This command is used to reset the configuration of an authentication method to default for the
specified virtual cluster.

cluster virtual priority <interface_name> <virtual_cluster_id> <priority> [peer_host]

This command is used to set the priority of the specified virtual cluster. By default, the priority of
the virtual cluster is 100.

interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface or
VLAN interface.

virtual_cluster_id This parameter specifies the existing virtual cluster ID.

priority This parameter specifies the priority of the virtual cluster. Its value must be an
integer ranging from 1 to 255. The larger the value, the higher the priority.

peer_host Optional. This parameter specifies the name of the synchronization local node or
peer node. Its value must be:

• “Primary”: indicates this command applies to the local node.

• peer node: indicates this command applies to the peer node specified by the “synconfig
peer” command.

The default value is “Primary”.

no cluster virtual priority <interface_name> <virtual_cluster_id> [peer_host]


This command is used to reset the configuration of the priority to default for the specified virtual
cluster.

cluster virtual preempt <interface_name> <virtual_cluster_id> <preempt_value>

This command is used to enable or disable the preemption mode for the specified virtual cluster.
After the preemption mode is enabled, the status of the virtual cluster with a higher priority
becomes the master. By default, the preemption mode is disabled.

interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface or
VLAN interface.

virtual_cluster_id This parameter specifies the existing virtual cluster ID.

preempt_value This parameter specifies whether to enable the preemption mode. Its value
must be:

• 0: indicates the preemption mode is enabled.

• 1: indicates the preemption mode is disabled.

no cluster virtual preempt <interface_name> <virtual_cluster_id>


This command is used to reset the preemption mode of the specified virtual cluster to default.

cluster virtual interval <interface_name> <virtual_cluster_id> [advertisement_interval]

This command is used to set the advertisement interval for the specified virtual cluster. By
default, the advertisement interval is 5 seconds.

interface_name This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface or
VLAN interface.

virtual_cluster_id This parameter specifies the existing virtual cluster ID.

advertisement_interval Optional. This parameter specifies the advertisement interval. Its value
must be an integer ranging from 3 to 60, in seconds. The default value is 5.

no cluster virtual interval <interface_name> <virtual_cluster_id>


This command is used to reset the advertisement interval to default for the specified virtual
cluster.

cluster virtual arp interval <interval>


This command is used to set the interval of the gratuitous ARP.

interval This parameter specifies the broadcasting interval of the gratuitous ARP
advertisement. Its value must be 0 or an integer ranging from 30 to 65,535, in seconds. “0”
indicates the gratuitous ARP advertisement is sent only when a virtual cluster switches to
“master”.
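The master election behaviour documented for the priority, preempt, advertisement interval, gratuitous ARP and transition-log commands above, modelled in Python as an added example that is not Array Networks code. The failure rule (a node is down after three missed advertisement intervals), the tie-break on node name and the node names and VIP used are assumptions; the model shows why the default of preemption disabled keeps a recovered higher-priority node from taking the role back.

```python
"""Model of virtual cluster master election as described for the
'cluster virtual priority', 'cluster virtual preempt', 'cluster virtual
interval', 'cluster virtual arp interval' and 'show cluster virtual
transition' commands.

Added example, not Array Networks code.  Assumptions not stated in the
handbook: a node counts as failed after three missed advertisement
intervals, ties on priority are broken by node name, and with preemption
disabled the current master keeps the role until it fails.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple


@dataclass
class Node:
    name: str
    priority: int = 100      # 'cluster virtual priority' default is 100
    last_adv: int = -10**9   # time of the last advertisement seen (none yet)


@dataclass
class VirtualCluster:
    vip: str                 # 'cluster virtual vip'
    preempt: bool = False    # 'cluster virtual preempt' default: disabled
    interval: int = 5        # 'cluster virtual interval' default: 5 seconds
    nodes: Dict[str, Node] = field(default_factory=dict)
    master: Optional[str] = None
    garp_sent: int = 0       # gratuitous ARPs a unit would send on becoming master
    # Mirrors 'show cluster virtual transition': only the last 10 are kept.
    transitions: Deque[Tuple[int, Optional[str], Optional[str], str]] = field(
        default_factory=lambda: deque(maxlen=10))

    def add_node(self, name: str, priority: int = 100) -> None:
        if not 1 <= priority <= 255:
            raise ValueError("priority must be an integer from 1 to 255")
        self.nodes[name] = Node(name, priority)

    def set_interval(self, seconds: int) -> None:
        if not 3 <= seconds <= 60:
            raise ValueError("advertisement interval must be 3 to 60 seconds")
        self.interval = seconds

    def alive(self, name: str, now: int) -> bool:
        # Assumption: three consecutive missed advertisements mean the node is down.
        return now - self.nodes[name].last_adv <= 3 * self.interval

    def advertise(self, name: str, now: int) -> Optional[str]:
        """Record an advertisement from `name` at time `now` and re-elect."""
        self.nodes[name].last_adv = now
        return self.elect(now)

    def elect(self, now: int) -> Optional[str]:
        """Return the master after applying the priority and preemption rules."""
        live = [n for n in self.nodes.values() if self.alive(n.name, now)]
        if not live:
            return self._become(None, now, "no live node")
        # Larger priority value wins; ties broken by node name (assumption).
        best = max(live, key=lambda n: (n.priority, n.name))
        if self.master is not None and self.alive(self.master, now):
            current = self.nodes[self.master]
            if not self.preempt or best.priority <= current.priority:
                return self.master           # current master keeps the role
            return self._become(best.name, now, "preempted by higher priority")
        reason = "master failed" if self.master is not None else "initial election"
        return self._become(best.name, now, reason)

    def _become(self, name: Optional[str], now: int, reason: str) -> Optional[str]:
        if name != self.master:
            self.transitions.append((now, self.master, name, reason))
            self.master = name
            if name is not None:
                # With 'cluster virtual arp interval 0' this switch to master is
                # the only moment a gratuitous ARP for the VIP is broadcast.
                self.garp_sent += 1
        return name


if __name__ == "__main__":
    vc = VirtualCluster(vip="10.8.2.100")      # constructed VIP
    vc.add_node("A", 200)
    vc.add_node("B", 100)
    vc.advertise("A", 0)
    vc.advertise("B", 0)
    vc.advertise("B", 20)                        # A silent for 20 s: B takes over
    vc.advertise("A", 25)                        # A is back but preempt is off
    print(vc.master, list(vc.transitions))
```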

show cluster virtual arp


This command is used to display the configuration of the interval of the gratuitous ARP.

cluster virtual {on|off} [virtual_cluster_id] [interface_name]


This command is used to enable or disable the virtual cluster on the specified interface.

virtual_cluster_id Optional. This parameter specifies the existing virtual cluster ID. The
default value is 0, indicating that all virtual clusters on the specified interface will be
enabled.

interface_name Optional. This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface, VLAN interface or “all”.

The default value is “all”, indicating that the virtual clusters on all interfaces will be
enabled.

show cluster virtual interface


This command is used to display all interfaces with virtual clusters configured.

show cluster virtual status [interface_name]


This command is used to display the status of the virtual cluster on the specified interface.

interface_name Optional. This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface, VLAN interface or “all”.

The default value is “all”, indicating that the status for all interfaces will be displayed.

show cluster virtual config [interface_name]


This command is used to display configurations of the virtual cluster on the specified interface.

interface_name Optional. This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface, VLAN interface or “all”.

The default value is “all”, indicating that the configurations for all interfaces will be
displayed.

show cluster virtual transition [interface_name]


This command is used to display the last 10 transition logs of the virtual cluster on the specified
interface.

interface_name Optional. This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface, VLAN interface or “all”.

The default value is “all”, indicating that the last 10 transition logs for all interfaces will
be displayed.

clear cluster virtual transition [interface_name] [virtual_cluster_id]


This command is used to clear the transition logs on the specified interface for the specified virtual
cluster.

interface_name Optional. This parameter specifies the name of the existing interface. Its value
must be a system interface, bond interface, MNET interface, VLAN interface or “all”.

• If this parameter is specified, the transition logs on the specified interface will be cleared.

• If this parameter is not specified, the transition logs on all interfaces will be cleared.

The default value is “all”, indicating that transition logs on all interfaces will be cleared.

virtual_cluster_id Optional. This parameter specifies the existing virtual cluster ID.

• If this parameter is specified, the transition logs for the specified virtual cluster will be
cleared.

• If this parameter is not specified, the transition logs for all virtual clusters will be
cleared.

The default value is 0, indicating that the transition logs for all virtual clusters will be
cleared.

show statistics cluster virtual [interface_name]

This command is used to display the statistics of the virtual cluster on the specified interface.

interface_name Optional. This parameter specifies the name of the existing interface. Its value must be a system interface, bond interface, MNET interface, VLAN interface or “all”.

The default value is “all”, indicating that the statistics of the virtual cluster for all interfaces will be displayed.

clear statistics cluster virtual [interface_name] [virtual_cluster_id]


This command is used to clear the statistics on the specified interface for the specified virtual
cluster.

interface_name Optional. This parameter specifies the name of the existing interface. Its value must be a system interface, bond interface, MNET interface, VLAN interface or “all”.

• If this parameter is specified, the statistics on the specified interface will be cleared.

• If this parameter is not specified, the statistics on all interfaces will be cleared.

The default value is “all”, indicating that the statistics on all interfaces will be cleared.

virtual_cluster_id Optional. This parameter specifies the existing virtual cluster ID.

• If this parameter is specified, the statistics for the specified virtual cluster will be cleared.

• If this parameter is not specified, the statistics for all virtual clusters will be cleared.

The default value is 0, indicating that the statistics for all virtual clusters will be cleared.

HA (High Availability)
The High Availability feature provides session synchronization and configuration synchronization
among HA units. All the HA CLI commands need to be executed under the global scope.

2000-2018 Array Networks, Inc.


287
All Rights Reserved.
Chapter 8 High Availablity

General Settings

ha unit <unit_id> <ip> [port]


This command is used to add an HA unit with a unique ID and IP address. An HA domain allows
at most 32 units.

unit_id This parameter specifies the unique ID of the HA unit. Its value ranges from 1 to 32.

ip This parameter specifies the IP address of the HA unit, which is used for primary link communication with other units. It can be an IPv4 or IPv6 address. The “ip” parameter must be set to the IP address of a system interface.

To use the HA bootup and runtime configuration synchronization, the parameter value must be the same as the value of the parameter “peer_ip” specified in the “synconfig peer” command.

port Optional. This parameter specifies the port used for primary link communication with other units. Its value ranges from 1 to 65,535. The default value is 65,521.

Note:

• Before configuring the local unit, you must have configured the local unit’s interface IP address. Otherwise, the local unit cannot be identified by the HA domain.

• The IP addresses of the units in an HA domain must be all IPv4 or all IPv6.

• After multiple units have been added to an HA domain with the command “ha unit”, the system automatically establishes primary link connections between each pair of units.

no ha unit <unit_id>
This command is used to delete an HA unit from the HA domain.

Note: If the local unit is deleted from the HA domain, all the “ha hc…” configurations on
the local unit will also be deleted, and the “ha hc peerunit” configuration will be reset to
the default value.

ha unitname <unit_id> <unit_name> [description]


This command is used to add the name and description to a specified HA unit.

2000-2018 Array Networks, Inc.


288
All Rights Reserved.
Chapter 8 High Availablity

unit_id This parameter specifies the unique ID of the HA unit.

unit_name This parameter specifies the name of the HA unit. Its value should be a string of 1 to 15 characters.

To use the HA bootup and runtime configuration synchronization, the parameter value must be the same as the value of the parameter “peer_name” specified in the “synconfig peer” command.

description Optional. This parameter describes the HA unit. Its value should be a string of 0 to 256 characters.

no ha unitname <unit_id> <unit_name>


This command is used to delete the name and description of a specified HA unit.

ha on
This command is used to enable the HA feature. The HA feature can be enabled only after both the local unit and at least one peer unit have been configured.

ha off [force]
This command is used to disable the HA feature. By default, the HA feature is disabled.

force Optional. This parameter forces the HA function to be disabled when the unit hangs while joining the HA domain.

ha link network secondary <unit_id> <link_id> <ip> [port]


This command is used to configure a secondary link on an HA unit. At most 31 secondary links
can be established between two HA units.

unit_id This parameter specifies the ID of the HA unit.

link_id This parameter specifies the ID of the secondary link. Its value
ranges from 1 to 31. The ID of each secondary link between two
units should be unique.

ip This parameter specifies the IP address of the HA unit, which is used for secondary link communication with another unit. It can be an IPv4 or IPv6 address.

port Optional. This parameter specifies the port used for secondary link communication with another unit. The default value is 65,521.

Note that to establish a secondary link between two units, you need to configure a secondary link with the same ID on each of the two units.

For example, the IP address of two HA units “1” and “2” are 192.168.1.1 and 192.168.10.1
respectively. To establish a secondary link “1” between the two units, the following two
commands must be executed on both units:

AN(config)#ha link network secondary 1 1 192.168.1.1 65521
AN(config)#ha link network secondary 2 1 192.168.10.1 65521

Note:

• The IP addresses of secondary links must not be on the same network segment as the IP address of the primary link.

• The IP addresses of the two ends of a secondary link must be both IPv4 or both IPv6 addresses.

no ha link network secondary <unit_id> <link_id>


This command is used to delete a secondary link between two HA units.

unit_id This parameter specifies the unique ID for the HA unit.

link_id This parameter specifies the unique ID for the secondary link.

clear ha link network secondary


This command is used to delete the configurations about all secondary links on the local unit.

ha ssf on
This command is used to enable the Stateful Session Failover (SSF) function. By default, this function is disabled.

ha ssf off
This command is used to disable the SSF function.

ha synconfig bootup on
This command is used to enable bootup configuration synchronization. By default, bootup
configuration synchronization is disabled.

Bootup configuration synchronization synchronizes, from the peer HA unit that first joined the HA domain, all configurations except those that are specific to a single HA unit or that must be applied only on a specified HA unit.

All the configurations will be synchronized except those matching the following blacklist:

[Bootup Synconfig Blacklist]:

ip address
ip route
bond
hostname
vlan
access
ssh ip
webui ip
webui port
webwall
ip redundant
cluster virtual priority
interface name
ha on
ha off
ha log on
ha log off
passwd enable

Note: Before using bootup configuration synchronization, the administrator needs to:

• Set the identical synconfig challenge code using the “synconfig challenge” command on each HA unit.

• Configure all HA units as synconfig peers using the “synconfig peer” command on each HA unit.

ha synconfig bootup off


This command is used to disable bootup configuration synchronization.

ha synconfig runtime on
This command is used to enable runtime configuration synchronization. By default, runtime
configuration synchronization is disabled.

When runtime configuration synchronization is enabled, all CLI commands executed on the local
unit will be synchronized to peer units for execution except the CLI commands that are specific to
the local unit and need to be executed only on the local unit.

A CLI command that matches a blacklist entry but no whitelist entry is not synchronized. Every other CLI command, that is, one that matches a whitelist entry or matches no blacklist entry at all, is synchronized. The whitelist therefore carves specific exceptions out of broader blacklist entries.

[Runtime Synconfig Whitelist]:

Global:
write memory ...
ip dns ...
no ip dns ...
clear ip dns ...
clear config timeout ...

Virtual Site:
write memory ...

[Runtime Synconfig Blacklist]:


Global:
ha on ...
ha off ...
ha synconfig runtime off ...
ha group enable ...
ha group disable ...
clear ha all ...
switch ...
enable ...
configure ...
engineering ...
exit ...
quit ...
show ...
write ...
debug ...
no debug ...
synconfig ...
no synconfig ...
clear synconfig ...
webui ip ...
webui port ...
webwall ...
accessgroup ...
accesslist ...
no accessgroup ...
no accesslist ...
clear webui ip ...
clear webui port ...
ip ...
no ip ...
clear ip ...
cluster virtual priority ...
no cluster virtual priority ...
ping ...
traceroute ...
nslookup ...
vlan ...
bond ...
hostname ...
no hostname ...
passwd enable ...
ssh ip ...
no ssh ip ...
admin reset configmode ...
system fallback ...
no system fallback ...
system component ...
system reboot ...
system shutdown ...
system console ...
system dump ...
system flexlicense ...
system license ...
no system license ...
system interactive ...
system serialnumber ...
system test ...
system update ...
clear config ...
art export ...
support ...
help ...
who ...
whoami ...
Virtual Site:
switch ...
enable ...
configure ...
exit ...
quit ...
show ...
write ...
client security export ...

For example, “write ...” is in the blacklist while “write memory ...” is in the whitelist.

• When “write file”, “write net scp”, “write net tftp”, “write net all scp”, “write net all tftp” or any other command prefixed with “write” is executed, it is not synchronized to peer units for execution, because it matches the blacklist entry “write ...” but does not match any whitelist entry.

• When the “write memory all” command is executed, it is synchronized to peer units for execution, because it matches the whitelist entry “write memory ...”.

2000-2018 Array Networks, Inc.


293
All Rights Reserved.
Chapter 8 High Availablity

Note: The runtime configuration synchronization cannot synchronize the configurations of


“art import users file” and “art import config file”.
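The prefix-matching rule that the whitelist and blacklist above express, worked through in Python as an added example. This is not Array Networks code and the AG does not expose this logic; it assumes that an entry “a b ...” matches any command whose leading words are exactly “a b”, and it carries only the Global-scope entries from the two lists. The sample commands at the bottom are constructed for illustration.

```python
# Added example, not part of the AG CLI: models which Global-scope commands
# runtime configuration synchronization forwards to peer units.
# Assumption: an entry "a b ..." matches a command whose first words are "a b".

WHITELIST = (
    "write memory",
    "ip dns",
    "no ip dns",
    "clear ip dns",
    "clear config timeout",
)

BLACKLIST = (
    "ha on", "ha off", "ha synconfig runtime off", "ha group enable",
    "ha group disable", "clear ha all", "switch", "enable", "configure",
    "engineering", "exit", "quit", "show", "write", "debug", "no debug",
    "synconfig", "no synconfig", "clear synconfig", "webui ip", "webui port",
    "webwall", "accessgroup", "accesslist", "no accessgroup", "no accesslist",
    "clear webui ip", "clear webui port", "ip", "no ip", "clear ip",
    "cluster virtual priority", "no cluster virtual priority", "ping",
    "traceroute", "nslookup", "vlan", "bond", "hostname", "no hostname",
    "passwd enable", "ssh ip", "no ssh ip", "admin reset configmode",
    "system fallback", "no system fallback", "system component",
    "system reboot", "system shutdown", "system console", "system dump",
    "system flexlicense", "system license", "no system license",
    "system interactive", "system serialnumber", "system test",
    "system update", "clear config", "art export", "support", "help",
    "who", "whoami",
)


def _first_match(entries, words):
    """Return the first entry whose words are a prefix of `words`, else None."""
    for entry in entries:
        pattern = entry.split()
        if words[: len(pattern)] == pattern:
            return entry
    return None


def classify(command):
    """Return (synchronized, reason) for one CLI command string.

    A whitelist hit always wins; otherwise a blacklist hit stops
    synchronization; anything else is synchronized to the peers.
    """
    words = command.split()
    hit = _first_match(WHITELIST, words)
    if hit is not None:
        return True, f"whitelist '{hit} ...'"
    hit = _first_match(BLACKLIST, words)
    if hit is not None:
        return False, f"blacklist '{hit} ...'"
    return True, "no blacklist match"


def should_sync(command):
    return classify(command)[0]


def local_only(commands):
    """Commands from `commands` that every unit must receive by hand."""
    return [c for c in commands if not should_sync(c)]


if __name__ == "__main__":
    # Constructed sample session, not captured from a real unit.
    for cmd in ("write memory all", "write file backup", "ip dns 10.0.0.53",
                "ip address port1 10.0.0.1 255.255.255.0", "passwd enable",
                "ssh ip 10.0.0.1", "webui ip 10.0.0.1",
                "ha synconfig runtime off", "ha unit 2 10.0.0.2"):
        synced, why = classify(cmd)
        print(f"{'SYNC ' if synced else 'LOCAL'}  {cmd:42} ({why})")
```

The practical point is the set of commands that never leave the unit: “passwd enable”, “ssh ip”, “webui ip”, “accesslist” and “accessgroup” are all blacklisted, so runtime synchronization never replicates the enable password or the management-plane ACLs. Each unit's hardening has to be applied and audited separately, or a newly joined peer keeps its own weaker settings while the rest of the configuration matches.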

ha synconfig runtime off


This command is used to disable runtime configuration synchronization.

ha synconfig module [module]


This command is used to set the module whose configurations will be synchronized by runtime
configuration synchronization.

module This parameter specifies the module whose configurations will be synchronized by runtime configuration synchronization. Its value must be:

• art: indicates that only the ART module’s configurations will be synchronized.

• all: indicates that all modules’ configurations except those in the blacklist will be synchronized.

The default value is all.

ha arp interval <interval>


This command is used to set the interval at which the local unit sends ARP broadcast packets.

interval This parameter specifies the interval of sending ARP broadcast packets, in seconds. Its value must be set to 0 or an integer ranging from 30 to 65,535. 0 indicates that the ARP broadcast packets will be sent only when the group status on the local HA unit is switched to “Active”.

The default value is 30.

ha rejoin on <time>
This command is used to enable the function of forcing HA units to rejoin the HA domain at
specified interval. This function works for the Active-Standby mode only and should be
configured on both active and standby units. After this function is enabled, the HA function will
be disabled and then enabled on the peer unit at the specified interval. By default, this function is
disabled.

time This parameter specifies the interval at which HA units will be forced to rejoin the HA domain. Its value must be a string of 1 to 512 characters in the Crontab format, which consists of five time information items: “minute”, “hour”, “day”, “month” and “day-of-week”. The time information items must be separated with a space.

“*” and “/” are supported in a time information item. If a time information item contains multiple values, the values must be separated with “,”.

Value ranges of the time information items are as follows:

Time Information Item    Value Range
minute                   0-59
hour                     0-23
day                      1-31
month                    1-12
day-of-week              0-6: “0” to “6” indicate Sunday to Saturday.

Example:

AN(config)# ha rejoin on "5 10 * * *"

After this command is executed, the HA function will be disabled and then enabled at 10:05 every
day on the peer unit.

AN(config)# ha rejoin on "5 10 * * 1,2"

After this command is executed, the HA function will be disabled and then enabled at 10:05 every
Monday and Tuesday on the peer unit.

AN(config)# ha rejoin on "*/5 * * * *"

After this command is executed, the HA function will be disabled and then enabled every five
minutes on the peer unit.
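A parser and evaluator for the five-field schedule string accepted by “ha rejoin on”, written as an added Python example using the value ranges and the three schedules documented above. It is not Array Networks code and the unit does not run it; beyond the handbook it assumes that a “/” step is only accepted after “*” and that a bare number is a single value, and it rejects everything else.

```python
# Added example, not part of the AG CLI: parses and evaluates the five-field
# Crontab-style schedule accepted by "ha rejoin on", using the value ranges
# documented in the handbook.  Assumptions: a step ("/n") is only accepted
# after "*", and a numeric field with no "*" or "," is a single value.
from datetime import datetime

# (name, low, high) in field order: minute hour day month day-of-week
FIELDS = (
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day", 1, 31),
    ("month", 1, 12),
    ("day-of-week", 0, 6),   # 0 = Sunday ... 6 = Saturday
)


def _expand(item, name, low, high):
    """Expand one field such as '*', '*/5', '5' or '1,2' into a set of ints."""
    values = set()
    for part in item.split(","):
        base, _, step_text = part.partition("/")
        if base == "*":
            step = int(step_text) if step_text else 1
            if step < 1:
                raise ValueError(f"{name}: step must be >= 1")
            values.update(range(low, high + 1, step))
        elif step_text:
            raise ValueError(f"{name}: '/' is only supported after '*'")
        else:
            try:
                number = int(base)
            except ValueError:
                raise ValueError(f"{name}: '{part}' is not a number") from None
            if not low <= number <= high:
                raise ValueError(f"{name}: {number} outside {low}-{high}")
            values.add(number)
    return values


def parse_schedule(spec):
    """Return a list of five value sets, one per field, or raise ValueError."""
    if not 1 <= len(spec) <= 512:
        raise ValueError("schedule must be 1 to 512 characters")
    items = spec.split()
    if len(items) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(items)}")
    return [_expand(item, *field) for item, field in zip(items, FIELDS)]


def is_valid(spec):
    """True if the unit would accept `spec` under the documented rules."""
    try:
        parse_schedule(spec)
        return True
    except ValueError:
        return False


def fires_at(spec, year, month, day, hour, minute):
    """True if the schedule would trigger a rejoin at the given wall time."""
    minutes, hours, days, months, weekdays = parse_schedule(spec)
    when = datetime(year, month, day, hour, minute)
    dow = (when.weekday() + 1) % 7        # Python Monday=0 -> crontab Sunday=0
    return (minute in minutes and hour in hours and day in days
            and month in months and dow in weekdays)


def fires_per_day(spec, year, month, day):
    """How many disable/enable cycles the schedule causes on one calendar day."""
    return sum(fires_at(spec, year, month, day, h, m)
               for h in range(24) for m in range(60))
```

Counting the cycles is the useful part: “*/5 * * * *” disables and re-enables HA on the peer 288 times a day, and each cycle is a deliberate, if short, loss of redundancy, so a schedule shorter than a maintenance window deserves a second look before it goes in.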

ha rejoin off
This command is used to disable the function of forcing HA units to rejoin the HA domain.

show ha rejoin
This command is used to display the configuration of the function of forcing HA units to rejoin
the HA domain.

ha log on
This command is used to enable the HA logging function. By default, this function is disabled.

ha log off
This command is used to disable the HA logging function.

ha log level <log_level>


This command is used to set the level of the HA logs that the system generates.

2000-2018 Array Networks, Inc.


295
All Rights Reserved.
Chapter 8 High Availablity

log_level This parameter specifies the level of HA logs. The valid values of
“level” are emerg, alert, crit, err, warning, notice, info, and debug.
The default value is info. Once the level of HA logs is specified, the
message lower than this level will be ignored.

show ha log [line]


This command is used to display the HA log file.

line Optional. This parameter specifies how many lines of HA logs will
be displayed. Its value ranges from 1 to 4,294,967,295. The default
value is 100, indicating that the latest 100 lines of HA logs
generated by the system will be displayed.

clear ha log
This command is used to clear all the HA logs.

show ha config
This command is used to display all HA configurations.

clear ha all
This command is used to clear all the HA configurations.

show ha status
This command is used to display the status of all units in the HA domain, including the domain
status, group status, synconfig status, whitelist and blacklist of runtime synconfig, link status and
so on.

HA Groups

ha group id <group_id>
This command is used to add a floating IP group for the local unit. A maximum of 256 groups can
be added for each unit.

group_id This parameter specifies the ID of the floating IP group, which ranges from 0 to 255.

no ha group id <group_id>
This command is used to delete the specified floating IP group from the local unit.

clear ha group id
This command is used to delete all the floating IP groups from the local unit.

2000-2018 Array Networks, Inc.


296
All Rights Reserved.
Chapter 8 High Availablity

ha group fip <group_id> <fip> [interface]


This command is used to configure a floating IP address for the specified floating IP group. The
total number of floating IP addresses and floating IP ranges configured for a floating IP group
cannot exceed 16.

group_id This parameter specifies the ID of the floating IP group, which ranges from 0 to 255.

fip This parameter specifies the floating IP address, which can be an IPv4 or IPv6 address.

interface Optional. This parameter specifies the interface to which the floating IP address is bound. Its value should be a string of 1 to 32 characters.

no ha group fip <group_id> <fip>


This command is used to delete a floating IP address from the specified floating IP group.

clear ha group fip <group_id>


This command is used to delete all floating IP addresses from the specified floating IP group.

ha group fiprange <group_id> <start_fip> <end_fip> [interface]


This command is used to configure a floating IP range for the specified floating IP group, and bind it to a specific system interface. Each floating IP range contains at most 256 IP addresses. The total number of floating IP addresses and floating IP ranges configured for a floating IP group cannot exceed 16.

group_id This parameter specifies the ID of the floating IP group, which ranges from 0 to 255.

start_fip This parameter specifies the start IP address of the floating IP range, which can be an IPv4 or IPv6 address.

end_fip This parameter specifies the end IP address of the floating IP range, which can be an IPv4 or IPv6 address.

interface Optional. This parameter specifies the interface to which the floating IP range is bound. Its value should be a string of 1 to 32 characters.

Note:

• None of the IP addresses in the floating IP range, including the start IP and the end IP, can be an address assigned to a specific interface by the command “ip address”.

• The scope of the floating IP range must be greater than or equal to that of any existing IP address pool.

no ha group fiprange <group_id> <start_fip> <end_fip>


This command is used to delete a floating IP range from the specified floating IP group.

clear ha group fiprange <group_id>


This command is used to delete all floating IP ranges from the specified floating IP group.

ha group priority <unit_id> <group_id> <priority>


This command is used to configure the priority of a specified floating IP group on the specified
HA unit.

unit_id This parameter specifies the ID of the HA unit. It can be the local unit or a peer unit.

group_id This parameter specifies the ID of the floating IP group.

priority This parameter specifies the priority of the specified floating IP group on the specified unit. Its value ranges from 0 to 255. The larger the value, the higher the priority.

Note: The administrator can also modify the priority of the floating IP group on the unit by
executing this command. If the priority of a floating IP group is not specified on a unit, the
group will not take effect on the unit, and the status of the group will always be “Init”.

no ha group priority <unit_id> <group_id>


This command is used to delete an HA group priority in an HA unit.

ha group preempt on <group_id>


This command is used to enable the preempt mode for a specified floating IP group or all floating
IP groups. With the preempt mode enabled, the status of a floating IP group on the available unit
with the highest group priority will be always kept as “Active”. By default, the preempt mode is
disabled for the floating IP group.

group_id This parameter specifies the ID of the floating IP group, which ranges from 0 to 256. “256” means enabling the preempt mode for all floating IP groups.

ha group preempt off <group_id>

This command is used to disable the preempt mode for a specified floating IP group or all floating IP groups.

group_id This parameter specifies the ID of the floating IP group, which ranges from 0 to 256. “256” means disabling the preempt mode for all floating IP groups.

ha group enable <group_id>

This command is used to enable a specified floating IP group or all floating IP groups on the local unit.

group_id This parameter specifies the ID of the floating IP group, which ranges from 0 to 256. “256” means enabling all the floating IP groups on the local unit.

ha group disable <group_id>

This command is used to disable a specified floating IP group or all floating IP groups on the local unit.

group_id This parameter specifies the ID of the floating IP group, which ranges from 0 to 256. “256” means disabling all the floating IP groups on the local unit.
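The priority, preempt, enable and “Init” rules of the HA Groups commands above, put together as an added Python model of which unit ends up “Active” for a floating IP group. It is not Array Networks code and does not claim to reproduce the unit's state machine; where the handbook is silent it assumes that with preempt off the current Active unit keeps the group until it becomes unavailable, that a priority tie goes to the lower unit ID, and it uses the status names “Standby” and “Down” for the non-active cases.

```python
# Added example, not part of the AG CLI: models which unit holds a floating IP
# group as "Active", following the priority and preempt rules in the handbook.
# Assumptions (not stated by the handbook): with preempt off, the current
# Active unit keeps the group until it becomes unavailable; a priority tie is
# broken in favour of the lower unit ID; "Standby"/"Down" are assumed names.

class FloatingIpGroup:
    def __init__(self, group_id, preempt=False):
        if not 0 <= group_id <= 255:
            raise ValueError("group_id must be 0-255")
        self.group_id = group_id
        self.preempt = preempt          # "ha group preempt on/off"
        self.priority = {}              # unit_id -> 0..255 ("ha group priority")
        self.enabled = set()            # units where "ha group enable" ran
        self.up = set()                 # units currently reachable
        self.active = None

    def set_priority(self, unit_id, priority):
        if not 0 <= priority <= 255:
            raise ValueError("priority must be 0-255")
        self.priority[unit_id] = priority
        self._elect()

    def enable(self, unit_id):
        self.enabled.add(unit_id)
        self._elect()

    def disable(self, unit_id):
        self.enabled.discard(unit_id)
        self._elect()

    def unit_up(self, unit_id):
        self.up.add(unit_id)
        self._elect()

    def unit_down(self, unit_id):
        self.up.discard(unit_id)
        self._elect()

    def _candidates(self):
        # A unit can only take the group if it has a priority, is enabled and up.
        return [u for u in self.priority if u in self.enabled and u in self.up]

    def _elect(self):
        candidates = self._candidates()
        if not candidates:
            self.active = None
            return
        if self.active in candidates and not self.preempt:
            return                      # sticky: no failback without preempt
        self.active = max(candidates, key=lambda u: (self.priority[u], -u))

    def status(self, unit_id):
        if unit_id not in self.priority:
            return "Init"               # no priority configured on this unit
        if unit_id == self.active:
            return "Active"
        return "Standby" if unit_id in self._candidates() else "Down"


def failover_demo(preempt):
    """Unit 1 (priority 200) fails and returns; report who is Active each step."""
    g = FloatingIpGroup(1, preempt=preempt)
    g.set_priority(1, 200)
    g.set_priority(2, 100)
    for u in (1, 2):
        g.enable(u)
        g.unit_up(u)
    trace = [g.active]
    g.unit_down(1)
    trace.append(g.active)
    g.unit_up(1)
    trace.append(g.active)
    return trace
```

The two traces show the operational difference: with preempt off the group fails over to unit 2 and stays there when unit 1 returns, so a flapping unit does not drag the floating IP back and forth; with preempt on it returns to unit 1 immediately.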

Health Check

ha hc peerunit [interval] [down_check_times]


This command is used to set the interval of sending heartbeat packets of the local unit to the peer
units through the primary link and secondary link(s). If no heartbeat response has been received
from the peer unit on any of the links for consecutive times (specified by “down_check_times”),
the status of the peer unit will be marked as “Down”. Otherwise, the status of the peer unit will be
marked as “Up”.

interval Optional. This parameter specifies the interval of sending the heartbeat packets, in milliseconds (ms). The value of this parameter ranges from 1000 to 10,000. The default value is 1000.

down_check_times Optional. This parameter specifies the number of consecutive times (that have not received a heartbeat response from the peer unit) for marking a peer unit as “Down”. Its value ranges from 3 to 1000. The default value is 3.

2000-2018 Array Networks, Inc.


299
All Rights Reserved.
Chapter 8 High Availablity

ha hc gateway <unit_id> <ip> <condition_name> [interval] [up_check_times]


[down_check_times]
This command is used to configure a gateway health check condition for a specified HA unit.

unit_id This parameter specifies the ID of an HA unit, which can be the


local unit or a peer unit.

ip This parameter specifies the gateway IP address of the specified HA


unit. It can be an IPv4 or IPv6 address.

condition_name This parameter specifies the condition name for this gateway health
check. The value of this parameter ranges from GATEWAY_1 to
GATEWAY_32.

interval Optional. This parameter specifies the interval, in ms, at which the
health check is performed. The value of this parameter ranges from
1000 to 10,000. The default value is 1000.

up_check_times Optional. This parameter specifies the number of consecutive times


(that the health check result is “Up”) for marking the gateway is
“Up”. The value of this parameter ranges from 3 to 10. The default
value is 3.

down_check_times Optional. This parameter specifies the number of consecutive times


(that the health check result is “Down”) for marking the gateway is
“Down”. The value of this parameter ranges from 3 to 10. The
default value is 3.

no ha hc gateway <unit_id> <ip>


This command is used to delete a gateway health check condition configured for a specified HA
unit.

clear ha hc gateway
This command is used to delete all configured gateway health check conditions.
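The consecutive-count semantics shared by “ha hc peerunit” and “ha hc gateway”, worked through as an added Python example that is not Array Networks code. It keeps the documented ranges and defaults; what the handbook does not say and the example assumes is that a gateway condition starts in an “Init” state and leaves it only after up_check_times consecutive successes or down_check_times consecutive failures, with any contrary result resetting the run. The heartbeat samples in the test are constructed.

```python
# Added example, not part of the AG CLI: the consecutive-result counting used
# by "ha hc peerunit" and "ha hc gateway".  Assumption: a gateway condition
# starts as "Init" and only leaves it after up_check_times consecutive
# successes or down_check_times consecutive failures; a contrary result
# resets the run.

class ConsecutiveCheck:
    """Hysteresis for one health check condition (ha hc gateway style)."""

    def __init__(self, up_check_times=3, down_check_times=3):
        if not (3 <= up_check_times <= 10 and 3 <= down_check_times <= 10):
            raise ValueError("check times must be 3-10")
        self.up_times = up_check_times
        self.down_times = down_check_times
        self.status = "Init"
        self._run_ok = 0
        self._run_bad = 0

    def observe(self, ok):
        """Feed one probe result; return the status after this probe."""
        if ok:
            self._run_ok += 1
            self._run_bad = 0
            if self._run_ok >= self.up_times:
                self.status = "Up"
        else:
            self._run_bad += 1
            self._run_ok = 0
            if self._run_bad >= self.down_times:
                self.status = "Down"
        return self.status

    def trace(self, results):
        """Status after each result in `results`, in order."""
        return [self.observe(r) for r in results]


class PeerUnitCheck:
    """'ha hc peerunit': the peer is Down only after down_check_times
    consecutive intervals with no heartbeat response on ANY link; a single
    response on any link marks it Up again."""

    def __init__(self, interval_ms=1000, down_check_times=3):
        if not 1000 <= interval_ms <= 10000:
            raise ValueError("interval must be 1000-10000 ms")
        if not 3 <= down_check_times <= 1000:
            raise ValueError("down_check_times must be 3-1000")
        self.interval_ms = interval_ms
        self.down_times = down_check_times
        self.status = "Up"
        self._silent = 0

    def observe(self, responses):
        """`responses` maps link name -> True if that link answered this round."""
        if any(responses.values()):
            self._silent = 0
            self.status = "Up"
        else:
            self._silent += 1
            if self._silent >= self.down_times:
                self.status = "Down"
        return self.status

    def detection_time_ms(self):
        """Worst-case time to declare a peer Down after it stops answering."""
        return self.interval_ms * self.down_times
```

Two things fall out of running it. A secondary link that still answers keeps the peer “Up” while the primary segment is dead, which is why the handbook insists the secondary link must not share the primary link's network segment. And the detection bound is simply interval times down_check_times: the defaults declare a dead peer in about 3 s, while the maximum settings (10,000 ms and 1000 checks) would leave a failed peer marked “Up” for nearly three hours.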

ha hc cpu overheat <temperature> [interval] [up_check_times] [down_check_times]

This command is used to configure the CPU overheat health check condition for the local HA unit.

temperature This parameter specifies the temperature threshold for CPU overheat, in ℃. The value of this parameter ranges from 1 to 100.

interval Optional. This parameter specifies the interval, in ms, at which the health check is performed. The value of this parameter ranges from 5000 to 1,000,000. The default value is 5000.

up_check_times Optional. This parameter specifies the number of consecutive times (that the CPU temperature exceeds the threshold) for marking the condition status as “Up”. The value of this parameter ranges from 3 to 10. The default value is 3.

down_check_times Optional. This parameter specifies the number of consecutive times (that the CPU temperature does not exceed the threshold) for marking the condition status as “Down”. The value of this parameter ranges from 3 to 10. The default value is 3.

no ha hc cpu overheat
This command is used to delete the CPU overheat health check condition configured for the local
HA unit.

ha hc cpu utilization <fatal_percent> [interval] [up_check_times] [down_check_times]

This command is used to add the CPU utilization health check condition for the local HA unit.

fatal_percent This parameter specifies the threshold for the CPU utilization, in %. The value of this parameter ranges from 1 to 100.

interval Optional. This parameter specifies the interval, in ms, at which the health check is performed. The value of this parameter ranges from 5000 to 1,000,000. The default value is 5000.

up_check_times Optional. This parameter specifies the number of consecutive times (that the CPU utilization does not exceed the threshold) for marking the condition status as “Up”. The value of this parameter ranges from 3 to 10. The default value is 3.

down_check_times Optional. This parameter specifies the number of consecutive times (that the CPU utilization exceeds the threshold) for marking the condition status as “Down”. The value of this parameter ranges from 3 to 10. The default value is 3.

no ha hc cpu utilization
This command is used to delete the CPU utilization health check condition configured for the
local HA unit.

2000-2018 Array Networks, Inc.


301
All Rights Reserved.
Chapter 8 High Availablity

clear ha hc cpu all


This command is used to delete all the CPU health check conditions configured for the local HA
unit, including the CPU overheat health check conditions and CPU utilization health check
conditions.

ha hc memory atcpzone <zone_name> <fatal_percent> <condition_name> [up_check_times] [down_check_times]

This command is used to configure a memory utilization health check condition for a specified ATCP zone on the local HA unit.

zone_name This parameter specifies the name of an ATCP zone. The entered ATCP zone name is case-sensitive and must be enclosed in double quotes. It only supports the following predefined names:

• SSL record
• SSL poll items
• SSL HW
• SSL connection
• Proxy client
• Proxy cookie
• Proxy connection
• Proxy
• uProxy event
• TCP hash node
• TCP small pcb
• TCP pcb

fatal_percent This parameter specifies the threshold for the memory utilization of the specified ATCP zone, in %. The value of this parameter ranges from 1 to 100.

condition_name This parameter specifies the name of the health check condition. The value of this parameter ranges from ATCPZONE_1 to ATCPZONE_64.

up_check_times Optional. This parameter specifies the number of consecutive times (that the memory utilization of the specified ATCP zone does not exceed the threshold) for marking the condition status as “Up”. The value of this parameter ranges from 3 to 10. The default value is 3.

down_check_times Optional. This parameter specifies the number of consecutive times (that the memory utilization of the specified ATCP zone exceeds the threshold) for marking the condition status as “Down”. The value of this parameter ranges from 3 to 10. The default value is 3.

no ha hc memory atcpzone <zone_name> <condition_name>


This command is used to delete a memory utilization health check condition configured for a
specified ATCP zone on the local HA unit.

clear ha hc memory atcpzone


This command is used to delete all the memory utilization health check conditions configured for
ATCP zones on the local HA unit.

ha hc memory mbuf <fatal_percent> [up_check_times] [down_check_times]

This command is used to configure an Mbuf utilization health check condition for the local HA unit.

fatal_percent This parameter specifies the threshold for the Mbuf utilization, in %. The value of this parameter ranges from 1 to 100.

up_check_times Optional. This parameter specifies the number of consecutive times (that the Mbuf utilization does not exceed the threshold) for marking the condition status as “Up”. The value of this parameter ranges from 3 to 10. The default value is 3.

down_check_times Optional. This parameter specifies the number of consecutive times (that the Mbuf utilization exceeds the threshold) for marking the condition status as “Down”. The value of this parameter ranges from 3 to 10. The default value is 3.

no ha hc memory mbuf
This command is used to delete the Mbuf utilization health check condition configured for the
local HA unit.

ha hc memory mpool <mpool_name> <fatal_percent> <condition_name> [up_check_times] [down_check_times]

This command is used to configure a memory utilization health check condition for a specified memory pool (mpool) on the local HA unit.

mpool_name This parameter specifies the name of an mpool. The entered mpool name is case-sensitive and must be enclosed in double quotes. It only supports the following predefined names:

• userland events
• incomplete conns
• Cache Transactions
• IPC Transactions
• vpn_session
• vpn_tunnel
• vpn_conn
• proxy_t
• proxy_conn_data
• frame
• comp_scg
• ssl_crypto_data_t

fatal_percent This parameter specifies the threshold for the memory utilization of the specified mpool, in %. The value of this parameter ranges from 1 to 100.

condition_name This parameter specifies the name of the health check condition. The value of this parameter ranges from MPOOL_1 to MPOOL_16.

up_check_times Optional. This parameter specifies the number of consecutive times (that the memory utilization of the specified mpool does not exceed the threshold) for marking the condition status as “Up”. The value of this parameter ranges from 3 to 10. The default value is 3.

down_check_times Optional. This parameter specifies the number of consecutive times (that the memory utilization of the specified mpool exceeds the threshold) for marking the condition status as “Down”. The value of this parameter ranges from 3 to 10. The default value is 3.

no ha hc memory mpool <mpool_name> <condition_name>


This command is used to delete a memory utilization health check condition configured for a
specified mpool on the local HA unit.

clear ha hc memory mpool

This command is used to delete the memory utilization health check conditions configured for all the mpools on the local HA unit.

ha hc memory system [free_space_threshold] [used_swap_threshold] [up_check_times] [down_check_times]

This command is used to configure a system memory health check condition for the local HA unit. The local unit checks both whether the free system space is smaller than the free space threshold and whether the used swap space exceeds the used swap threshold. During a health check, if the free system space is smaller than the free space threshold and the used swap space exceeds the used swap threshold, the health check result is “Down”.

free_space_threshold Optional. This parameter specifies the threshold for the system free space, in MB. The value of this parameter ranges from 0 to 8192. The default value is 50. 0 indicates that the system will not check whether the free system space is smaller than the free space threshold.

used_swap_threshold Optional. This parameter specifies the threshold for the used swap space, in MB. The value of this parameter ranges from 0 to 8192. The default value is 0, indicating that the system will not check whether the used swap space exceeds the threshold.

up_check_times Optional. This parameter specifies the number of consecutive times (that the health check result is “Up”) for marking the condition status as “Up”. The value of this parameter ranges from 3 to 10. The default value is 3.

down_check_times Optional. This parameter specifies the number of consecutive times (that the health check result is “Down”) for marking the condition status as “Down”. The value of this parameter ranges from 3 to 10. The default value is 3.

no ha hc memory system
This command is used to delete the system memory health check condition configured for the
local HA unit.

ha hc memory interval [interval]

This command is used to configure the interval at which all types of memory health checks are
performed on the local HA unit. The interval takes effect for the following types of memory
health checks:

• Health check on the memory utilization of ATCP zones

• Mbuf utilization health check
2000-2018 Array Networks, Inc.


305
All Rights Reserved.
Chapter 8 High Availablity

 Health check on the memory utilization of mpools

 System memory health check

interval Optional. This parameter specifies the interval, in ms, at which the
memory health check is performed. The value of this parameter
ranges from 5000 to 1,000,000. The default value is 5000.

clear ha hc memory all


This command is used to delete all types of memory health checks configured for the local HA
unit.

ha hc process <process_name> <condition_name>

This command is used to configure a health check condition for a specified process running on the
local HA unit. The local unit checks whether this process is running. When the specified process
is running, the condition status is marked as “Up”; when the specified process is not running, the
condition status is marked as “Down”.

process_name This parameter specifies the name of a process. The entered process name is
case-sensitive and supports only the following predefined names:

• lcd (LCD management daemon)

• certificate (Certificate management daemon)

• ipmanage (Cluster and HA IP management daemon)

• aaa (AAA daemon)

• session (Session management daemon)

• rewrite (Quicklink and Web Resource Mapping daemon)

• snmpinfo (SNMP information daemon)

• webui (WebUI management daemon)

• l2tp (L2TP management daemon)

• proxy (Proxy monitor daemon)

• ddserver (DesktopDirect server)

• vdi (DesktopDirect VDI agent)

• radius (RADIUS management daemon)

condition_name This parameter specifies the name of the process health check condition. The
value of this parameter ranges from PROCESS_1 to PROCESS_32.

no ha hc process <process_name> <condition_name>


This command is used to delete a health check condition configured for a specified process
running on the local HA unit.

clear ha hc process
This command is used to delete all the health check conditions configured for the processes
running on the local HA unit.

ha hc sslcard [interval] [up_check_times] [down_check_times]

This command is used to configure the SSL card health check condition for the local HA unit.

interval Optional. This parameter specifies the interval, in ms, at which the health check is
performed. The value of this parameter ranges from 300,000 to 3,600,000. The default value is
300,000.

up_check_times Optional. This parameter specifies the number of consecutive times (that the SSL
card works normally) for marking the condition status as “Up”. The value of this parameter ranges
from 3 to 10. The default value is 3.

down_check_times Optional. This parameter specifies the number of consecutive times (that the SSL
card works abnormally) for marking the condition status as “Down”. The value of this parameter
ranges from 3 to 10. The default value is 3.


no ha hc sslcard

2000-2018 Array Networks, Inc.


307
All Rights Reserved.
Chapter 8 High Availablity

This command is used to delete the SSL card health check condition configured for the local HA
unit.

ha hc vcondition name <vcondition_name> <condition_name> <logic>

This command is used to define a virtual condition (vcondition). A vcondition is a combination of
real health check conditions, and the logic among them can be “AND” or “OR”.

vcondition_name This parameter specifies the name of the vcondition. The maximum length of the
vcondition name is 128 characters.

condition_name This parameter specifies the predefined condition name that is associated with
the vcondition. The value of this parameter ranges from V_1 to V_32.

logic This parameter specifies the logical relationship among multiple sub-conditions of the
vcondition, which can be either “AND” or “OR”. When “AND” is specified, the vcondition is met only
if all the sub-conditions are met. When “OR” is specified, the vcondition is met if any
sub-condition is met.

no ha hc vcondition name <vcondition_name>

This command is used to delete the specified vcondition from the local unit.

Note:

If the command “no ha hc vcondition name” is executed to delete a specified vcondition, the
configurations related to this vcondition will also be deleted, including sub-conditions and
related failover rules.

ha hc vcondition member <vcondition_name> <condition_name>

This command is used to add a real condition or an existing vcondition to a vcondition as a
sub-condition. A vcondition can comprise a maximum of 16 sub-conditions.

vcondition_name This parameter specifies the name of a vcondition.

condition_name This parameter specifies the name of a sub-condition, which can be a real health
check condition or a vcondition. Its value should be a string of 1 to 128 characters.

no ha hc vcondition member <vcondition_name> <condition_name>

This command is used to delete a sub-condition from a specified vcondition.

clear ha hc vcondition member <vcondition_name>

2000-2018 Array Networks, Inc.


308
All Rights Reserved.
Chapter 8 High Availablity

This command is used to delete all sub-conditions from a specified vcondition.

clear ha hc vcondition all


This command is used to delete all vconditions from the local unit.

show ha condition [unit_id] [all]

This command is used to display the condition status of a unit or of all units.

unit_id Optional. This parameter specifies the ID of a unit. Its value ranges from 0 to 32. The
default value is 0, indicating all units. 1 to 32 indicates a specific HA unit.

all Optional. This parameter is available only when the “unit_id” parameter is specified. If it
is specified, the status of all configured conditions (including Port, Gateway, CPU Utilization,
CPU Temperature, Memory, Process, SSL Card, and Virtual Condition) and of the Peer Unit will be
displayed. If it is not specified, only the status of all configured conditions will be displayed.

Decision

ha decision rule <condition_name> <action_name> [group_id]

This command is used to configure a failover rule for a specified floating IP group. The failover
rule indicates the failover operation to be performed when the result of a specified health check
is “Down”. A health check condition can be used for configuring a maximum of eight failover rules.

condition_name This parameter specifies the name of the health check condition. The value of
this parameter can be the name of a real health check condition or a vcondition. The system
supports the following values:

• PORT_1~PORT_32: port health check conditions

• GATEWAY_1~GATEWAY_32: gateway health check conditions

• CPU_UTIL: CPU utilization health check condition

• CPU_TEMP: CPU overheat health check condition

• ATCPZONE_1~ATCPZONE_64: memory health check conditions of ATCP zones

• MBUF: Mbuf utilization health check condition

• MPOOL_1~MPOOL_16: Mpool utilization health check conditions

• SYS_MEM: system memory health check condition

• PROCESS_1~PROCESS_32: process health check conditions

• SSLCARD: SSL card health check condition

• User-defined vcondition names

action_name This parameter specifies the failover operation to be performed when the result of
the specified health check is “Down”. The value of this parameter can only be “Unit_Failover”,
“Group_Failover” or “Reboot”.

group_id Optional. This parameter specifies the ID of the floating IP group for which the
failover rule takes effect. This parameter is available only when the parameter “action_name” is
set to “Group_Failover”. Its value ranges from 0 to 256. 0 to 255 indicates a specified floating
IP group; 256 indicates all floating IP groups.

Note:

• To ensure that every unit can obtain the running status of the other peer units, the failover
rules configured on all the units must be the same.

• The system provides predefined failover rules. You can view these predefined rules by running
the command “show ha decision”. The “condition_name” of these predefined rules is
PORT_1~PORT_32, and the corresponding “action_name” is always “Group_Failover”. You can execute
this command to modify the “action_name” of these predefined rules.
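The following Python models the mechanics described in this section: the up_check_times/down_check_times hysteresis of a health check condition, the AND/OR combination of a vcondition, and the constraints the “ha decision rule” command places on failover rules. It is an added example written for this page, not Array Networks code, and it runs offline on constructed check results. The class and function names (Condition, VCondition, DecisionRule, add_rule, pending_actions, demo), the assumption that a new condition starts as “Up”, the reading that a sub-condition is “met” when its status is “Down”, and the sample names in demo() are choices of the example, not statements of the handbook.

```python
"""Model of the HA health-check conditions, vconditions and failover rules described above."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

ACTIONS = ("Unit_Failover", "Group_Failover", "Reboot")
MAX_RULES_PER_CONDITION = 8      # one condition can drive at most eight failover rules
MAX_VCONDITION_MEMBERS = 16      # a vcondition comprises at most 16 sub-conditions


class Condition:
    """A real health check condition with up_check_times/down_check_times hysteresis."""

    def __init__(self, name: str, up_check_times: int = 3, down_check_times: int = 3):
        if not (3 <= up_check_times <= 10 and 3 <= down_check_times <= 10):
            raise ValueError("up_check_times and down_check_times must be within 3..10")
        self.name, self.up_check_times, self.down_check_times = name, up_check_times, down_check_times
        self.status = "Up"                      # assumption: a new condition starts as "Up"
        self._last: Optional[str] = None        # result of the previous check
        self._streak = 0                        # consecutive checks with that result

    def record(self, result: str) -> str:
        """Feed one raw check result ("Up"/"Down"); the status only flips after enough
        consecutive identical results, so a single bad sample never triggers failover."""
        if result not in ("Up", "Down"):
            raise ValueError(result)
        self._streak = self._streak + 1 if result == self._last else 1
        self._last = result
        if result == "Down" and self._streak >= self.down_check_times:
            self.status = "Down"
        elif result == "Up" and self._streak >= self.up_check_times:
            self.status = "Up"
        return self.status


class VCondition:
    """A vcondition: sub-conditions (real conditions or other vconditions) joined by AND or OR."""

    def __init__(self, name: str, logic: str):
        if logic not in ("AND", "OR") or not 1 <= len(name) <= 128:
            raise ValueError("logic must be AND or OR; name must be 1..128 characters")
        self.name, self.logic = name, logic
        self.members: List[Union[Condition, "VCondition"]] = []

    def add_member(self, member: Union[Condition, "VCondition"]) -> None:
        if len(self.members) >= MAX_VCONDITION_MEMBERS or member is self:
            raise ValueError("too many sub-conditions, or vcondition would contain itself")
        self.members.append(member)

    @property
    def status(self) -> str:
        # Assumption: a sub-condition is "met" when its status is "Down". With AND the
        # vcondition is Down only if every member is Down; with OR if any member is Down.
        met = [m.status == "Down" for m in self.members]
        if not met:
            return "Up"                          # assumption: an empty vcondition never fires
        return "Down" if (all(met) if self.logic == "AND" else any(met)) else "Up"


@dataclass(frozen=True)
class DecisionRule:
    condition_name: str
    action_name: str                 # Unit_Failover, Group_Failover or Reboot
    group_id: Optional[int] = None   # Group_Failover only: 0..255 one group, 256 all groups


def add_rule(rules: List[DecisionRule], rule: DecisionRule) -> None:
    """Apply the constraints of 'ha decision rule' before storing a failover rule."""
    if rule.action_name not in ACTIONS:
        raise ValueError("action_name must be one of " + ", ".join(ACTIONS))
    if rule.action_name == "Group_Failover":
        if rule.group_id is None or not 0 <= rule.group_id <= 256:
            raise ValueError("Group_Failover needs a group_id in 0..256")
    elif rule.group_id is not None:
        raise ValueError("group_id is only available with Group_Failover")
    if sum(r.condition_name == rule.condition_name for r in rules) >= MAX_RULES_PER_CONDITION:
        raise ValueError("a condition can drive at most eight failover rules")
    rules.append(rule)


def pending_actions(rules: List[DecisionRule],
                    conditions: Dict[str, Union[Condition, VCondition]]) -> List[Tuple[str, str, Optional[int]]]:
    """Return (condition, action, group) for every rule whose condition is currently Down."""
    return [(r.condition_name, r.action_name, r.group_id)
            for r in rules if conditions[r.condition_name].status == "Down"]


def demo() -> Tuple[List[str], List[Tuple[str, str, Optional[int]]]]:
    """Constructed scenario: SYS_MEM flaps once, then fails three checks in a row."""
    sys_mem, sslcard, gw = Condition("SYS_MEM"), Condition("SSLCARD"), Condition("GATEWAY_1")
    crypto_or_mem = VCondition("crypto_or_mem", "OR")     # Down if SSLCARD or SYS_MEM is Down
    crypto_or_mem.add_member(sslcard)
    crypto_or_mem.add_member(sys_mem)
    conditions = {c.name: c for c in (sys_mem, sslcard, gw, crypto_or_mem)}
    rules: List[DecisionRule] = []
    add_rule(rules, DecisionRule("GATEWAY_1", "Group_Failover", 1))
    add_rule(rules, DecisionRule("crypto_or_mem", "Unit_Failover"))
    trace = [sys_mem.record(r) for r in ("Down", "Down", "Up", "Down", "Down", "Down")]
    return trace, pending_actions(rules, conditions)
```

The trace returned by demo() shows why down_check_times matters: two “Down” samples followed by an “Up” never flip SYS_MEM, and only the third consecutive “Down” marks it “Down”, which in turn makes the vcondition “Down” and leaves the Unit_Failover rule pending while the GATEWAY_1 rule stays idle.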

no ha decision rule <condition_name> <action_name> [group_id]

This command is used to delete a failover rule of a specified floating IP group.

Note: If the parameter “condition_name” is set to a value from “PORT_1” to “PORT_32”, the rule is
one of the predefined rules and the system will reset its “action_name” to “Group_Failover”.

show ha decision

This command is used to display the failover rules of all floating IP groups on the local unit,
including both the predefined and customized rules.

AN(config)#show ha decision
ID Condition_Name Action_Name Group_ID
0 PORT_1 Group_Failover -
1 PORT_2 Group_Failover -
2 PORT_3 Group_Failover -

2000-2018 Array Networks, Inc.


310
All Rights Reserved.
Chapter 8 High Availablity

3 PORT_4 Group_Failover -
4 PORT_5 Group_Failover -
5 PORT_6 Group_Failover -
6 PORT_7 Group_Failover -
7 PORT_8 Group_Failover -
8 PORT_9 Group_Failover -
9 PORT_10 Group_Failover -
10 PORT_11 Group_Failover -
11 PORT_12 Group_Failover -
12 PORT_13 Group_Failover -
13 PORT_14 Group_Failover -
14 PORT_15 Group_Failover -
15 PORT_16 Group_Failover -
16 PORT_17 Group_Failover -
17 PORT_18 Group_Failover -
18 PORT_19 Group_Failover -
19 PORT_20 Group_Failover -
20 PORT_21 Group_Failover -
21 PORT_22 Group_Failover -
22 PORT_23 Group_Failover -
23 PORT_24 Group_Failover -
24 PORT_25 Group_Failover -
25 PORT_26 Group_Failover -
26 PORT_27 Group_Failover -
27 PORT_28 Group_Failover -
28 PORT_29 Group_Failover -
29 PORT_30 Group_Failover -
30 PORT_31 Group_Failover -
31 PORT_32 Group_Failover -
32 SYS_MEM Unit_Failover -
33 CPU_UTIL Group_Failover 1
34 CPU_TEMP Reboot -

clear ha decision rule


This command is used to delete the failover rules of all floating IP groups.

2000-2018 Array Networks, Inc.


311
All Rights Reserved.
Chapter 9 WebWall

Chapter 9 WebWall
This chapter covers the CLI commands used for configuring the WebWall function.

The system provides the WebWall function to filter the packets that need to pass through the AG
appliance. With the WebWall function enabled on a specified interface, when the packets reach
this interface of the AG appliance, the system will employ the Access Control List (ACL) permit
and deny rules associated with this interface to permit or deny the packets.

Access List
The system supports a maximum of 1024 ACL permit and deny rules. Every ACL permit or deny
rule has a unique ID. The ACL permit or deny rule will take effect only when it is associated with
a system interface, bond interface or VLAN interface using the “accessgroup” command.

accesslist permit icmp echorequest <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

This command is used to configure an ACL permit rule to allow the specified ICMP echo request
packet to pass through the system.

source_ip This parameter specifies the IP address of the source subnet to which the ICMP echo
request packet belongs. Its value must be an IPv4 or IPv6 address.

source_netmask|source_prefix This parameter specifies the netmask or prefix length of the source
IP address.

• “source_netmask” indicates the netmask of the IPv4 address. Its value must be a dotted IP
address or an integer ranging from 0 to 32.

• “source_prefix” indicates the prefix length of the IPv6 address. Its value must be an integer
ranging from 0 to 128.

destination_ip This parameter specifies the IP address of the destination subnet. Its value must
be an IPv4 or IPv6 address.

destination_netmask|destination_prefix This parameter specifies the netmask or prefix length of
the destination IP address.

• “destination_netmask” indicates the netmask of the IPv4 address. Its value must be a dotted IP
address or an integer ranging from 0 to 32.

• “destination_prefix” indicates the prefix length of the IPv6 address. Its value must be an
integer ranging from 0 to 128.

accesslist_id This parameter specifies the ID of the ACL permit rule. Its value must be an
integer ranging from 1 to 999.

accesslist permit icmp echoreply <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

This command is used to configure an ACL permit rule to allow the specified ICMP echo reply
packet to pass through the system.

source_ip This parameter specifies the IP address of the source subnet to which the ICMP echo
reply packet belongs. Its value must be an IPv4 or IPv6 address.

source_netmask|source_prefix This parameter specifies the netmask or prefix length of the source
IP address. For details, please refer to the “source_netmask|source_prefix” parameter in the
“accesslist permit icmp echorequest” command.

destination_ip This parameter specifies the IP address of the destination subnet. Its value must
be an IPv4 or IPv6 address.

destination_netmask|destination_prefix This parameter specifies the netmask or prefix length of
the destination IP address. For details, please refer to the
“destination_netmask|destination_prefix” parameter in the “accesslist permit icmp echorequest”
command.

accesslist_id This parameter specifies the ID of the ACL permit rule. Its value must be an
integer ranging from 1 to 999.

accesslist permit tcp <source_ip> {source_netmask|source_prefix} <source_port> <destination_ip> {destination_netmask|destination_prefix} <destination_port> <accesslist_id>

This command is used to configure an ACL permit rule to allow the specified TCP packet to pass
through the system.

source_ip This parameter specifies the IP address of the source subnet to which the TCP packet
belongs. Its value must be an IPv4 or IPv6 address.

source_netmask|source_prefix This parameter specifies the netmask or prefix length of the source
IP address. For details, please refer to the “source_netmask|source_prefix” parameter in the
“accesslist permit icmp echorequest” command.

source_port This parameter specifies the source port number. Its value must be an integer
ranging from 0 to 65535. “0” indicates all ports.

destination_ip This parameter specifies the IP address of the destination subnet. Its value must
be an IPv4 or IPv6 address.

destination_netmask|destination_prefix This parameter specifies the netmask or prefix length of
the destination IP address. For details, please refer to the
“destination_netmask|destination_prefix” parameter in the “accesslist permit icmp echorequest”
command.

destination_port This parameter specifies the destination port number. Its value must be an
integer ranging from 0 to 65535. “0” indicates all ports.

accesslist_id This parameter specifies the ID of the ACL permit rule. Its value must be an
integer ranging from 1 to 999.

accesslist permit udp <source_ip> {source_netmask|source_prefix} <source_port> <destination_ip> {destination_netmask|destination_prefix} <destination_port> <accesslist_id>

This command is used to configure an ACL permit rule to allow the specified UDP packet to pass
through the system.

source_ip This parameter specifies the IP address of the source subnet to which the UDP packet
belongs. Its value must be an IPv4 or IPv6 address.

source_netmask|source_prefix This parameter specifies the netmask or prefix length of the source
IP address. For details, please refer to the “source_netmask|source_prefix” parameter in the
“accesslist permit icmp echorequest” command.

source_port This parameter specifies the source port number. Its value must be an integer
ranging from 0 to 65535. “0” indicates all ports.

destination_ip This parameter specifies the IP address of the destination subnet. Its value must
be an IPv4 or IPv6 address.

destination_netmask|destination_prefix This parameter specifies the netmask or prefix length of
the destination IP address. For details, please refer to the
“destination_netmask|destination_prefix” parameter in the “accesslist permit icmp echorequest”
command.

destination_port This parameter specifies the destination port number. Its value must be an
integer ranging from 0 to 65535. “0” indicates all ports.

accesslist_id This parameter specifies the ID of the ACL permit rule. Its value must be an
integer ranging from 1 to 999.

accesslist permit esp <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

This command is used to configure an ACL permit rule to allow the specified ESP-encrypted
packet to pass through the system. (ESP is the short form for Encapsulating Security Payload.)

source_ip This parameter specifies the IP address of the source subnet to which the
ESP-encrypted packet belongs. Its value must be an IPv4 or IPv6 address.

source_netmask|source_prefix This parameter specifies the netmask or prefix length of the source
IP address. For details, please refer to the “source_netmask|source_prefix” parameter in the
“accesslist permit icmp echorequest” command.

destination_ip This parameter specifies the IP address of the destination subnet. Its value must
be an IPv4 or IPv6 address.

destination_netmask|destination_prefix This parameter specifies the netmask or prefix length of
the destination IP address. For details, please refer to the
“destination_netmask|destination_prefix” parameter in the “accesslist permit icmp echorequest”
command.

accesslist_id This parameter specifies the ID of the ACL permit rule. Its value must be an
integer ranging from 1 to 999.

accesslist permit ah <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

This command is used to configure an ACL permit rule to allow the specified AH-encapsulated
packet to pass through the system. (AH is the short form for Authentication Header.)

source_ip This parameter specifies the IP address of the source subnet to which the
AH-encapsulated packet belongs. Its value must be an IPv4 or IPv6 address.

source_netmask|source_prefix This parameter specifies the netmask or prefix length of the source
IP address. For details, please refer to the “source_netmask|source_prefix” parameter in the
“accesslist permit icmp echorequest” command.

destination_ip This parameter specifies the IP address of the destination subnet. Its value must
be an IPv4 or IPv6 address.

destination_netmask|destination_prefix This parameter specifies the netmask or prefix length of
the destination IP address. For details, please refer to the
“destination_netmask|destination_prefix” parameter in the “accesslist permit icmp echorequest”
command.

accesslist_id This parameter specifies the ID of the ACL permit rule. Its value must be an
integer ranging from 1 to 999.

accesslist deny icmp echorequest <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

This command is used to configure an ACL deny rule to disallow the specified ICMP echo request
packet to pass through the system.

source_ip This parameter specifies the IP address of the source subnet to which the ICMP echo
request packet belongs. Its value must be an IPv4 or IPv6 address.

source_netmask|source_prefix This parameter specifies the netmask or prefix length of the source
IP address. For details, please refer to the “source_netmask|source_prefix” parameter in the
“accesslist permit icmp echorequest” command.

destination_ip This parameter specifies the IP address of the destination subnet. Its value must
be an IPv4 or IPv6 address.

destination_netmask|destination_prefix This parameter specifies the netmask or prefix length of
the destination IP address. For details, please refer to the
“destination_netmask|destination_prefix” parameter in the “accesslist permit icmp echorequest”
command.

accesslist_id This parameter specifies the ID of the ACL deny rule. Its value must be an
integer ranging from 1 to 999.

2000-2018 Array Networks, Inc.


316
All Rights Reserved.
Chapter 9 WebWall

accesslist deny icmp echoreply <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

This command is used to configure an ACL deny rule to disallow the specified ICMP echo reply
packet to pass through the system.

source_ip This parameter specifies the IP address of the source subnet to which the ICMP echo
reply packet belongs. Its value must be an IPv4 or IPv6 address.

source_netmask|source_prefix This parameter specifies the netmask or prefix length of the source
IP address. For details, please refer to the “source_netmask|source_prefix” parameter in the
“accesslist permit icmp echorequest” command.

destination_ip This parameter specifies the IP address of the destination subnet. Its value must
be an IPv4 or IPv6 address.

destination_netmask|destination_prefix This parameter specifies the netmask or prefix length of
the destination IP address. For details, please refer to the
“destination_netmask|destination_prefix” parameter in the “accesslist permit icmp echorequest”
command.

accesslist_id This parameter specifies the ID of the ACL deny rule. Its value must be an
integer ranging from 1 to 999.

accesslist deny tcp <source_ip> {source_netmask|source_prefix} <source_port> <destination_ip> {destination_netmask|destination_prefix} <destination_port> <accesslist_id>

This command is used to configure an ACL deny rule to disallow the specified TCP packet to pass
through the system.

source_ip This parameter specifies the IP address of the source subnet to which the TCP packet
belongs. Its value must be an IPv4 or IPv6 address.

source_netmask|source_prefix This parameter specifies the netmask or prefix length of the source
IP address. For details, please refer to the “source_netmask|source_prefix” parameter in the
“accesslist permit icmp echorequest” command.

source_port This parameter specifies the source port number. Its value must be an integer
ranging from 0 to 65535. “0” indicates all ports.

destination_ip This parameter specifies the IP address of the destination subnet. Its value must
be an IPv4 or IPv6 address.

destination_netmask|destination_prefix This parameter specifies the netmask or prefix length of
the destination IP address. For details, please refer to the
“destination_netmask|destination_prefix” parameter in the “accesslist permit icmp echorequest”
command.

destination_port This parameter specifies the destination port number. Its value must be an
integer ranging from 0 to 65535. “0” indicates all ports.

accesslist_id This parameter specifies the ID of the ACL deny rule. Its value must be an
integer ranging from 1 to 999.

accesslist deny udp <source_ip> {source_netmask|source_prefix} <source_port> <destination_ip> {destination_netmask|destination_prefix} <destination_port> <accesslist_id>

This command is used to configure an ACL deny rule to disallow the specified UDP packet to pass
through the system.

source_ip This parameter specifies the IP address of the source subnet to which the UDP packet
belongs. Its value must be an IPv4 or IPv6 address.

source_netmask|source_prefix This parameter specifies the netmask or prefix length of the source
IP address. For details, please refer to the “source_netmask|source_prefix” parameter in the
“accesslist permit icmp echorequest” command.

source_port This parameter specifies the source port number. Its value must be an integer
ranging from 0 to 65535. “0” indicates all ports.

destination_ip This parameter specifies the IP address of the destination subnet. Its value must
be an IPv4 or IPv6 address.

destination_netmask|destination_prefix This parameter specifies the netmask or prefix length of
the destination IP address. For details, please refer to the
“destination_netmask|destination_prefix” parameter in the “accesslist permit icmp echorequest”
command.

destination_port This parameter specifies the destination port number. Its value must be an
integer ranging from 0 to 65535. “0” indicates all ports.

accesslist_id This parameter specifies the ID of the ACL deny rule. Its value must be an
integer ranging from 1 to 999.

accesslist deny esp <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

This command is used to configure an ACL deny rule to disallow the specified ESP-encrypted
packet to pass through the system.

source_ip This parameter specifies the IP address of the source subnet to which the
ESP-encrypted packet belongs. Its value must be an IPv4 or IPv6 address.

source_netmask|source_prefix This parameter specifies the netmask or prefix length of the source
IP address. For details, please refer to the “source_netmask|source_prefix” parameter in the
“accesslist permit icmp echorequest” command.

destination_ip This parameter specifies the IP address of the destination subnet. Its value must
be an IPv4 or IPv6 address.

destination_netmask|destination_prefix This parameter specifies the netmask or prefix length of
the destination IP address. For details, please refer to the
“destination_netmask|destination_prefix” parameter in the “accesslist permit icmp echorequest”
command.

accesslist_id This parameter specifies the ID of the ACL deny rule. Its value must be an
integer ranging from 1 to 999.

accesslist deny ah <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

This command is used to configure an ACL deny rule to disallow the specified AH-encapsulated
packet to pass through the system.

source_ip This parameter specifies the IP address of the source subnet to which the
AH-encapsulated packet belongs. Its value must be an IPv4 or IPv6 address.

source_netmask|source_prefix This parameter specifies the netmask or prefix length of the source
IP address. For details, please refer to the “source_netmask|source_prefix” parameter in the
“accesslist permit icmp echorequest” command.

destination_ip This parameter specifies the IP address of the destination subnet. Its value must
be an IPv4 or IPv6 address.

destination_netmask|destination_prefix This parameter specifies the netmask or prefix length of
the destination IP address. For details, please refer to the
“destination_netmask|destination_prefix” parameter in the “accesslist permit icmp echorequest”
command.

accesslist_id This parameter specifies the ID of the ACL deny rule. Its value must be an
integer ranging from 1 to 999.

The following commands are used to delete the configuration of the specified ACL permit or deny
rule. Their parameters are the same as those of the corresponding “accesslist permit” and
“accesslist deny” commands.

no accesslist permit icmp echorequest <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

no accesslist permit icmp echoreply <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

no accesslist permit tcp <source_ip> {source_netmask|source_prefix} <source_port> <destination_ip> {destination_netmask|destination_prefix} <destination_port> <accesslist_id>

no accesslist permit udp <source_ip> {source_netmask|source_prefix} <source_port> <destination_ip> {destination_netmask|destination_prefix} <destination_port> <accesslist_id>

no accesslist permit esp <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

no accesslist permit ah <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

no accesslist deny icmp echorequest <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

no accesslist deny icmp echoreply <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

no accesslist deny tcp <source_ip> {source_netmask|source_prefix} <source_port> <destination_ip> {destination_netmask|destination_prefix} <destination_port> <accesslist_id>

no accesslist deny udp <source_ip> {source_netmask|source_prefix} <source_port> <destination_ip> {destination_netmask|destination_prefix} <destination_port> <accesslist_id>

no accesslist deny esp <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

no accesslist deny ah <source_ip> {source_netmask|source_prefix} <destination_ip> {destination_netmask|destination_prefix} <accesslist_id>

show accesslist
This command is used to display all ACL permit and deny rules.

clear accesslist
This command is used to clear all ACL permit and deny rules.

Access Group
accessgroup <accesslist_id> <interface>

This command is used to associate an existing ACL permit or deny rule with a specified interface.

accesslist_id This parameter specifies the ID of an existing ACL permit or deny rule.

interface This parameter specifies the interface with which the ACL permit or deny rule is
associated. Its value must be the name of a system interface, bond interface, or VLAN interface.

Example:

AN(config)#accessgroup 250 port1

Note: If an ACL permit or deny rule is deleted, the associations with this ACL rule and all
interfaces will be also deleted.

no accessgroup <accesslist_id> <interface>

This command is used to disassociate an ACL permit or deny rule from the specified interface.

show accessgroup
This command is used to display all the associations between the ACL permit or deny rules and
the interfaces.

2000-2018 Array Networks, Inc.


321
All Rights Reserved.
Chapter 9 WebWall

clear accessgroup
This command is used to clear all the associations between the ACL permit or deny rules and the
interfaces.

WebWall
webwall <interface> <on|off> [mode]
This command is used to enable or disable the WebWall function on a specified interface.

When the WebWall function is enabled on an interface, the system will allow a packet to pass
through the interface only when the packet explicitly matches an ACL permit rule. When the
packet matches both an ACL permit rule and an ACL deny rule, the ACL deny rule will take
effect. When the packet matches multiple ACL permit or deny rules, it will be matched in an
ascending order of the ID of the ACL permit or deny rule. If no ACL permit or deny rule is
associated with the interface, no TCP, UDP and ICMP packet is allowed to pass through the
interface.

When the WebWall function is disabled on an interface, all packets can pass through the interface.

For security considerations, it is strongly recommended that administrators disable the WebWall
function only for diagnostic purposes. By default, the WebWall function is disabled on every
interface.

interface This parameter specifies the interface name. Its value must be the
name of a system interface, bond interface, or VLAN interface.

on|off This parameter specifies whether to enable or disable the WebWall function. Its value
must be “on” or “off”.

mode Optional. This parameter controls the WebWall behavior.

• 0: indicates the normal mode. In this mode, all the packets coming into the interface will be
filtered by the ACL rules associated with the interface using the “accessgroup” command.

• 1: indicates the ack mode. In this mode, the TCP packets with the ACK flag set will be
permitted by default.

The default value is 0.

Note: When the WebWall function is disabled, the configurations of ACL permit or deny
rules and the associated interfaces will still exist.
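As an added illustration (not Array Networks code), the Python model below evaluates a packet against the ACL rules bound to one interface the way the paragraphs above describe: WebWall off passes everything, a matching deny rule takes effect even when a permit rule also matches, a packet otherwise passes only on an explicit permit, and in ack mode a TCP packet with ACK set passes when no rule matches (this model's reading of “permitted by default”). The rule set and packets are constructed, and source-port matching is left out.

```python
"""WebWall decision model: ACL permit/deny rules bound to one interface.
Added illustration (not Array Networks code); rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclRule:
    rule_id: int                      # <accesslist_id>; evaluation runs in ascending ID order
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "icmp"
    src: str                          # <source_ip> plus mask/prefix, written as CIDR text
    dst: str                          # <destination_ip> plus mask/prefix, written as CIDR text
    dst_port: Optional[int] = None    # <destination_port>; None means any (ICMP has none)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None
    tcp_ack: bool = False             # ACK flag, relevant only to WebWall mode 1


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    """A rule matches only when protocol, both addresses and (if set) the port agree."""
    if rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def webwall_decision(pkt: Packet, rules, enabled: bool = True, mode: int = 0) -> str:
    """Return "pass" or "drop" for one packet arriving on the interface.

    - WebWall off: every packet passes.
    - Rules are walked in ascending <accesslist_id> order.
    - A matching deny rule takes effect even if a permit rule also matches.
    - Without a matching permit rule the packet is dropped (default deny), except in
      mode 1, where a TCP packet with ACK set is permitted by default (this model's
      reading: the no-match result becomes "pass" for such packets).
    """
    if not enabled:
        return "pass"
    permitted = False
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "deny":
            return "drop"             # deny wins over any permit, whatever the ID order
        permitted = True
    if permitted:
        return "pass"
    if mode == 1 and pkt.proto == "tcp" and pkt.tcp_ack:
        return "pass"
    return "drop"


# Constructed rule set, as if bound to port1 with "accessgroup <id> port1":
#   100: permit TCP from anywhere to 10.1.1.10 port 443
#   200: deny   TCP from 192.168.5.0/24 to 10.1.1.10 port 443 (overlaps rule 100)
#   300: permit ICMP from 10.0.0.0/8 to 10.1.1.10
PORT1_RULES = [
    AclRule(100, "permit", "tcp", "0.0.0.0/0", "10.1.1.10/32", 443),
    AclRule(200, "deny", "tcp", "192.168.5.0/24", "10.1.1.10/32", 443),
    AclRule(300, "permit", "icmp", "10.0.0.0/8", "10.1.1.10/32"),
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "172.16.0.5", "10.1.1.10", 443),
        Packet("tcp", "192.168.5.7", "10.1.1.10", 443),   # permit 100 and deny 200 both match
        Packet("udp", "172.16.0.5", "10.1.1.10", 53),      # no rule at all
        Packet("tcp", "172.16.0.5", "10.1.1.10", 22, tcp_ack=True),
    ]
    for p in samples:
        print(p, "mode 0:", webwall_decision(p, PORT1_RULES),
              "mode 1:", webwall_decision(p, PORT1_RULES, mode=1))
```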

show webwall
This command is used to display the current configurations of the WebWall function.

show statistics webwall [interface]
This command is used to display the current WebWall statistics for a specified interface (with the
WebWall function enabled). If the “interface” parameter is not specified, this command will
display the statistics for all interfaces (with the WebWall function enabled).

clear statistics webwall [interface]
This command is used to clear the current WebWall statistics for a specified interface (with the
WebWall function enabled). If the “interface” parameter is not specified, this command will clear
the statistics for all interfaces (with the WebWall function enabled).

2000-2018 Array Networks, Inc.


323
All Rights Reserved.
Chapter 10 Client Security

Chapter 10 Client Security

The Client Security function controls how security scans are performed on remote clients prior to
authentication for virtual portal access. End users can access internal resources only from remote
clients that meet the required security requirements.

With the Client Security function, the system will classify the remote client into a certain device
class based on a set of host integrity checks and device attributes such as IP address, Registry and
OS, and then assign the corresponding level of access privileges to the client.

This chapter covers the commands used for configuring device classes. Other configurations are
available only via the WebUI.

client security {on|off}
This command is used to enable or disable the Client Security function. By default, this function is
disabled.

client security postlogin enable [interval]
This command is used to enable the post-login client security function. When this function is
enabled, AG performs host integrity checks against the client at the specified interval after login
until the end user logs out of the virtual site or disconnects the VPN.

When this command is not configured, this function is disabled by default.

interval Optional. This parameter specifies the interval at which AG performs client security
checks against the client after the end user logs into the virtual site. Its value must be an integer
ranging from 0 to 3600. When it is set to 0, AG performs client security checks against the client
only once after the end user logs into the virtual site.

The default value is 300.

client security postlogin disable
This command is used to disable the post-login client security function.

client security default <level>
This command is used to configure the default Client Security level. The default Client Security
level will be assigned to the device class when it is defined (the device class can be configured
only via WebUI). Administrators can modify the level of the device class using the command
“client security device”.

If this command is not configured, the default Client Security level is “none”.

level This parameter specifies the default Client Security level. Its value must be:

• “none”: indicates no privilege.

• “low”: indicates only the Web access privilege.

• “medium”: indicates the Web, DD and fileshare access privileges.

• “high”: indicates the Web, DD, VPN and fileshare access privileges.

• custom level: indicates custom privileges. This value can be used only when the custom level
is predefined using the “client security level” command.

no client security default
This command is used to reset the default Client Security level to “none”.

show client security default
This command is used to display the default Client Security level.

client security device <device_name> <level>
This command is used to configure a device class rule. The earlier the device class rule is
configured, the higher its priority is. By default, the default device class rule with the device class
name “Default” is provided for the virtual site.

After the Client Security function is enabled, the system matches the client accessing the virtual
site with all device class rules sequentially in the descending order of the priority until one rule is
matched. The client matches a device class rule when it passes the host security checks defined for
the rule, matches the device attributes configured for the rule, or meets both conditions.

If no device class rule is matched, the client will be rejected from reaching the login page.

If the client matches a device class rule, the client will be assigned the access privileges indicated
by the Client Security level after logging into the virtual site.

device_name This parameter specifies the name of the device class to be added to
the virtual site. Its value must be a string of 1 to 32 characters.

level This parameter specifies the security level. Its value must be:

• “none”: indicates no privilege.

• “low”: indicates only the Web access privilege.

• “medium”: indicates the Web, DD and fileshare access privileges.

• “high”: indicates the Web, DD, VPN and fileshare access privileges.

• custom level: indicates custom privileges. This value can be used only when the custom level
is predefined using the “client security level” command.

Note: If two-stage Client Security is enabled, the system only matches the client with
the first two device class rules. The configurations of two-stage Client Security, host
integrity and device attributes are available only via WebUI.

no client security device <device_name>
This command is used to delete the specified device class rule.

show client security device
This command is used to display all the device class rules.

show client security existeddevice
This command is used to display all the configured device classes.

client security level <level>
This command is used to define a custom Client Security level.

level This parameter specifies the name of the custom Client Security level. Its value must be a
string of 1 to 64 characters.

no client security level <level>
This command is used to delete the specified custom Client Security level.

show client security level
This command is used to display the custom Client Security levels.

client security privilege web <level> [browse]
This command is used to associate the Web privileges with the specified custom Client Security
level.

level This parameter specifies the name of the existing custom Client
Security level defined by the “client security level” command.

browse Optional. This parameter specifies whether or not the client is allowed to browse
non-configured Web sites via the portal navigation bar. This option is disabled by default.

no client security privilege web <level>
This command is used to disassociate the Web privileges from the specified custom Client
Security level.

client security privilege dd <level>
This command is used to associate the DD privileges with the specified custom Client Security
level.

level This parameter specifies the name of the existing custom Client
Security level defined by the “client security level” command.

no client security privilege dd <level>
This command is used to disassociate the DD privileges from the specified custom Client Security
level.

client security privilege vpn <level>
This command is used to associate the VPN privileges with the specified custom Client Security
level.

level This parameter specifies the name of the existing custom Client
Security level defined by the “client security level” command.

no client security privilege vpn <level>
This command is used to disassociate the VPN privileges from the specified custom Client
Security level.

client security privilege file <level>
This command is used to associate the file share privileges with the specified custom Client
Security level.

level This parameter specifies the name of the existing custom Client
Security level defined by the “client security level” command.

no client security privilege file <level>
This command is used to disassociate the file share privileges from the specified custom Client
Security level.

show client security privilege [level]
This command is used to display the privileges associated with the specified custom Client
Security level. If the “level” parameter is not configured, privileges associated with all custom
Client Security levels will be displayed.

client security export scp <server_name> <user_name> <file_path>
This command is used to export the Client Security configuration file to an SCP server.

server_name This parameter specifies the name of the remote SCP server to
which the Client Security configuration file will be exported. Its
value must be a string of 1 to 128 characters.

user_name This parameter specifies the name of the user on the remote SCP
server. Its value must be a string of 1 to 64 characters.

file_path This parameter specifies the file path of the Client Security
configuration file to be exported. The file path must include the file
name. Its value must be a string of 1 to 256 characters.

client security export tftp <server_ip> [file_name]
This command is used to export the Client Security configuration file to a TFTP server.

server_ip This parameter specifies the IP address of the remote TFTP server.

file_name Optional. This parameter specifies the file name of the Client
Security configuration file to be exported. The default name is
“setup.orig.xml”. Its value must be a string of 1 to 256 characters.

client security import <url> [lcc]
This command is used to import a Client Security configuration file to the virtual site.

url This parameter specifies the HTTP or FTP URL of the Client
Security configuration file. Its value must be a string of 1 to 512
characters.

lcc Optional. This parameter specifies the “lcc” mode. Its value must be:

• “lcc”: indicates that after the remote client passes the client security check, the browser will
ignore the “Success_URL” field, which was configured via WebUI for the specified device class,
and will be redirected to the login page.

• empty: indicates that after the remote client passes the client security check, the browser will
be redirected to the page specified by the “Success_URL” field, which was configured via WebUI
for the specified device class.

The default value is empty.

show client security import [lcc]
This command is used to display the configuration file import status.

show client security config
This command is used to display the configurations of Client Security.

clear client security config
This command is used to clear the configurations of Client Security.

2000-2018 Array Networks, Inc.


329
All Rights Reserved.
Chapter 11 System Monitoring

Chapter 11 System Monitoring

Graphic Monitoring
statmon {on|off}
This global command is used to enable or disable the status monitoring function. The status
monitoring function monitors and collects information regarding the system’s running status at
fixed intervals, such as the status of CPU utilization, system memory utilization and active
sessions. The administrator can view the status information in the form of graphs via WebUI. By
default, this function is disabled.

Note: If the system time of an HA unit is not the current time, the graphs of the status
information displayed on WebUI will be abnormal when this HA unit is added to the HA
domain.

statmon clear
This global command is used to clear all existing statistic information collected by the status
monitoring function.

statmon purge [unused_days]
This global command is used to clear statistic information that was not used for a specified
number of days.

unused_days This parameter specifies the number of days. Its value must be an
integer ranging from 0 to 4,294,967,295. The default value is 730.

show statmon status
This global command is used to display the current status of the status monitoring function
(enabled or disabled).

Logging

General Settings

log {on|off}
This global command is used to enable or disable the logging function of the AG appliance. By
default, this function is disabled.

After the logging function is enabled, the system generates system log messages according to the
log level specified by the “log level” command, and sends the system log messages to the log
buffer and to the remote syslog hosts (if configured using the “log host” command).

2000-2018 Array Networks, Inc.


330
All Rights Reserved.
Chapter 11 System Monitoring

log level <level>


This global command is used to set the log level. If this command is not configured, the default
log level is info.

level This parameter specifies the valid log level. Its value must be
“emerg”, “alert”, “crit”, “err”, “warning”, “notice”, “info”, or
“debug”, and these values are listed from the highest priority to
lowest. The higher the priority of the log level, the higher the
severity of the event. When the log level is set, the system generates
logs of only this level and higher levels. For details, please refer to
the syslog RFC.

log facility <facility_name>
This global command is used to set the log facility which sends the system log messages. If this
command is not configured, the default log facility is “LOCAL0”.

facility_name This parameter specifies the log facility. Its value must be
“LOCAL0”, “LOCAL1”, “LOCAL2”, “LOCAL3”, “LOCAL4”,
“LOCAL5”, “LOCAL6” or “LOCAL7”. For details, please refer to
the syslog RFC.

log source port <source_port>
This global command is used to set the source port for sending system log messages. If this
command is not configured, the default source port is 514.

source_port This parameter specifies the source port for sending the system log
messages. Its value must be an integer ranging from 1 to 65,535.

log timestamp {on|off}
This global command is used to enable or disable the timestamp for system log messages. When
the timestamp is enabled, time information (date and time) will be added to every system log
message. By default, this function is enabled.

log option logid {on|off}
This global command is used to enable or disable the option to append the log ID to log messages.
When this option is enabled, the log ID will be added to every system log message. By default,
this option is disabled.

log option levelinfo {on|off}
This global command is used to enable or disable the option to append the log level information to
log messages sent to the remote syslog hosts configured using the “log host” command. By
default, this function is disabled.

2000-2018 Array Networks, Inc.


331
All Rights Reserved.
Chapter 11 System Monitoring

log option uniqueid <on|off>


This command is used to enable or disable the option to append a unique ID (the hardware
signature code generated by the Array Client or a random code generated by the AG appliance if
no unique ID is sent to the AG appliance) to system log messages. After this option is enabled, the
unique ID will be added to the system log messages generated when end users perform operations
related to sessions, AAA authentication and VPN tunnel. By default, this option is disabled.

on|off This parameter specifies whether to enable the option to append unique IDs to system log
messages. Its value must be “on” or “off”.

show log buff backward [expression]
This global command is used to display the system log messages stored in the log buffer in the
backward sequence of time.

expression Optional. This parameter specifies the regular expression for filtering the output of
the system log messages. Its value must be a string of 1 to 64 characters.

show log buff forward [expression]
This global command is used to display the system log messages stored in the log buffer in the
forward sequence of time.

expression Optional. This parameter specifies the regular expression for filtering the output of
the system log messages. Its value must be a string of 1 to 64 characters.

clear log buffer
This global command is used to clear all the system log messages from the log buffer.

log test
This command is used to generate a test log message at the level “emerg”.

show log config
This global command is used to display all log configurations.

clear log config
This global command is used to reset all the log configurations to default.

Log Customization

log http {combined|common|squid} [vip_option] [host_option]
This global command is used to set the HTTP access logging format. The system supports the
HTTP access log formats “combined”, “common” and “squid”. Please refer to the RFC for details.

vip_option This parameter specifies whether or not the VIP (virtual IP) on
which the request is received is logged. Its value must be:

• vip: indicates the VIP is logged.

• novip/None: indicates the VIP is not logged.

The default value is “None”.

host_option This parameter specifies whether or not the host in the request is
logged. Its value must be:

• host: the host in the request is logged.

• nohost/None: the host in the request is not logged.

The default value is “None”.

Note: this parameter does not take effect when the “vip_option” parameter is set to “none”.

log http welf
This global command is used to set the HTTP access logging format to “welf”.

log http custom <format>
This global command is used to customize the HTTP access logging format.

format This parameter specifies the HTTP access logging format. Its value
must be a string of 1 to 256 characters enclosed by double quotes
and formed using the symbols listed below. Besides, any characters
that are not part of the symbols listed below can also be added to
the log message.

Symbol Meaning
%a Cache result
%b Bytes returned by proxy to client
%c Client IP address
%d Date stamp
%e HTTP MIME type information
%f “PROXY_LOG”, a tag that can be used to distinguish these logs from other logs.
%g Time stamp (military format)
%h Host name as pulled from client host
%i User-agent
%k Session cookies
%m HTTP method
%n Full date/time stamp[MM/DD/YYYY:HH:MM:SS +/-0000]
%o Port of virtual service
%p Proxy IP address, VIP
%q A single double quote
%r HTTP return status code
%s Real Server IP address
%t Unix time stamp
%u Request URL
%v Protocol version
%w Referrer (from the client Referrer: header)
%B Username
%D SSL session ID
%N Full date/time stamp [DD/MMM/YYYY:HH:MM:SS +/-0000]
%P Real Server port
%R Elapsed time, time-taken
%T Time format compatible with W3C (GMT)
%U Full URL

So, for example, the following custom HTTP logging format instructs the log system to record the
time stamp, elapsed time, client IP address, cache result, HTTP return status code, bytes returned
by proxy to client, HTTP method, request URL and real server IP address.

AN(config)#log http custom "AN_SQUID_LOG %t %R %c %a/%r %b %m %u C DIRECT/%s -"

A piece of the log will be as follows:

INFO Jun 05 23:49:06 AN AN_SQUID_LOG 1338940146 0 110.52.84.41 TCP_MISS/200 1105 GET /Script/bottomSearch-1.0.js - DIRECT/58.83.194.202 -

This format produces the same output as the command “log http squid”.
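The Python helpers below are an added illustration (not Array Networks code) of how such a format string is expanded and, more usefully for log collection, how the same configured format can be turned into a parser for the lines the appliance emits. The symbol table is the one above, the record values are taken from the sample line, literal text in the format (the tag and the “C” and “DIRECT/” fragments) passes through unchanged, and fields that contain spaces (such as %n, %N or %i) would need a wider field pattern than the \S+ used here.

```python
"""Expand and parse "log http custom" formats. Added illustration (not Array
Networks code); the symbol table follows the handbook, the record is constructed."""
import re

# %-symbol -> field name in our record (meanings as listed in the handbook table).
SYMBOLS = {
    "a": "cache_result", "b": "bytes", "c": "client_ip", "d": "date",
    "e": "mime_type", "f": "proxy_log_tag", "g": "time_military", "h": "host",
    "i": "user_agent", "k": "session_cookies", "m": "method", "n": "datetime_mdy",
    "o": "vport", "p": "vip", "r": "status", "s": "rs_ip", "t": "unix_time",
    "u": "url", "v": "protocol_version", "w": "referrer", "B": "username",
    "D": "ssl_session_id", "N": "datetime_dmy", "P": "rs_port", "R": "elapsed",
    "T": "w3c_time", "U": "full_url",
}


def _tokens(fmt):
    """Split a format into ("sym", s) and ("lit", text) tokens; %q is a literal quote."""
    i = 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt):
            sym = fmt[i + 1]
            if sym == "q":
                yield ("lit", '"')
            elif sym in SYMBOLS:
                yield ("sym", sym)
            else:
                yield ("lit", fmt[i:i + 2])   # unknown symbol: assumed to pass through as text
            i += 2
        else:
            yield ("lit", fmt[i])
            i += 1


def render_http_log(fmt, record):
    """Produce the log body for one request; missing fields are written as "-"."""
    out = []
    for kind, val in _tokens(fmt):
        out.append(str(record.get(SYMBOLS[val], "-")) if kind == "sym" else val)
    return "".join(out)


def make_parser(fmt):
    """Compile the configured format into a parser for collected lines.

    Each field becomes a \\S+ group and literals are escaped. A syslog prefix such as
    "INFO Jun 05 23:49:06 AN " is tolerated because the pattern is searched, not
    anchored at the start. If a symbol is repeated, the last occurrence wins."""
    names, parts = [], []
    for kind, val in _tokens(fmt):
        if kind == "sym":
            names.append(SYMBOLS[val])
            parts.append(r"(\S+)")
        else:
            parts.append(re.escape(val))
    pattern = re.compile("".join(parts) + "$")

    def parse(line):
        m = pattern.search(line.rstrip("\r\n"))
        return None if m is None else dict(zip(names, m.groups()))
    return parse


# Format from the handbook example and a record reconstructed from its sample line.
SQUID_LIKE_FMT = "AN_SQUID_LOG %t %R %c %a/%r %b %m %u C DIRECT/%s -"
SAMPLE_RECORD = {
    "unix_time": 1338940146, "elapsed": 0, "client_ip": "110.52.84.41",
    "cache_result": "TCP_MISS", "status": 200, "bytes": 1105, "method": "GET",
    "url": "/Script/bottomSearch-1.0.js", "rs_ip": "58.83.194.202",
}

if __name__ == "__main__":
    body = render_http_log(SQUID_LIKE_FMT, SAMPLE_RECORD)
    print(body)
    print(make_parser(SQUID_LIKE_FMT)("INFO Jun 05 23:49:06 AN " + body))
```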

no log http
This global command is used to disable HTTP access logging.

log http off
This global command is used to disable the HTTP access logging function. The HTTP access logging
function records the logs of every HTTP request and response. By default, this function is enabled.
The default HTTP access logging format is “squid”.

Remote Syslog Host

log host <host_ip> [port] [protocol] [host_id] [log_level]
This global command is used to configure a remote syslog host used for storing system log
messages of the specified log level(s). A maximum of 6 remote log hosts can be configured.

host_ip This parameter specifies the IP address of the remote syslog host.
Its value must be an IPv4 or IPv6 address.

port Optional. This parameter specifies the port number of the remote
syslog host. Its value must be an integer ranging from 1 to 65,535.
The default value is 514.

protocol Optional. This parameter sets the protocol used to transmit system
log messages. Its value must be “TCP” or “UDP”. The default value
is “UDP”.

host_id Optional. This parameter specifies an identifier for the remote syslog host. Its value
must be an integer ranging from 0 to 65,535.

The default value is 0, indicating that all system log messages of the
specified level(s) will be sent to the remote syslog host without any
other filtering. If the host ID is set to a value larger than 0, system
log messages of specified level(s) will first be filtered based on the
configurations of log filter (configured via the “log filter”
command) and then sent to the remote syslog host.

Please note that the host ID “0” can be used by multiple remote
syslog hosts, while a host ID larger than 0 must be unique among
all remote syslog hosts.

log_level Optional. This parameter specifies the level(s) of the log. Its value
must be one or multiple of the following levels: “emerg”, “alert”,
“crit”, “err”, “warning”, “notice”, “info”, and “debug”. The default
value is “all”, indicating all of the above levels are selected.
Multiple levels in the parameter value must be separated by comma
and enclosed by double quotes.

Note: Before configuring a remote syslog host, please make sure that the remote syslog
host is ready to receive system log messages.

For example:

AN(config)#log host 10.3.53.3 555 udp 0 all
AN(config)#log host 10.3.53.3 44 tcp 1 emerg

no log host <host_ip> <port> [protocol]
This global command is used to delete the remote syslog host of the specified protocol type. If the
“protocol” parameter is not specified, the remote log host of the “UDP” type will be deleted.

log filter <host_id> <filter_id> <filter_string>
This global command is used to set a log filter for the specified log host. A maximum of 64 log
filters can be configured for one log host.

host_id This parameter specifies an existing log host ID set via the “log
host” command.

filter_id This parameter specifies the ID of the log filter. Its value must be an
integer ranging from 1 to 64.

filter_string This parameter specifies the log filter string. Its value must be a
string of 1 to 40 case-insensitive characters.

no log filter <host_id> [filter_id]
This global command is used to delete the specified log filter for the specified log host. If the
“filter_id” parameter is not specified or set to “0”, all log filters will be deleted.

log filtermode [mode]
This command is used to set the mode of log filters. If this command is not configured, the default
mode of log filter is “whitelist”.

mode Optional. This parameter specifies the mode of log filters. Its value must be:

• whitelist: indicates that the system log messages that match the log filter strings specified by
the parameter “filter_string” in the “log filter” command will be sent to the remote syslog hosts
configured using the “log host” command.

• blacklist: indicates that the system log messages that match the log filter strings specified by
the parameter “filter_string” in the “log filter” command will not be sent to the remote syslog
hosts configured using the “log host” command. In turn, system log messages that do not match
the log filter strings will be sent to the remote syslog hosts.

The default value is “whitelist”.
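The routing that “log level”, “log host”, “log filter” and “log filtermode” define together is easier to see in code; the Python model below is an added illustration (not Array Networks code) that parses “log host” lines in the syntax shown above, enforces the stated limits (six hosts, unique non-zero host IDs, filter IDs 1 to 64, filter strings of up to 40 characters) and decides which hosts receive a message of a given level. It assumes a filter string matches when it occurs anywhere in the message regardless of case, and that a host with a non-zero ID but no filters receives nothing in whitelist mode; the hosts, filters and messages are constructed.

```python
"""Model of how "log level", "log host", "log filter" and "log filtermode" route
messages. Added illustration, not Array Networks code; all data is constructed."""
import shlex
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_HOSTS, MAX_FILTERS = 6, 64


@dataclass(frozen=True)
class LogHost:
    ip: str
    port: int = 514
    protocol: str = "udp"
    host_id: int = 0                              # 0 means "no filtering"
    levels: FrozenSet[str] = frozenset(LEVELS)    # the "all" default


def parse_log_host(cmd: str) -> LogHost:
    """Parse 'log host <host_ip> [port] [protocol] [host_id] [log_level]'."""
    args = shlex.split(cmd)                 # handles the quoted "err,crit" level list
    if args[:2] != ["log", "host"] or len(args) < 3:
        raise ValueError("not a log host command: %r" % cmd)
    rest = args[3:]
    port = int(rest[0]) if len(rest) > 0 else 514
    protocol = rest[1].lower() if len(rest) > 1 else "udp"
    host_id = int(rest[2]) if len(rest) > 2 else 0
    level_arg = rest[3] if len(rest) > 3 else "all"
    if not 1 <= port <= 65535 or protocol not in ("tcp", "udp") or not 0 <= host_id <= 65535:
        raise ValueError("parameter out of range: %r" % cmd)
    levels = frozenset(LEVELS) if level_arg == "all" else frozenset(
        lv.strip() for lv in level_arg.split(","))
    if not levels <= set(LEVELS):
        raise ValueError("unknown log level in %r" % cmd)
    return LogHost(args[2], port, protocol, host_id, levels)


def add_log_host(hosts: List[LogHost], host: LogHost) -> None:
    """Enforce the documented limits: at most 6 hosts, non-zero host IDs unique."""
    if len(hosts) >= MAX_HOSTS:
        raise ValueError("at most %d remote log hosts" % MAX_HOSTS)
    if host.host_id and any(h.host_id == host.host_id for h in hosts):
        raise ValueError("host ID %d already in use" % host.host_id)
    hosts.append(host)


def add_log_filter(filters: Dict[int, Dict[int, str]], host_id: int,
                   filter_id: int, text: str) -> None:
    """'log filter <host_id> <filter_id> <filter_string>' with its stated limits."""
    if not 1 <= filter_id <= 64:
        raise ValueError("filter_id must be 1..64")
    if not 1 <= len(text) <= 40:
        raise ValueError("filter_string must be 1..40 characters")
    per_host = filters.setdefault(host_id, {})
    if filter_id not in per_host and len(per_host) >= MAX_FILTERS:
        raise ValueError("at most %d filters per host" % MAX_FILTERS)
    per_host[filter_id] = text


def route(message: str, level: str, hosts: List[LogHost], filters: Dict[int, Dict[int, str]],
          filtermode: str = "whitelist", log_level: str = "info") -> List[Tuple[str, int, str]]:
    """Return (ip, port, protocol) for every remote host that receives this message."""
    if LEVELS.index(level) > LEVELS.index(log_level):
        return []                     # below the global "log level": never generated
    targets = []
    for h in hosts:
        if level not in h.levels:
            continue                  # host subscribed to other levels only
        if h.host_id == 0:
            targets.append((h.ip, h.port, h.protocol))   # host ID 0: no filtering
            continue
        strings = filters.get(h.host_id, {}).values()
        matched = any(s.lower() in message.lower() for s in strings)  # assumed: substring match
        if matched == (filtermode == "whitelist"):
            targets.append((h.ip, h.port, h.protocol))
    return targets


# Constructed configuration; the first two "log host" lines are the handbook's own examples.
HOSTS: List[LogHost] = []
for _cmd in ('log host 10.3.53.3 555 udp 0 all',
             'log host 10.3.53.3 44 tcp 1 emerg',
             'log host 10.3.53.4 514 udp 2 "err,crit"'):
    add_log_host(HOSTS, parse_log_host(_cmd))

FILTERS: Dict[int, Dict[int, str]] = {}
add_log_filter(FILTERS, 1, 1, "tunnel")
add_log_filter(FILTERS, 2, 1, "authentication")
add_log_filter(FILTERS, 2, 2, "AAA")
```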

2000-2018 Array Networks, Inc.


336
All Rights Reserved.
Chapter 11 System Monitoring

Disabling Individual System Log

log message disable <log_id>


This global command is used to disable a specified system log message. The disabled system log
message will be added to the disabled system log message list. By default, the disabled system log
message list is empty, that is to say, all system log message are enabled. A maximum of 128
system log message can be disabled.

log_id This parameter specifies the ID of a system log message.

Administrators can check the system log message ID on WebUI:

1. Select Admin Tools > Monitoring > Logging > Disabled Log
under the global scope.

2. In the Disabled Log area, click the Log ID List action link to
view IDs of all system log messages.

no log message disable <log_id>
This global command is used to delete a specified system log message from the disabled system
log message list, that is to say, to enable the system log message.

show log message disable [log_id]
This global command is used to display a specified system log message in the disabled system log
message list. If the parameter “log_id” is not specified, all the system log messages in the disabled
system log message list will be displayed.

clear log message disable
This global command is used to clear all the system log messages from the disabled system log
message list, that is to say, to enable all the disabled system log messages.

Log Alert

log alert <rule_id> <expression> <email> <interval> [type]
This global command is used to configure a log alert rule. When a system log message matches
the log alert rule, a log alert email will be sent to the email address specified by the log alert rule.

rule_id This parameter specifies the ID of the log alert rule. Its value must be an integer
ranging from 1 to 32.

If a log alert rule with the same “rule_id” already exists, the AG
appliance will prompt the administrator for whether or not to
overwrite the log alert rule with this “rule_id”.

expression This parameter specifies the regular expression used for log
matching. Its value must be a string of 1 to 64 characters.

email This parameter specifies the email address used to receive log alert
emails. Its value must be a string of 1 to 128 characters enclosed by
double quotes.

interval This parameter specifies the interval to send log alert emails. Its
value must be an integer ranging from 0 to 10,000, in minutes. 0
means sending the log alert email immediately after a system log
message matches this log alert rule.

type Optional. This parameter specifies the content type of the log alert
email. Its value must be:

• data: indicates that the contents of the system log messages that matched this log alert rule
will be sent in the log alert email.

• count: indicates that the number of times that system log messages matched this log alert
rule will be sent in the log alert email.

The default value is “data”.

no log alert <rule_id>
This global command is used to delete the specified log alert rule.

show log alert [rule_id]
This global command is used to display the specified log alert rule. If the “rule_id” parameter is
not specified or set to 0, all log alert rules will be displayed.

clear log alert
This global command is used to clear all log alert rules.

SNMP Commands

General Settings
The Simple Network Management Protocol (SNMP) offers the communication rules between a
management device and the managed devices on the network. It defines a set of messages,
methods and syntax to implement the access and management from the management device to the
managed devices.

2000-2018 Array Networks, Inc.


338
All Rights Reserved.
Chapter 11 System Monitoring

An SNMP managed network comprises primarily network management stations (NMSs) and an
agent. An NMS is a manager in an SNMP enabled network, whereas agents are managed by the
NMS. The NMS and agents exchange management information through the SNMP protocol.

The AG appliance acts as an SNMP agent and currently supports the SNMP GET requests, but not
SNMP SET requests. For details, refer to the following commands.

snmp on [version]
This global command is used to enable the SNMP agent of the AG appliance.

version This parameter specifies the SNMP version(s) that are supported by the SNMP agent of
the AG appliance. Its value must be:

• default: indicates that the SNMP agent supports versions v1, v2c and v3.

• v3: indicates that the SNMP agent supports only version v3.

The default value is “default”.

snmp off
This global command is used to disable the SNMP function. By default, this function is disabled.

show snmp
This global command is used to display all SNMP settings.

Example:

AN(config)#show snmp
snmp community reindeer
snmp location server room 6
snmp contact [email protected]
snmp host 10.2.21.1 rudolph
snmp enable traps

clear snmp
This global command is used to reset the SNMP settings to default.

SNMP Request

snmp community <string>
This global command is used to configure the community string of the SNMP agent on the AG
appliance. This community string is used as the password to control the access from the NMS to
the SNMP agent. If the SNMP requests sent by the NMS do not carry the correct community
string, the SNMP agent will reject the SNMP requests.

If this command is not configured, the default community string is “public”.

string This parameter specifies the community string. Its value must
be a string of 1 to 32 characters. The parameter value can only
be changed when the SNMP function is disabled.

Note: For the sake of security, it is strongly recommended to modify the default SNMP
community string to avoid possible system information interception.

Example:

AN(config)#snmp community reindeer

no snmp community
This global command is used to reset the community string to the default “public”.

snmp contact <contact_name>
This global command is used to configure the contact information of the administrator.

contact_name This parameter specifies the contact information of the administrator. Its value
must be a string of 1 to 128 characters enclosed by double quotes.

For example:

AN(config)#snmp contact "[email protected]"

no snmp contact
This global command is used to delete the contact information of the administrator.

snmp location <location>

This global command is used to configure the physical location of the SNMP agent.

location This parameter specifies the physical location of the AG appliance. Its value must be a
string of 1 to 128 characters enclosed by double quotes.

For example:

AN(config)#snmp location "server room 6"

no snmp location

This global command is used to delete the setting of physical location configured for the SNMP
agent.

snmp v3user <user_name> <auth_password> [security_level] [priv_password]

This global command is used to add one user into the SNMP v3 user database for GET request
authentication. This is to control SNMP GET requests following USM (User-based Security
Model). Please note that the system uses MD5 for SNMPv3 user authentication.

user_name This parameter specifies the username of the SNMP v3 user account needed to be added
into the SNMP v3 user database. Its value must be a string of 1 to 32 characters.

auth_password This parameter specifies the password of the SNMP v3 user account
needed to be added into the SNMPv3 user database. Its value must
be a string of 8 to 32 characters.

security_level Optional. This parameter specifies the security level. Its value must be:

• authNopriv: indicates the authentication is performed and data encryption is not provided.

• authPriv: indicates both authentication and data encryption are performed.

The default value is “authNopriv”.

priv_password Optional. This parameter specifies the private password for data encryption. Its
value must be a string of 8 to 32 characters.

Note: This parameter needs to be specified only when the “security_level” parameter is set to
“authPriv”.

no snmp v3user <user_name>

This global command is used to delete the specified SNMP v3 user account from the SNMP v3
user database.

SNMP Access Control

snmp ipcontrol {on|off}

This global command is used to enable or disable the SNMP access control function. When this
function is enabled, only the SNMP GET requests coming from the subnets configured using the
“snmp ippermit” command are permitted by the SNMP agent. By default, this function is disabled,
indicating all SNMP GET requests are permitted by the SNMP agent.

snmp ippermit <source_ip> <netmask>

This global command is used to add an SNMP access permit rule to permit the SNMP GET
requests coming from the specified subnet.

source_ip This parameter specifies the network IP address of the subnet. Its
value must be an IPv4 address.

netmask This parameter specifies the netmask of the subnet.

no snmp ippermit <source_ip> <netmask>

This global command is used to delete the specified SNMP access permit rule.

SNMP Traps

snmp enable traps

This global command is used to enable SNMP traps. SNMP traps enable the SNMP agent to
notify the NMS (configured using the “snmp host” command) of critical and important events
(such as SNMP agent start/termination). The supported traps are:

• agentStart: This trap is sent when the SNMP agent starts.

• agentStop: This trap is sent when the SNMP agent terminates.

• linkup: This trap is sent when the interface of the SNMP agent becomes “up”.

• linkdown: This trap is sent when the interface of the SNMP agent becomes “down”.

• caSyslog: This trap is sent when the system log level is larger than “err”.

no snmp enable traps

This global command is used to disable SNMP traps.

snmp host <host_ip> [trap_version] [user_name|community_name] [engine_id] [auth_password]
[security_level] [priv_password]

This global command is used to configure the remote SNMP host used as NMS for receiving the
SNMP traps.

host_ip This parameter specifies the IP address of the SNMP host. Its value must be an IPv4
address.

trap_version Optional. This parameter specifies the SNMP trap version. Its value must be “1”, “2”
or “3”, indicating SNMP v1, SNMP v2 or SNMP v3.

• If this parameter is set to “1” or “2”, only the “user_name|community_name” parameter needs
to be specified.

• If this parameter is set to “3”, the “user_name|community_name”, “engine_id”,
“auth_password” and “security_level” parameters must be specified. Please note that the system
uses MD5 for SNMPv3 user authentication.

The default value is 2.

user_name|community_name Optional. This parameter specifies the trap community string for
SNMP v1 and v2 or the trap user for SNMP v3. The default value is “public”.

engine_id Optional. This parameter specifies the authoritative engine ID of the remote SNMP host
for SNMP v3. Its value must be a hex number. The parameter length must be an even number and
less than or equal to 24.

auth_password Optional. This parameter specifies the authentication password. Its value must be a
string of 8 to 32 characters.

security_level Optional. This parameter specifies the security level. Its value must be:

• authNopriv: indicates the authentication is performed and data encryption is not provided.

• authPriv: indicates both authentication and data encryption are performed.

The default value is “authNopriv”.

priv_password Optional. This parameter specifies the private password for data encryption. Its
value must be a string of 8 to 32 characters.

Note: This parameter needs to be specified only when the “security_level” parameter is set to
“authPriv”.

no snmp host <host_ip>

This global command is used to delete an SNMP host.
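As an added example, not taken from the handbook or from Array Networks, the following Python script audits a saved “show snmp” listing against the hardening points of this section: the default “public” community string, the default version setting that still accepts v1/v2c, “snmp ipcontrol” left off, trap hosts that use v1/v2 community strings, and v3 users or trap hosts left at “authNopriv”. Both listings are constructed; that the agent version, access control and v3 user settings are echoed as “snmp version”, “snmp ipcontrol” and “snmp v3user” lines in the same command form as the “show snmp” output shown earlier is an assumption, as are the placeholder passwords.

```python
"""Audit an Array AG 'show snmp' listing for the weak settings this section warns about.

Added example, not Array Networks code. Assumptions: 'show snmp' echoes each
setting in command form (as the handbook's sample output does for community,
location, contact, host and traps), and the agent version, access control and
v3 user settings are echoed as 'snmp version', 'snmp ipcontrol' and
'snmp v3user' lines in the same form.
"""
import shlex

# Constructed sample of a box left near its defaults (passwords are placeholders).
WEAK_SHOW_SNMP = """\
AN(config)#show snmp
snmp community public
snmp location "server room 6"
snmp contact "admin@example.invalid"
snmp version default
snmp ipcontrol off
snmp host 10.2.21.1 2 rudolph
snmp host 10.2.21.2 3 trapuser 0x8000000001020304 AUTHPASS-PLACEHOLDER authNopriv
snmp v3user reader AUTHPASS-PLACEHOLDER authNopriv
snmp enable traps
"""

# Constructed sample of the same box after hardening: v3 only, authPriv everywhere,
# a non-default community and GET requests limited to the management subnet.
HARDENED_SHOW_SNMP = """\
AN(config)#show snmp
snmp community NotPublic-PLACEHOLDER
snmp version v3
snmp ipcontrol on
snmp ippermit 10.2.21.0 255.255.255.0
snmp host 10.2.21.2 3 trapuser 0x8000000001020304 AUTHPASS-PLACEHOLDER authPriv PRIVPASS-PLACEHOLDER
snmp v3user reader AUTHPASS-PLACEHOLDER authPriv PRIVPASS-PLACEHOLDER
snmp enable traps
"""

def parse_show_snmp(text):
    """Split the listing into token lists, skipping the echoed CLI prompt."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("AN"):
            continue
        rows.append(shlex.split(line))   # keeps double-quoted values intact
    return rows

def audit_snmp(text):
    """Return a sorted list of findings; an empty list means no weak setting was seen."""
    findings = []
    seen = {"community": False, "version": False, "ipcontrol": False}
    for row in parse_show_snmp(text):
        if len(row) < 3 or row[0] != "snmp":
            continue
        kind, args = row[1], row[2:]
        if kind == "community":
            seen["community"] = True
            if args[0] == "public":
                findings.append("community string is the default 'public'")
        elif kind == "version":
            seen["version"] = True
            if args[0] != "v3":
                findings.append("agent accepts SNMP v1/v2c (version is 'default')")
        elif kind == "ipcontrol":
            seen["ipcontrol"] = True
            if args[0] != "on":
                findings.append("snmp ipcontrol is off: GET requests accepted from any source")
        elif kind == "host":
            # snmp host <ip> [trap_version] [user|community] ...; trap_version defaults to 2
            version = args[1] if len(args) > 1 and args[1] in ("1", "2", "3") else "2"
            if version != "3":
                findings.append(f"trap host {args[0]} uses SNMP v{version} with a community string")
            elif "authPriv" not in args:
                findings.append(f"trap host {args[0]} sends v3 traps without encryption (authNopriv)")
        elif kind == "v3user":
            # snmp v3user <user> <auth_password> [security_level] ...; level defaults to authNopriv
            level = args[2] if len(args) > 2 else "authNopriv"
            if level != "authPriv":
                findings.append(f"v3 user {args[0]} is authNopriv: GET traffic is not encrypted")
    # Settings that are absent fall back to the handbook's defaults, which are the weak ones.
    if not seen["community"]:
        findings.append("no community configured: default 'public' applies")
    if not seen["version"]:
        findings.append("no version configured: agent accepts SNMP v1/v2c")
    if not seen["ipcontrol"]:
        findings.append("snmp ipcontrol not configured: default off")
    return sorted(findings)

if __name__ == "__main__":
    for name, listing in (("weak", WEAK_SHOW_SNMP), ("hardened", HARDENED_SHOW_SNMP)):
        print(f"{name}: {audit_snmp(listing) or ['no findings']}")
```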

Troubleshooting Commands

ping {ipv4|host_name}
This global command is used to check the network connectivity to the specified IPv4 network host
by sending Internet Control Message Protocol (ICMP) echo requests.

ipv4|host_name This parameter specifies the IP address or name of the IPv4 network
host.

ping6 {ipv6|host_name}
This global command is used to check the network connectivity to the specified IPv6 network host
by sending Internet Control Message Protocol (ICMP) echo requests.

ipv6|host_name This parameter specifies the IP address or name of the IPv6 network
host.

ping {ipv4|host_name}
This command is used to check the network connectivity to the specified IPv4 network host by
sending Internet Control Message Protocol (ICMP) echo requests.

For this command, the virtual site will always use global DNS settings to resolve the host name.

ipv4|host_name This parameter specifies the IP address or name of the IPv4 network
host.

traceroute {ipv4|host_name}
This global command is used to trace the route to the specified IPv4 network host by sending three
packets to each intermediate node on this route. After this command is executed, the TTL, host
names and IP addresses of the intermediate nodes (routers or gateways), as well as the round-trip
time of each packet to every node will be displayed.

ipv4|host_name This parameter specifies the IP address or name of the IPv4 network
host.

traceroute6 {ipv6|host_name}
This global command is used to trace the route to the specified IPv6 network host by sending three
packets to each intermediate node on this route. After this command is executed, the TTL, host
names and IP addresses of the intermediate nodes (routers or gateways), as well as the round-trip
time of each packet to every node will be displayed.

ipv6|host_name This parameter specifies the IP address or name of the IPv6 network
host.

traceroute {ipv4|host_name}
This command is used to trace the route to the specified IPv4 network host by sending three
packets to each intermediate node on this route. After this command is executed, the system will
display the TTL, host names and IP addresses of the intermediate nodes (routers or gateways), as
well as the round-trip time of each packet to every node.

For this command, the virtual site will always use global DNS settings to resolve the host name.

ipv4|host_name This parameter specifies the IP address or name of the IPv4 network
host.

nslookup {ip|host_name}
This global command is used to resolve the IPv4 address for the specified host name or vice versa.
After this command is executed, the IPv4 address resolved by the DNS server will be displayed
for the specified host name or vice versa.

ip|host_name This parameter specifies the host name or IPv4 address enclosed by
double quotes.

nslookup {ip|host_name}
This command is used to resolve the IPv4 address for the specified host name or vice versa. After
this command is executed, the IPv4 address resolved by the DNS server will be displayed for the
specified host name or vice versa.

For this command, if the “dns useglobal off” command is configured for the virtual site, the virtual
site will use its DNS settings to resolve the host name. If the “dns useglobal on” command is
configured for the virtual site, the virtual site will use global DNS settings to resolve the host
name.

ip|host_name This parameter specifies the host name or IPv4 address enclosed by
double quotes.

support <ip_address> <netmask|prefix>

This global command is used to configure a network segment, within which the users are allowed
to use the “test” account to log into the AG appliance via the SSH protocol or Console.

ip_address This parameter specifies the allowed IP address. Its value must be
an IPv4 or IPv6 address.

netmask|prefix This parameter specifies the netmask or prefix length of the IP address.

• “netmask” is used for an IPv4 address. Its value must be a dotted IP address or an integer
ranging from 0 to 32.

• “prefix” is used for an IPv6 address. Its value must be an integer ranging from 0 to 128.

no support <ip_address> <netmask|prefix>

This global command is used to delete the specified network segment, within which the users are
allowed to use the “test” account to log into the AG appliance via the SSH protocol or Console.

show support
This global command is used to display all the network segments, within which the users are
allowed to use the “test” account to log into the AG appliance via the SSH protocol or Console.

clear support
This global command is used to clear all the network segments, within which the users are
allowed to use the “test” account to log into the AG appliance via the SSH protocol or Console.
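Because a “support” segment opens the “test” account to every host inside it, an operator will want to check what a given rule actually covers. The following Python helper is an added example, not Array Networks code: it parses a segment using the rules stated above (dotted netmask or an integer 0 to 32 for IPv4, an integer 0 to 128 for IPv6), rejects arguments that break them, and reports whether a client address falls inside any configured segment. The rule pairs and client addresses are constructed.

```python
"""Evaluate 'support <ip_address> <netmask|prefix>' segments for a client address.

Added example, not Array Networks code. It implements the argument rules the
handbook states for the 'support' command: an IPv4 address takes a dotted
netmask or an integer 0-32, an IPv6 address takes an integer prefix 0-128.
The 'admin access' and 'snmp ippermit' commands use the IPv4 dotted form only,
so their rules can be checked with the same helper.
"""
import ipaddress

def parse_segment(ip_address, mask_or_prefix):
    """Return the ip_network a 'support' rule covers, or raise ValueError if the
    arguments violate the handbook's rules."""
    addr = ipaddress.ip_address(ip_address)
    if addr.version == 4:
        if "." in mask_or_prefix:
            # dotted netmask; ipaddress rejects a non-contiguous mask
            return ipaddress.ip_network(f"{addr}/{mask_or_prefix}", strict=False)
        bits = int(mask_or_prefix)
        if not 0 <= bits <= 32:
            raise ValueError("IPv4 netmask length must be 0 to 32")
        return ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    if not mask_or_prefix.isdigit():
        raise ValueError("IPv6 prefix must be an integer")
    bits = int(mask_or_prefix)
    if not 0 <= bits <= 128:
        raise ValueError("IPv6 prefix length must be 0 to 128")
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

def segment_is_valid(ip_address, mask_or_prefix):
    """True if the pair would be accepted as a 'support' rule."""
    try:
        parse_segment(ip_address, mask_or_prefix)
        return True
    except ValueError:
        return False

def support_allows(client_ip, rules):
    """True if client_ip lies inside any configured segment.
    rules is a list of (ip_address, netmask_or_prefix) pairs, as typed on the CLI."""
    client = ipaddress.ip_address(client_ip)
    for ip_address, mask_or_prefix in rules:
        net = parse_segment(ip_address, mask_or_prefix)
        if net.version == client.version and client in net:
            return True
    return False

if __name__ == "__main__":
    # Constructed rule set: one IPv4 segment given with a dotted mask, one IPv6 prefix.
    RULES = [("10.2.21.0", "255.255.255.0"), ("2001:db8:1::", "64")]
    for ip in ("10.2.21.7", "10.2.22.7", "2001:db8:1::5"):
        print(ip, "allowed" if support_allows(ip, RULES) else "denied")
```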

Debug Commands

General Settings

debug enable
This global command is used to enable the debug function. Once this function is enabled, the AG
appliance will first clean the old files (such as sys_debug.tar.gz and sys_core.tar.gz) used to
collect debugging data. Then, the AG appliance will create a new file (such as
englog.20161030_133513) to store debugging data and this collecting process will not stop until
the “debug disable” command is executed.

debug disable
This global command is used to disable the debug function. Once the debug function is disabled,
the AG appliance will first generate a file named sys_debug.tar.gz to store the collected debug
data. Then, the AG appliance will clean up the collected debug data in the system. The file
sys_debug.tar.gz can be downloaded via WebUI.

The following is the generated tar file that only contains the debug information collected from the
moment of executing the “debug enable” command to the moment of executing the “debug
disable” command.

/var/crash/sys_debug.tar.gz
  tcpdump
  ssldump
  debug.tar.gz (including englog, pipe and loopback information)

show debug file

This global command is used to display the debugging files.

show debug output [subsystem_name]

This global command is used to display the debugging output for the specified subsystem.

subsystem_name Optional. This parameter specifies the name of the subsystem. The
default value is “no_englog”.

Debug Snapshot

debug corefile [core_files_number]

This global command is used to set the number of system core files to be collected.

core_files_number Optional. This parameter specifies the number of system core files
to be collected. Its value must be an integer ranging from 1 to 10.
The default value is 1.

Note: Administrators must first execute this command to set the number of core files to be
collected before executing the “debug snapshot system” command to collect core files,
such as sys_core.tar.gz and app_core.tar.gz. If no value is specified, the system will not
collect any core file.

debug snapshot proxy [level]

This global command is used to take a snapshot of proxy activities. The output is saved into the
sys_debug.tar.gz file generated after the debug function is enabled using the “debug enable”
command. Please enable the debug function first before executing this command.

level This parameter specifies the quantity of the snapshot. Its value must
be “1”, “2” or “3”. “1” indicates the least data while “3” indicates
the most data.

debug snapshot system

This global command is used to take a snapshot of the system activities. The following four
categorized files might be generated after this command is executed:

• sys_snap.tar.gz.gpg

• sys_log.tar.gz.gpg

• sys_core.tar.gz.gpg

• app_core.tar.gz.gpg

The files “sys_snap.tar.gz.gpg”, “sys_log.tar.gz.gpg”, “sys_core.tar.gz.gpg” or
“app_core.tar.gz.gpg” can be downloaded via WebUI.

Please note that the files “sys_core.tar.gz.gpg” and “app_core.tar.gz.gpg” can be generated only
when specific core files exist in the system.

debug snapshot all [level]

This global command is used to take a snapshot of both proxy and system activities. The output of
proxy is saved into the sys_debug.tar.gz file generated after the debug function is enabled using
the “debug enable” command and the system output is saved into the files “sys_snap.tar.gz.gpg”,
“sys_log.tar.gz.gpg”, “sys_core.tar.gz.gpg” or “app_core.tar.gz.gpg”. Please enable the debug
function first before executing this command.

Please note that the files “sys_core.tar.gz.gpg” and “app_core.tar.gz.gpg” can be generated only
when specific core files exist in the system.

level This parameter specifies the quantity of the snapshot. Its value must
be “1”, “2” or “3”. “1” indicates the least data while “3” indicates
the most data.

Debug Trace

debug trace live event backward [regular_expression]

This global command is used to display the KDB (Kernel Debugger) events in the backward
sequence of time.

regular_expression Optional. This parameter specifies the regular expression to match the KDB
events. Its value must be a string of 1 to 64 characters.

debug trace live event forward [regular_expression]

This global command is used to display the KDB events in the forward sequence of time.

regular_expression Optional. This parameter specifies the regular expression to match the KDB
events. Its value must be a string of 1 to 64 characters.

debug trace live proxy [src_ip] [src_port] [dst_ip] [dst_port] [and|or] [tcpdump_argument]

This global command is used to trace and display the proxy activities in real time.

src_ip Optional. This parameter specifies the source IP to be traced. Its value must be an IPv4
address. The default value is 0.0.0.0, indicating all source IP addresses will be traced live.

src_port Optional. This parameter specifies the source port to be traced. Its value must be an
integer ranging from 0 to 65535. The default value is 0, indicating all source ports will be traced
live.

dst_ip Optional. This parameter specifies the destination IP to be traced. Its value must be an IPv4
address. The default value is 0.0.0.0, indicating all destination IP addresses will be traced live.

dst_port Optional. This parameter specifies the destination port to be traced. Its value must be an
integer ranging from 0 to 65535. The default value is 0, indicating all destination ports will be
traced live.

and|or Optional. This parameter specifies the relationship between the configured parameters
(source IP, source port, destination IP, destination port). Its value must be:

• and: indicates only the activities matching all of the given parameters (source IP, source port,
destination IP, destination port) will be displayed.

• or: indicates any activity matching any one of the given parameters will be displayed.

The default value is “or”.

tcpdump_argument Optional. This parameter specifies the argument used to trace TCP
activities via tcpdump, which is a TCP packet analyzer. Its value
must be a string of 1 to 128 characters.

The default value is empty.

debug trace live ssl <interface_name> <virtual_site> [encrypt|plain] [ssldump_argument]

This global command is used to trace and display SSL activities in real time.

interface_name This parameter specifies the existing interface name. It can be a system interface,
bond interface or VLAN interface.

virtual_site This parameter specifies the name of the existing virtual site. Its value must be a
string of 1 to 63 characters.

encrypt|plain Optional. This parameter specifies the display format of the data in SSL
communication packets. Its value must be:

• encrypt: The encrypted data in SSL communication packets will be directly displayed on the
screen.

• plain: The encrypted data in SSL communication packets will be decrypted first and then be
displayed on the screen.

The default value is “encrypt”.

ssldump_argument Optional. This parameter specifies the argument used to trace SSL
activities via ssldump, which is an SSL packet analyzer. Its value
must be a string of 1 to 128 characters enclosed by double quotes.

The default value is empty.

debug trace live tcp <interface_name> [tcpdump_argument]

This global command is used to trace and display TCP activities in real time.

interface_name This parameter specifies the existing interface name. It can be a system interface,
bond interface or VLAN interface.

tcpdump_argument Optional. This parameter specifies the argument used to trace TCP
activities via tcpdump, which is a TCP packet analyzer. Its value
must be a string of 1 to 128 characters.

The default value is empty.

debug trace proxy

This global command is used to trace proxy activities. The output is saved into the
sys_debug.tar.gz file generated after the debug function is enabled using the “debug enable”
command. Please enable the debug function first before executing this command.

debug trace ssl [encrypt|plain] [ssldump_argument]

This global command is used to trace SSL activities. The output is saved into the sys_debug.tar.gz
file generated after the debug function is enabled using the “debug enable” command. Please
enable the debug function first before executing this command.

encrypt|plain Optional. This parameter specifies the display format of the data in
SSL communication packets. Its value must be:

• encrypt: indicates the encrypted data in SSL communication packets will be directly saved into
the “englog” file.

• plain: indicates the encrypted data in SSL communication packets will be decrypted first and
then be saved into the “englog” file.

The default value is “encrypt”.

ssldump_argument Optional. This parameter specifies the argument used to trace SSL
activities via ssldump, which is an SSL packet analyzer. Its value
must be a string of 1 to 128 characters enclosed by double quotes.

The default value is empty.

debug trace tcp loopback [tcpdump_argument]

This global command is used to trace TCP activities on the loopback interfaces. The output is
saved into a newly generated file (such as tcpdump_lo0.20161030_134410 included in the file
sys_debug.tar.gz). Please enable the debug function first before executing this command.

tcpdump_argument Optional. This parameter specifies the argument used to trace TCP
activities via tcpdump, which is a TCP packet analyzer. Its value
must be a string of 1 to 128 characters.

The default value is empty.

debug trace tcp nic [tcpdump_argument]

This global command is used to trace TCP activities on all the NICs. The output is saved into a
newly generated file (such as tcpdump_port1.20161030_134410 included in the file
sys_debug.tar.gz). Please enable the debug function first before executing this command.

tcpdump_argument Optional. This parameter specifies the argument used to trace TCP
activities via tcpdump, which is a TCP packet analyzer. Its value
must be a string of 1 to 128 characters.

The default value is empty.

debug trace tcp pipe0 [tcpdump_argument]

This global command is used to trace the TCP activities on pipe0. The output is saved into a
newly generated file (such as tcpdump_pipe0.20161030_134410 included in the file
sys_debug.tar.gz). Please enable the debug function first before executing this command.

tcpdump_argument Optional. This parameter specifies the argument used to trace TCP
activities via tcpdump, which is a TCP packet analyzer. Its value
must be a string of 1 to 128 characters.

The default value is empty.

debug trace tcp all [tcpdump_argument]

This global command is used to trace TCP activities on all the interfaces. Please enable the debug
function first before executing this command.

tcpdump_argument Optional. This parameter specifies the argument used to trace TCP
activities via tcpdump, which is a TCP packet analyzer. Its value
must be a string of 1 to 128 characters.

The default value is empty.

Debug Usage

debug usage mbuf

This global command is used to enable the function of tracking the usage of mbuf in the system.

no debug usage mbuf

This global command is used to disable the function of tracking the usage of mbuf by the system.

show debug usage mbuf

This global command is used to display the mbuf usage information. After the “show debug
usage mbuf” command is executed, the following output will be displayed:

AN#show debug usage mbuf
Mbuf usage Statistics
index: 1, app: 0x201993a8
Total mbufs: 2094848
Module Name no of mbufs (col 1) no of mbufs (col 2)
ID_0: 2094847 2094847
ID_1: 1 0
ID_21: 0 1

Debug File Export

debug ftp <username> <remote_ftp_ip> <file_name>

This global command is used to export the files storing the debugging data to the specified remote
FTP server. A time stamp will be inserted into the name of each exported file to differentiate them
from other files on the FTP server.

username This parameter specifies the username to log into the remote FTP
server. Its value must be a string of 1 to 128 characters.

remote_ftp_ip This parameter specifies the IP address of the remote FTP server. Its
value must be an IPv4 address.

file_name This parameter specifies the name of the file to be exported to the
FTP server (without the “.tar.gz.gpg” suffix). Its value must be
“sys_snap”, “sys_snap.0”, “sys_snap.1”, “sys_log”, “sys_log.0”,
“sys_log.1”, “sys_core”, “app_core”, “sys_debug”, “sslkeylog” or
“all”. If the parameter value is set to “all”, all the latest tarball files
(sys_snap, sys_log, sys_core, app_core and sys_debug) are
exported to the remote FTP server.

debug scp {username@remote_scp_ip|host} <file_name>

This global command is used to export the files storing the debugging data to the specified remote
SCP server. A time stamp will be inserted into the name of each exported file to differentiate them
from other files on the SCP server.

username@remote_scp_ip|host This parameter specifies the username and the IP address or host
name of the remote SCP server. Its value must be a string of 1 to 512 characters.

file_name This parameter specifies the name of the file to be exported to the remote SCP server
(without the “.tar.gz” suffix). Its value must be “sys_snap”, “sys_snap.0”, “sys_snap.1”,
“sys_log”, “sys_log.0”, “sys_log.1”, “sys_core”, “app_core”, “sys_debug”, “sslkeylog” or “all”.
If the parameter value is set to “all”, all the latest tarball files (sys_snap, sys_log, sys_core,
app_core and sys_debug) are exported to the remote SCP server.

Debug Monitor

debug monitor {on|off}

This global command is used to enable or disable the monitor function. Once this function is
enabled, it will trace and log (into a predefined file named “monitor.out0”) the status of the AG
appliance.

debug monitor export ftp <username> <remote_ftp_ip>

This global command is used to export the monitor result file to a remote FTP server. Please
disable the monitor module using the command “debug monitor off” before executing this
command.

username This parameter specifies the username to log into the remote FTP server. Its value must
be a string of 1 to 128 characters.

remote_ftp_ip This parameter specifies the IP address of the remote FTP server. Its
value must be an IPv4 address.

debug monitor export scp <username@remote_address:filepath>

This global command is used to export the monitor result file to a remote SCP server. Please
disable the monitor module using the command “debug monitor off” before executing this
command.

username@remote_address:filepath This parameter specifies the username and the name or IP
address of the remote host on the remote SCP server. Its value must be a string of 1 to 128
characters enclosed by double quotes, such as “[email protected]:/home/test”.

debug monitor import ftp <username> <ip_address> <file_path>

This global command is used to import a customized script from a remote FTP server. In the
customized script, administrators can enter the CLIs that display the system information they want
and then import the customized script. This way, they can collect the exact debugging information
that they want. Please disable the debug monitor function using the “debug monitor off”
command before executing this command.

username This parameter specifies the username to log into the remote FTP
server. Its value must be a string of 1 to 128 characters.

remote_ftp_ip This parameter specifies the IP address of the remote FTP server. Its
value must be an IPv4 address.

file_path This parameter specifies the path, which must include the file name,
to import the file from the FTP server. Its value must be a string of
1 to 256 characters.

debug monitor import scp <username@remote_address:filepath>

This global command imports a customized script from a remote server via SCP. In the
customized script, administrators can enter the CLIs which display the system information they
want and then import the customized script. This way, they can collect the exact debugging
information that they want. Please execute “debug monitor off” before executing this command.

username@remote_address:filepath This parameter specifies the username and the name or IP
address of the remote host on the remote SCP server. Its value must be a string of 1 to 128
characters enclosed by double quotes, such as “[email protected]:/home/test”.

show debug monitor

This global command is used to display the monitor configurations including its status and
customized scripts imported by the users.

2000-2018 Array Networks, Inc.


355
All Rights Reserved.
Chapter 12 Admin Tools

Chapter 12 Admin Tools

Administrators

Admin User and Admin Access

admin user <username> <password> [enable|config] [scope] [mode]

This global command is used to create a new administrator account. If the account already exists,
this global command is also used to update the account’s password and access privileges.

username This parameter specifies the administrator’s username. Its value must be a string of 1 to
16 characters. Tabs, spaces, 8-bit characters and special characters like “,”, “:”, “+”, “&”, “#”,
“%”, “^”, “(”, “)”, “!”, “@”, “~”, “*”, “?”, “"”, “<”, “>”, “=”, “|”, “\”, “/” are not allowed. “$”
can only appear at the end of the parameter value. Besides, the parameter value must not begin
with “-”.

password This parameter specifies the administrator’s password. Its value must be a string of 1 to
256 characters. If the password begins with a numeric character or includes any keystroke symbols
such as “!” or “$”, it must be enclosed by double quotes. If the parameter value is set to “*”, this
administrator is not allowed to log in.

enable|config This parameter specifies the administrator’s access level. Its value must be:

• enable: indicates that administrators are only allowed to run the commands of Enable mode,
and cannot access the Config mode.

• config: indicates that administrators are allowed to run all commands on the AG appliance to
make changes to any part of the appliance configuration.

scope Optional. This parameter sets the administrator’s access scope. Its value must be:

• “virtual site name”: indicates that the site administrator can run commands only under a
specified virtual site.

• global: indicates that the global administrator can run commands under the global scope and all
virtual sites.

The default value is “global”.

2000-2018 Array Networks, Inc.


356
All Rights Reserved.
Chapter 12 Admin Tools

Note: If the parameter value is set to “global”, the “mode”


parameter can be set to “all” only.

mode Optional. This parameter specifies the management mode to access and manage the AG
appliance. Its value must be:

• webui: indicates the administrator can access and manage the AG appliance only through
WebUI.

• all: indicates the administrator can access and manage the AG appliance through Console, SSH,
XML-RPC or WebUI.

The default value is “all”.
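The username and password rules above are easy to get wrong when accounts are provisioned from a script. The following Python helper is an added example, not Array Networks code: it checks a username against those rules, quotes a password exactly when the handbook says it must be quoted, and composes the “admin user” line while enforcing the note that a “global” scope allows only mode “all”. The account names and passwords are constructed.

```python
"""Lint 'admin user <username> <password> [enable|config] [scope] [mode]' arguments.

Added example, not Array Networks code. It reproduces the rules the handbook
states for the username and password parameters and for the scope/mode note,
so an administrator account list can be checked before it is typed into the CLI.
"""
# Characters the handbook lists as not allowed anywhere in a username.
FORBIDDEN = set(',:+&#%^()!@~*?"<>=|\\/')

def check_username(name):
    """Return the list of rule violations for a username; empty means acceptable."""
    problems = []
    if not 1 <= len(name) <= 16:
        problems.append("length must be 1 to 16 characters")
    if any(ch in " \t" for ch in name):
        problems.append("tabs and spaces are not allowed")
    if any(ord(ch) > 127 for ch in name):
        problems.append("8-bit characters are not allowed")
    bad = sorted({ch for ch in name if ch in FORBIDDEN})
    if bad:
        problems.append("special characters not allowed: " + " ".join(bad))
    if "$" in name[:-1]:
        problems.append("'$' may only appear at the end")
    if name.startswith("-"):
        problems.append("must not begin with '-'")
    return problems

def cli_password_argument(password):
    """Return the password as it must be typed on the 'admin user' line.

    The handbook requires double quotes when the password begins with a digit or
    contains keystroke symbols such as '!' or '$'. A password of '*' is passed
    through unchanged: it is the handbook's way to forbid login for the account.
    """
    if not 1 <= len(password) <= 256:
        raise ValueError("password must be 1 to 256 characters")
    if password == "*":
        return "*"
    if password[0].isdigit() or any(ch in "!$" for ch in password):
        return f'"{password}"'
    return password

def build_admin_user_line(name, password, level="config", scope="global", mode="all"):
    """Compose the full command, enforcing the note that a global scope allows mode 'all' only."""
    problems = check_username(name)
    if problems:
        raise ValueError("; ".join(problems))
    if level not in ("enable", "config"):
        raise ValueError("level must be 'enable' or 'config'")
    if mode not in ("webui", "all"):
        raise ValueError("mode must be 'webui' or 'all'")
    if scope == "global" and mode != "all":
        raise ValueError("a global administrator can only use mode 'all'")
    return f"admin user {name} {cli_password_argument(password)} {level} {scope} {mode}"

if __name__ == "__main__":
    # Constructed accounts: the second name violates two rules, the third is a site admin.
    for name, pw, level, scope, mode in (("netops", "9lives", "enable", "global", "all"),
                                         ("-op$s", "x", "config", "global", "all"),
                                         ("siteadm", "Winter2018!", "config", "site1", "webui")):
        try:
            print(build_admin_user_line(name, pw, level, scope, mode))
        except ValueError as err:
            print(f"rejected {name!r}: {err}")
```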

no admin user <username>

This global command is used to delete a specified administrator account.

show admin users

This global command is used to display the list of current administrator accounts (including their
encrypted passwords).

clear admin users

This global command is used to clear all administrator accounts.

admin password <username> <password>

This command is used to change an existing administrator’s password. It is available under both
the global scope and the virtual site scope.

username This parameter specifies the administrator’s username.

password This parameter specifies the administrator’s new password.

admin level <username> <enable|config>

This global command is used to change an existing administrator’s access level.

username This parameter specifies the administrator’s username.

enable|config This parameter specifies the new access level. Its value must be:

• enable: indicates that administrators are only allowed to run the commands of Enable mode,
and cannot access the Config mode.

• config: indicates that administrators are allowed to run all commands on the AG appliance to
make changes to any part of the appliance configuration.

admin access <ip_address> <netmask>

This global command is used to add an IP address or a subnet to be authorized for administrator
access. The administrator can access the system only from the authorized subnets. When no
authorized IPs or subnets have been configured, administrators can log into the system from any
source IP address.

ip_address The parameter specifies the source IP address to be authorized for access. Its value
must be an IPv4 address.

netmask This parameter specifies the netmask. Its value must be in dotted
decimal notation.

Note: After the “admin access” configurations are added or deleted, you need to restart the
WebUI for the configuration changes to take effect for all WebUI sessions. Therefore,
please execute the “webui restart” command after executing the “admin access”, “no
admin access” or “clear admin access” command.
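As an added illustration of the rule above (example code written for this handbook page, not part of the handbook itself or of the AG software), the following Python applies the "admin access" semantics to a source address: an empty list admits any source, otherwise the source must fall inside one of the authorized subnets. The entry list, the subnets and the source addresses are constructed for the example.

```python
import ipaddress

# Constructed stand-in for the entries added with "admin access <ip_address> <netmask>";
# nothing here comes from a real appliance configuration.
AUTHORIZED_ENTRIES = [
    ("10.1.2.0", "255.255.255.0"),         # a management subnet
    ("192.168.100.7", "255.255.255.255"),  # a single jump host
]


def entry_is_valid(ip, mask):
    """True when the pair is an IPv4 address with a contiguous dotted-decimal netmask,
    which is what the command requires."""
    try:
        ipaddress.IPv4Network((ip, mask), strict=False)
    except ValueError:
        return False
    return True


def authorized_networks(entries):
    """Turn (ip, dotted-decimal netmask) pairs into IPv4Network objects.
    strict=False keeps an entry usable even if host bits were set in the address."""
    return [ipaddress.IPv4Network((ip, mask), strict=False) for ip, mask in entries]


def admin_access_allowed(source_ip, entries=AUTHORIZED_ENTRIES):
    """Apply the documented rule: with no entries configured any source may log in;
    otherwise the source must fall inside at least one authorized subnet."""
    if not entries:
        return True
    try:
        src = ipaddress.IPv4Address(source_ip)
    except ipaddress.AddressValueError:
        # The command accepts IPv4 only, so a non-IPv4 source can never match an entry.
        return False
    return any(src in net for net in authorized_networks(entries))
```

Before committing a restrictive list, run `admin_access_allowed` against the address of the session you are configuring from; a list that excludes it locks the current operator out once the "webui restart" mentioned in the note is performed.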

no admin access <ip_address> <netmask>


This global command is used to delete an IP address or subnet authorized for administrator access.

show admin access


This global command is used to display all the configurations of administrator access.

clear admin access


This global command is used to clear all the configurations of administrator access.

admin sitelock access [virtual_site]


This global command is used to deny administrator access from a specified virtual site.

virtual_site Optional. This parameter specifies the name of the virtual site. If
this parameter is not specified, the administrator access from all
virtual sites will be denied.

admin sitelock config [virtual_site]


This global command is used to deny administrator “Config” level access from a specified virtual
site. Administrators will still have “Enable” level access to the virtual site.

virtual_site Optional. This parameter specifies the name of the virtual site. If
this parameter is not specified, administrator “Config” level access
from all virtual sites will be denied.

no admin sitelock [virtual_site]


This global command is used to delete configurations of administrator sitelock for a specified
virtual site. If the “virtual_site” parameter is not configured, configurations of administrator
sitelock for all virtual sites will be deleted.

show admin sitelock [virtual_site]


This global command is used to display the configured access restriction for site administrators of
a specified virtual site. If the “virtual_site” parameter is not configured, configured access
restrictions for site administrators of all virtual sites will be displayed.

admin announce <message> [mode]


This global command is used to set the message that will be sent to the specified administrator(s).

message This parameter specifies the content of the message. Its value must
be a string of 1 to 60 characters.

mode Optional. This parameter specifies the administrators to whom the
message will be sent. Its value must be:

 global: indicates that the message will be sent to the global administrators.

 “virtual site name”: indicates that the message will be sent to the site administrators.

 “empty”: indicates that the message will be sent to both the global and site administrators.

The default value is empty.

admin permit <username> <virtual_site>


This global command is used to allow a specified administrator to manage a specified virtual site.

username This parameter specifies the administrator’s username.

virtual_site This parameter specifies the name of the virtual site.

no admin permit <username>


This global command is used to delete the administrator’s management privilege for a specified
virtual site.

2000-2018 Array Networks, Inc.


359
All Rights Reserved.
Chapter 12 Admin Tools

Role-based Privilege Management

admin role name <role_name> <scope>


This global command is used to add an administrator role.

role_name This parameter specifies the name of the administrator role. Its
value must be a string of 1 to 25 characters.

scope This parameter specifies the administrator’s access scope. Its value
must be:

 “virtual site name”: indicates that the site administrator can run commands only under a specified virtual site.

 global: indicates that the global administrator can run commands under the global scope and all virtual sites.

no admin role name <role_name>


This global command is used to delete a specified administrator role.

show admin role name [role_name]


This command is used to display the configuration of a specified administrator role. If the
“role_name” parameter is not specified, configurations of all administrator roles will be displayed.

clear admin role name


This global command is used to clear configurations of all administrator roles.

admin role delegate <username> <role_name>


This global command is used to associate a role with an administrator.

username This parameter specifies the name of the administrator.

role_name This parameter specifies the name of an administrator role.

no admin role delegate <username> <role_name>


This global command is used to delete the association between an administrator role and an
administrator.

show admin role delegate <username>


This global command is used to display the association between a specified administrator and
configured administrator roles.

clear admin role delegate <username>

2000-2018 Array Networks, Inc.


360
All Rights Reserved.
Chapter 12 Admin Tools

This global command is used to clear all associations between configured administrator roles and
a specified administrator.

admin role feature <role_name> <feature> <enable|config>


This global command is used to assign a feature to an administrator role.

role_name This parameter specifies the name of an administrator role.

feature This parameter specifies the feature to be assigned to the
administrator role. You can view all the available features by
executing the “show admin role feature list” command.

enable|config This parameter specifies the administrator’s access privilege. Its
value must be:

 enable: indicates that administrators assigned with this access privilege can only view the existing configurations of the feature.

 config: indicates that administrators assigned with this access privilege can view and change the configurations of the feature.

no admin role feature <role_name> <feature>


This global command is used to delete a feature from a specified administrator role.

show admin role feature <role_name|list>


This global command is used to display the features assigned to a specified administrator role.

role_name|list This parameter specifies how to list the available features. Its value
must be:

 “role name”: indicates the features assigned to the specified administrator role will be displayed.

 list: indicates all available features will be displayed.

clear admin role feature <role_name>


This global command is used to clear all features assigned to a specified administrator role.

show admin role settings [role_name]


This global command is used to display the settings configured for a specified administrator role.
If the “role_name” parameter is not specified, settings for all administrator roles will be displayed.

2000-2018 Array Networks, Inc.


361
All Rights Reserved.
Chapter 12 Admin Tools

Admin AAA

admin aaa {on|off}


This global command is used to enable or disable the Admin AAA function, which allows the
system to authenticate and authorize administrators using external AAA servers. By default, this
function is disabled.

admin aaa localuser alwayson


This global command is used to enable administrators to be authenticated using the local database
before using external AAA servers. When the administrators fail the authentication performed by
the local database, the system will use external AAA servers to authenticate administrators if the
Admin AAA function has been enabled. By default, this function is enabled.

no admin aaa localuser alwayson


This global command is used to disable administrators from being authenticated using the local
database before using external AAA servers. That is, the system will use external AAA servers to
authenticate the administrators first. If the external AAA servers return the “Accept” or “Deny”
response, the system will not use the local database to authenticate the administrators later.
However, if the system does not receive any response from the AAA servers, the system will then
use the local database to authenticate the administrators.

admin aaa method {ldap|radius} <rank>


This global command is used to add an AAA method and add the AAA method to the rank list for
Admin AAA.

Two AAA methods are supported:

 LDAP (ldap): indicates that the LDAP host(s) configured using the “admin aaa ldap host” command will be used for authentication and authorization.

 RADIUS (radius): indicates that the RADIUS host(s) configured using the “admin aaa radius host” command will be used for authentication and authorization.

rank This parameter specifies the rank number of the AAA method in the
rank list. Its value must be 1 or 2.

When the rank number of the AAA method “ldap” is 1, the rank
number of the AAA method “radius” can only be 2, and vice versa.

no admin aaa method {ldap|radius} <rank>


This global command is used to delete the LDAP or RADIUS AAA method and their rank setting.

admin aaa method rank {on|off}

2000-2018 Array Networks, Inc.


362
All Rights Reserved.
Chapter 12 Admin Tools

This global command is used to enable or disable AAA rank for Admin AAA. By default, this
function is disabled.

When AAA rank is enabled for Admin AAA, the AAA method with rank 1 will be used for
authentication first. If an administrator fails the authentication using this AAA method, the system
will use the AAA method with rank 2 to authenticate the administrator. However, when AAA rank
is disabled for Admin AAA, only the AAA method with rank 1 can be used for authentication.
That is, if an administrator fails the authentication using this AAA method, the system will reject
the administrator.
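The interaction of "admin aaa localuser alwayson", "admin aaa method rank" and the three possible server outcomes (Accept, Deny, no response) is easy to misread, so here is an added Python model of the decision order as the handbook states it. This is example code, not the appliance's implementation: the local database, the LDAP and RADIUS stubs and the credentials are constructed, and the handling of a silent server after a Deny from the rank 1 method is an assumption noted in the code.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# A server's answer: "accept", "deny", or None when no response arrives at all.
Verdict = Optional[str]


@dataclass
class AdminAAASettings:
    aaa_on: bool = False              # admin aaa {on|off}; off by default
    localuser_alwayson: bool = True   # admin aaa localuser alwayson; on by default
    rank_on: bool = False             # admin aaa method rank {on|off}; off by default
    methods: Dict[int, str] = field(default_factory=dict)  # rank -> "ldap" | "radius"


def local_auth(local_db, user, password):
    """The appliance's local administrator database, modelled as a constructed dict."""
    return "accept" if local_db.get(user) == password else "deny"


def external_auth(settings, servers, user, password):
    """Rank 1 is always consulted; rank 2 only when rank is on and rank 1 did not accept.
    Returning the verdict of the last method consulted (so that a Deny followed by silence
    counts as no response) is this example's assumption, not a statement of the handbook."""
    order = [1, 2] if settings.rank_on else [1]
    result = "deny"
    for rank in order:
        name = settings.methods.get(rank)
        if name is None:
            continue
        result = servers[name](user, password)
        if result == "accept":
            return "accept"
    return result


def authenticate_admin(settings, local_db, servers, user, password):
    """Combine the switches in the order the handbook gives."""
    if settings.localuser_alwayson:
        # Local database first; external servers only after a local failure and only
        # when Admin AAA is enabled.
        if local_auth(local_db, user, password) == "accept":
            return True
        if not settings.aaa_on:
            return False
        return external_auth(settings, servers, user, password) == "accept"
    # "no admin aaa localuser alwayson": external first; an Accept or Deny is final,
    # and the local database is consulted only when the servers do not answer.
    if settings.aaa_on:
        verdict = external_auth(settings, servers, user, password)
        if verdict in ("accept", "deny"):
            return verdict == "accept"
    # With Admin AAA off there is nothing external to ask; fall back to the local database.
    return local_auth(local_db, user, password) == "accept"


# Constructed local database and server stubs (not real credentials or hosts).
LOCAL_DB = {"array": "local-pw"}


def ldap_stub(user, password):
    return "accept" if (user, password) == ("alice", "ldap-pw") else "deny"


def radius_stub(user, password):
    return "accept" if (user, password) == ("bob", "radius-pw") else "deny"


def silent_stub(user, password):
    return None  # models a server that never replies


SERVERS = {"ldap": ldap_stub, "radius": radius_stub}
SILENT_SERVERS = {"ldap": silent_stub, "radius": silent_stub}
```

The model makes the operational consequence visible: with "no admin aaa localuser alwayson", a reachable external server that denies the local "array" account keeps that account out, while an unreachable server lets it back in.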

admin aaa ldap host <ip> <port> <username> <password> <base> <timeout> [index] [tls_flag]

This global command is used to configure an LDAP host for Admin AAA if the LDAP AAA
method is used. A maximum of three LDAP hosts can be configured.

ip This parameter specifies the IP address of the LDAP host. Its value
must be an IPv4 address.

port This parameter specifies the port of the LDAP host. Its value must
be an integer ranging from 1 to 65,535.

username This parameter specifies the username of the LDAP host
administrator.

password This parameter specifies the password of the LDAP host
administrator.

base This parameter specifies the Distinguished Name (DN) of the entry
at which to start the search for administrators. Its value must be a
string of 1 to 900 characters.

timeout This parameter specifies the idle timeout to allow search to run, in
seconds. Its value must be an integer ranging from 1 to 65,535.

index Optional. This parameter specifies the host index. Its value must be
1, 2 or 3. The default value is 1.

tls_flag Optional. This parameter specifies whether to access the LDAP
server over the TLS protocol. Its value must be:

 “tls”: indicates that the LDAP server is accessed over the TLS protocol.

 empty: indicates the LDAP server is not accessed over the TLS protocol.

The default value is empty.

no admin aaa ldap host <index>


This global command is used to delete a specified LDAP host for Admin AAA.

admin aaa ldap idletimeout [idle_time]


This global command is used to set the idle timeout value for the configured LDAP host(s). The
connection to an LDAP host will be terminated when the connection has been idle for a specified
timeout value.

idle_time Optional. This parameter specifies the idle timeout value in
seconds. Its value must be an integer ranging from 60 to 3000. The
default value is 600.

no admin aaa ldap idletimeout


This global command is used to delete the idle timeout setting for the configured LDAP host(s).

admin aaa ldap searchfilter <filter_string>


This global command is used to configure a search filter for the configured LDAP host(s). The
search filter plays an important role in authenticating and authorizing users through LDAP. For
the functions of the search filter in static and dynamic binding, please refer to the commands
“admin aaa ldap bind dynamic” and “admin aaa ldap bind static”.

filter_string This parameter specifies a filter string used to search for the LDAP
entries. Its value must be a string of 1 to 80 characters, which must
be enclosed by double quotes.

The filter string consists of:

 attribute: Common Name (cn), Distinguished Name (dn), User Id (uid), Organization Unit (ou) and so on.

 comparison operator: “>”, “<” or “=”.

 logical operator: “&” (and), “|” (or), “!” (not), “=” (equal to), or “*” (any).

Please refer to the RFC for details of the LDAP filter string.

The filter string can contain at most three tokens represented by
“<USER>”. For example, if the “filter_string” parameter is set to
“cn=<USER>”, the AG appliance will generate a search filter by
replacing “<USER>” with an administrator’s real username when
the administrator requests authentication.

2000-2018 Array Networks, Inc.


364
All Rights Reserved.
Chapter 12 Admin Tools

For example:

vs(config)#admin aaa ldap searchfilter "cn=<USER>"
vs(config)#admin aaa ldap searchfilter "(!(cn=<USER>))"
vs(config)#admin aaa ldap searchfilter "(&(objectClass=Person)(|(sn=<USER>)(cn=<USER>*)))"

no admin aaa ldap searchfilter


This global command is used to delete the search filter configured for the configured LDAP
host(s).

admin aaa ldap attribute group <attribute>


This global command is used to specify an attribute used to obtain the external LDAP group of the
administrator from the LDAP entry.

attribute This parameter specifies the name of the attribute to be extracted
(from the LDAP entries) as the group information for the
administrators. Its value must be a string of 1 to 80 characters.

no admin aaa ldap attribute group


This global command is used to delete the configuration of the attribute used to obtain the external
LDAP group from the LDAP entry.

admin aaa group in dn


This global command is used to enable the function of extracting DN (Distinguished Name) as the
administrators’ group information. The part of the DN to be extracted as the group information is
configured using the “aaa group regex” command. By default, this function is disabled.

no admin aaa group in dn


This global command is used to disable the function of extracting DN (Distinguished Name) as
the administrators’ group information.

admin aaa group regex <expression>


This global command is used to specify a regular expression used to extract the administrators’
group information from the DN.

expression This parameter specifies the regular expression that defines the part
of the DN to be extracted as the group information. Its value must
be a string of 1 to 64 characters.

admin aaa ldap defaultgroup <group_name>


This global command is used to define the default group assigned to authenticated administrators
that do not belong to any other LDAP group when the LDAP AAA method is used.

2000-2018 Array Networks, Inc.


365
All Rights Reserved.
Chapter 12 Admin Tools

group_name This parameter specifies the default group name for administrators
that do not belong to any other LDAP group. Its value must be a
string of 1 to 80 characters.

no admin aaa ldap defaultgroup


This global command is used to delete the setting of the default group for authenticated
administrators that do not belong to any other LDAP group when the LDAP AAA method is used.

admin aaa ldap bind dynamic


This global command is used to enable the “dynamic” LDAP Bind mode. In this case, the AG
appliance will fetch Distinguished Name (DN) from the LDAP host.

In dynamic LDAP bind mode, the system sends a Bind request containing the LDAP admin’s
username and password to the LDAP host and sends a Search request containing the search filter
string (configured by “aaa server ldap searchfilter”) to obtain the LDAP entry of the
administrator. The system obtains the first DN and sends it together with the password of the
administrator in another Bind request to the LDAP host. After the administrator passes the
authentication, the system reuses the obtained LDAP entry to authorize the administrator.

no admin aaa ldap bind dynamic


This global command is used to disable the “dynamic” LDAP Bind mode.

admin aaa ldap bind static <dn_prefix> <dn_suffix>


This global command is used to enable the “static” LDAP Bind mode. In this case, the AG
appliance will construct the administrator’s DN by concatenating the strings
<dn_prefix><USER><dn_suffix>. <USER> is the username used to log into the AG appliance.

In static LDAP Bind mode, the system sends the DN (<dn_prefix><USER><dn_suffix>) together
with the password of the administrator in a Bind request to the LDAP host. After the administrator
passes the authentication, the system sends a Search request containing the configured search filter
string to obtain the LDAP entry of this administrator. Then, it authorizes the administrator based
on the obtained LDAP entry.

dn_prefix This parameter specifies the DN prefix. Its value must be a string of
1 to 80 characters.

dn_suffix This parameter specifies the DN suffix. Its value must be a string of
1 to 80 characters.
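To make the "<USER>" substitution of "admin aaa ldap searchfilter", the two Bind modes and the "admin aaa group regex" extraction concrete, here is one added Python example that walks both flows against an in-memory directory. It is example code, not the appliance's LDAP client: the directory entries, DNs, passwords and group names are constructed, and the RFC 4515 filter escaping and RFC 4514 DN escaping applied to the username are this example's own safeguard, since the handbook does not say how the appliance substitutes the token.

```python
import re

# RFC 4515 escaping for a value inserted into a search filter (example's own addition).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514 special characters for a value placed inside a DN (example's own addition).
_DN_SPECIALS = set('\\,+"<>;=')


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    out = "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)
    return "\\" + out if out[:1] in ("#", " ") else out


def render_search_filter(filter_string, username, max_tokens=3):
    """Replace the <USER> tokens (at most three, as documented) with the escaped username."""
    if filter_string.count("<USER>") > max_tokens:
        raise ValueError("filter may contain at most %d <USER> tokens" % max_tokens)
    return filter_string.replace("<USER>", escape_filter_value(username))


# Constructed in-memory directory standing in for the LDAP host: DN -> (password, attributes).
DIRECTORY = {
    "cn=ldapadmin,dc=example,dc=com": ("admin-bind-pw", {"cn": "ldapadmin"}),
    "cn=alice,ou=netops,dc=example,dc=com": ("alice-pw", {"cn": "alice", "memberOf": "netops-admins"}),
}


def fake_bind(dn, password):
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[0] == password


def fake_search(base, rendered_filter):
    """Understands only the equality form "cn=value" / "(cn=value)", enough for this example."""
    m = re.fullmatch(r"\(?cn=([^()]*)\)?", rendered_filter)
    if not m:
        return []
    return [(dn, attrs) for dn, (_, attrs) in DIRECTORY.items()
            if dn.endswith(base) and attrs.get("cn") == m.group(1)]


def dynamic_bind(admin_dn, admin_pw, base, filter_string, username, password):
    """Dynamic mode: bind as the LDAP admin, search with the filter, take the first DN,
    bind again with the administrator's password, authorize on the fetched entry."""
    if not fake_bind(admin_dn, admin_pw):
        return None
    hits = fake_search(base, render_search_filter(filter_string, username))
    if not hits:
        return None
    dn, attrs = hits[0]
    return attrs if fake_bind(dn, password) else None


def static_bind(dn_prefix, dn_suffix, base, filter_string, username, password):
    """Static mode: bind with <dn_prefix><USER><dn_suffix>, then search for the entry
    to authorize. Escaping the username inside the DN is this example's addition."""
    dn = dn_prefix + escape_dn_value(username) + dn_suffix
    if not fake_bind(dn, password):
        return None
    hits = fake_search(base, render_search_filter(filter_string, username))
    return hits[0][1] if hits else None


def group_from_dn(dn, expression):
    """"admin aaa group in dn" with "admin aaa group regex": the first capture group of
    the expression, matched against the DN, is taken as the administrator's group."""
    m = re.search(expression, dn)
    return m.group(1) if m and m.groups() else None
```

The difference between the modes shows in the failure path: in dynamic mode a username that matches no entry fails at the search, before any password is sent, whereas in static mode the username is part of the DN that is bound with, which is why the value placed into the DN is escaped here.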

no admin aaa ldap bind static


This global command is used to disable the “static” LDAP Bind mode.

admin aaa radius host <ip> <port> <secret> <retries> <timeout> [index]

2000-2018 Array Networks, Inc.


366
All Rights Reserved.
Chapter 12 Admin Tools

This global command is used to configure a RADIUS host for Admin AAA if a RADIUS method
is used. A maximum of three RADIUS hosts can be configured.

ip This parameter specifies the IP address of the RADIUS host. Its
value must be an IPv4 address.

port This parameter specifies the port of the RADIUS host. Its value
must be an integer ranging from 1 to 65,535.

secret This parameter specifies the shared secret text string used by the
AG appliance and the RADIUS host to encrypt passwords and
exchange responses. Its value must be a string of 1 to 80 characters.

retries This parameter specifies the retry times to connect to the RADIUS
host. Its value must be an integer ranging from 1 to 65,535.

timeout This parameter specifies the timeout value of the search in seconds.
Its value must be an integer ranging from 1 to 65,535.

index Optional. This parameter specifies the host index. Its value must be
1, 2 or 3. The default value is 1.

no admin aaa radius host <index>


This global command is used to delete a specified RADIUS host.

admin aaa radius attribute group <attribute>


This command is used to specify an attribute used to obtain the external RADIUS group of the
administrator from the RADIUS entry. Please note that individual attributes may vary depending
on the individual network requirements.

attribute This parameter specifies the ID of the attribute used to obtain the
external RADIUS group of the administrator from the RADIUS
entry. For example, use 25 for the “Class” attribute. Numbers for
other attributes are available in the RADIUS RFC (RFC 2865) and
are listed below.

1 User-Name
2 User-Password
3 CHAP-Password
4 NAS-IP-Address
5 NAS-Port
6 Service-Type
7 Framed-Protocol
8 Framed-IP-Address
9 Framed-IP-Netmask
10 Framed-Routing
11 Filter-Id
12 Framed-MTU
13 Framed-Compression
14 Login-IP-Host
15 Login-Service
16 Login-TCP-Port
17 (unassigned)
18 Reply-Message
19 Callback-Number
20 Callback-Id
21 (unassigned)
22 Framed-Route
23 Framed-IPX-Network
24 State
25 Class
26 Vendor-Specific
27 Session-Timeout
28 Idle-Timeout
29 Termination-Action
30 Called-Station-Id
31 Calling-Station-Id
32 NAS-Identifier
33 Proxy-State
34 Login-LAT-Service
35 Login-LAT-Node
36 Login-LAT-Group
37 Framed-AppleTalk-Link
38 Framed-AppleTalk-Network
39 Framed-AppleTalk-Zone
40-59 (reserved for accounting)
60 CHAP-Challenge
61 NAS-Port-Type
62 Port-Limit
63 Login-LAT-Port
no admin aaa radius attribute group


This global command is used to delete the configuration of the attribute used to obtain the external
RADIUS group of the user from the RADIUS entry.

admin aaa radius defaultgroup <group_name>


This global command is used to define the default group assigned to authenticated administrators
that do not belong to any other RADIUS group when the RADIUS AAA method is used.

group_name This parameter specifies the default group name for administrators
that do not belong to any other RADIUS group. Its value must be a
string of 1 to 80 characters.

no admin aaa radius defaultgroup


This global command is used to delete the setting of the default group for authenticated
administrators that do not belong to any other RADIUS group when the RADIUS AAA method is
used.

admin aaa radius nasip <nasip>


This global command is used to set the “NAS-IP-Address” (IP address of NAS, Network Access
Server) attribute in the RADIUS requests. If this command is not configured, the IP address of the
first active interface will be used.

nasip This parameter specifies the NAS IP address of the RADIUS server.
Its value must be an IPv4 address.

no admin aaa radius nasip


This command is used to delete the setting of the “NAS-IP-Address” attribute.

admin group <group_name> <access_level> [scope]

2000-2018 Array Networks, Inc.


369
All Rights Reserved.
Chapter 12 Admin Tools

This global command is used to set the access privilege for a specified external administrator
group.

group_name This parameter specifies the name of an external administrator
group.

access_level This parameter specifies the access privilege assigned to the
external administrator group. Its value must be:

 enable: indicates that administrators are only allowed to run the commands of Enable mode, and cannot access the Config mode.

 config: indicates that administrators are allowed to run all commands on the AG appliance to make changes to any part of the appliance configuration.

scope Optional. This parameter specifies the access scope of the external
administrator group. Its value must be:

 “virtual site name”: indicates that the site administrator can run commands only under a specified virtual site.

 global: indicates that the global administrator can run commands under the global scope and all virtual sites.

The default value is “global”.
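As an added example covering "admin aaa radius attribute group", "admin aaa radius defaultgroup" and the "admin group" mapping above (example code, not Array's implementation and not from the handbook), the following Python decodes the RFC 2865 attribute layout of a constructed Access-Accept, takes the configured attribute (25, Class, in the handbook's own example) as the group, falls back to the default group when that attribute is absent, and maps the group through a constructed "admin group" table. The packet contents, group names and table are assumptions; the Response Authenticator is not verified here.

```python
import os
import struct

ACCESS_ACCEPT = 2
CLASS_ATTR = 25   # value given to "admin aaa radius attribute group" for the Class attribute


def build_attribute(atype, value):
    """Encode one RFC 2865 attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value


def build_access_accept(identifier, group_value, authenticator=None):
    """Constructed Access-Accept (Code 2). The Response Authenticator is random filler
    because this example does not compute or check the MD5 over the shared secret."""
    attrs = build_attribute(1, b"alice") + build_attribute(18, b"Welcome")
    if group_value is not None:
        attrs += build_attribute(CLASS_ATTR, group_value)
    auth = authenticator or os.urandom(16)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + auth + attrs


def parse_radius_packet(packet):
    """Return (code, identifier, [(type, value), ...]); reject malformed length fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[i + 2:i + alen]))
        i += alen
    return code, identifier, attrs


def is_well_formed(packet):
    try:
        parse_radius_packet(packet)
    except ValueError:
        return False
    return True


def radius_admin_group(packet, attribute_id=CLASS_ATTR, default_group=None):
    """Group selection as the handbook describes it: the configured attribute's value,
    else the "admin aaa radius defaultgroup" name. Treating anything other than an
    Access-Accept as 'no group' is this example's assumption."""
    code, _, attrs = parse_radius_packet(packet)
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in attrs:
        if atype == attribute_id:
            return value.decode("utf-8", errors="replace")
    return default_group


# Constructed "admin group <group_name> <access_level> [scope]" table.
ADMIN_GROUPS = {
    "netops-admins": ("config", "global"),
    "site-viewers": ("enable", "vs1"),
}


def resolve_privilege(group, admin_groups=ADMIN_GROUPS):
    """Map an external group to (access_level, scope); an unmapped group gets no privilege."""
    return admin_groups.get(group)
```

The default group matters more than it looks: every administrator the RADIUS server accepts without a Class attribute lands in it, so the "admin group" entry for that name decides whether such accounts get Enable or Config level access.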

no admin group <group_name>


This global command is used to delete the setting of the access privilege for a specified external
administrator group.

show admin group


This global command is used to display settings of access privileges for all external administrator
groups.

clear admin group


This global command is used to clear settings of access privileges for all external administrator
groups.

show admin aaa config


This global command is used to display all configurations related to the Admin AAA function.

clear admin aaa config


This global command is used to clear all configurations related to the Admin AAA function.

2000-2018 Array Networks, Inc.


370
All Rights Reserved.
Chapter 12 Admin Tools

System Access

Console Access

system console reset


This global command is used to reset the system console.

pager <lines>
This global command is used to enable the pagination function for the command output and set the
number of lines in the command output that can be displayed in one page. If one page cannot
display the entire command output, you can press Enter to display one more line each time or
press Space to display one more page each time.

lines This parameter specifies the number of lines to be displayed in one
page. Its value must be an integer ranging from 0 to 255. If it is set
to 0, the lines that the current window can contain will be
displayed.

no pager
This global command is used to disable the display paging function. After this command is
executed, all outputs will be displayed without stopping.

show pager
This global command is used to display the setting for the display paging function.

WebUI Access

webui {on|off}
This global command is used to enable or disable the Web User Interface (WebUI).

webui restart
This global command is used to restart the WebUI.

webui ip <ip_address>
This global command is used to set the WebUI IP address. After this command is executed,
administrators can access the system via WebUI only through the specified IP address. Only one
IPv4 address and one IPv6 address can be set as the WebUI IP address.

ip_address This parameter specifies the IP address for WebUI access. It must
be an IPv4 or IPv6 address. The value of the WebUI IP address
must be an interface IP or a virtual site IP. Otherwise, the WebUI
may fail to work.

no webui ip <ip_address>
This global command is used to delete a specified WebUI IP address.

clear webui ip
This global command is used to clear the WebUI IP address setting. After executing this command,
users can access the WebUI through any interface IP or configured virtual site IP.

webui port <port>


This global command is used to set the port number for accessing the WebUI. If this command is
not configured, the default port number is 8888.

port This parameter specifies the port number for accessing the WebUI.
Its value must be an integer ranging from 1025 to 65,000.

clear webui port


This global command is used to reset the port number of WebUI to the default value.

webui language <login_language>


This global command is used to set the login language of WebUI. If this command is not
configured, the default login language of WebUI is English.

login_language This parameter specifies the login language of WebUI. Its value
must be “en” (English), “cn” (Simplified Chinese) or “jp”
(Japanese).

clear webui language


This global command is used to set the login language of WebUI to the default value.

webui idletimeout <timeout>


This global command is used to set the idle timeout value for WebUI. If this command is not
configured, the default idle timeout value is 15 minutes.

timeout This parameter specifies the idle timeout value for WebUI. Its value
must be an integer ranging from 1 to 65,535, in minutes.

clear webui idletimeout


This global command is used to reset the WebUI idle timeout value to the default value.

show webui settings


This global command is used to display the WebUI status.

2000-2018 Array Networks, Inc.


372
All Rights Reserved.
Chapter 12 Admin Tools

WebUI SSL Settings

webui ssl import pem [url]


This command is used to import a PEM-format certificate for the WebUI in the copy-n-paste way
or from a remote FTP, TFTP or HTTP server. A PEM-format certificate file contains a Certificate
Authority (CA) certificate and the associated private key.

When the “url” parameter is not specified, you can import the certificate by copying and pasting the
contents of the PEM-format certificate into the CLI. The entering of “…” is required in the bottom
line following the certificate to mark the end of the import.

url Optional. This parameter specifies the FTP, TFTP or HTTP URL
from which the PEM-format certificate is imported. Its value must
be a string of 1 to 950 characters.

webui ssl import interca [url]


This command is used to import an intermediate certificate for the WebUI in the copy-n-paste way
or from a remote FTP, TFTP or HTTP server.

When the “url” parameter is not specified, you can import the certificate by copying and pasting
the contents of the intermediate certificate into the CLI. The entering of “…” is required in the
bottom line following the certificate to mark the end of the import.

url Optional. This parameter specifies the FTP, TFTP or HTTP URL
from which the intermediate certificate is imported. Its value must
be a string of 1 to 950 characters.

show webui ssl certificate


This command is used to display the certificate imported for the WebUI.

show webui ssl interca


This command is used to display the intermediate certificate imported for the WebUI.

clear webui ssl cert


This command is used to delete the certificate imported for the WebUI.

clear webui ssl interca


This command is used to delete the intermediate certificate imported for the WebUI.

SSH Access

ssh {on|off}

2000-2018 Array Networks, Inc.


373
All Rights Reserved.
Chapter 12 Admin Tools

This global command is used to enable or disable the SSH access function on the AG appliance.
By default, SSH access is enabled.

ssh ip <ip_address>
This global command is used to set the SSH IP address. After this command is executed,
administrators can access the system via SSH only through the specified IP address. If this
command is not configured, administrators can access the AG appliance via SSH at any available
IP address (including virtual site IP addresses) on the AG appliance.

ip_address This parameter specifies the IP address for SSH access. Its value
must be:

 “0.0.0.0”: indicates all the IPv4 addresses configured on the system.

 “::”: indicates all the IPv6 addresses configured on the system.

Please note that the value of the SSH IP address must be an
interface IP or a virtual site IP.

no ssh ip <ip_address>
This global command is used to delete a specified SSH IP address.

ssh idletimeout <minutes> [inputonly|inputoutput]


This global command is used to set the idle timeout value for SSH access. If this command is not
configured, the default idle timeout value is 9,999,999, indicating no SSH idle timeout.

minutes This parameter specifies the idle timeout value for SSH access. Its
value must be an integer ranging from 1 to 9,999,999, in minutes.

inputonly|inputoutput Optional. This parameter indicates when the SSH session will be
considered as not idle.

 inputonly: indicates that the SSH session will be considered as not idle only when there is user input.

 inputoutput: indicates that the SSH session will be considered as not idle when there is user input or TTY output.

The default value is “inputonly”.

no ssh idletimeout
This global command is used to reset the idle timeout value for SSH access to the default setting,
9,999,999.

ssh auth passwd {on|off} <username>

2000-2018 Array Networks, Inc.


374
All Rights Reserved.
Chapter 12 Admin Tools

This global command is used to enable or disable SSH password authentication for a specified
administrator. By default, this function is enabled for every administrator.

username This parameter specifies the existing administrator’s username
configured via the “admin user” command or the default
administrator’s username “array”.

ssh auth key {on|off} <username>


This global command is used to enable or disable SSH public key authentication for a specified
administrator. By default, this function is disabled for every administrator.

username This parameter specifies the existing administrator’s username
configured via the “admin user” command or the default
administrator’s username “array”.

ssh regenerate keys


This global command is used to regenerate host keys for the SSH server on the AG appliance.
After this command is executed, the SSH server will use the newly generated keys as its host key.
SSH clients will need to update with the new public keys of the SSH server in order to connect
with the server.

ssh import key <username> [url]


This global command is used to import an SSH public key for a specified administrator.

username This parameter specifies the existing administrator’s username
configured via the “admin user” command or the default
administrator’s username “array”.

url Optional. This parameter specifies the HTTP, FTP or TFTP URL
from which the SSH public key is imported. Its value must be a
string of 1 to 256 characters. The default value is empty.

no ssh key <username>


This global command is used to delete the SSH public key imported for a specified administrator.

show ssh key [username]


This global command is used to display the SSH public key imported for a specified administrator.
If the “username” parameter is not specified, SSH public keys imported for all administrators will
be displayed.

clear ssh key


This global command is used to clear SSH public keys imported for all administrators.

2000-2018 Array Networks, Inc.


375
All Rights Reserved.
Chapter 12 Admin Tools

show ssh conf


This global command is used to display the SSH access status, the settings of the SSH IP address,
idle timeout, SSH public key authentication status and SSH password authentication status.

RESTful API Access

restapi on [port]
This command is used to enable RESTful API-based Web service. By default, this function is
disabled. RESTful API-based Web service uses the HTTPS protocol.

port Optional. This parameter specifies the port number at which the
RESTful API-based Web service listens. Its value must be an
integer ranging from 1025 to 65,000, but cannot be the same port
used by other services.

The default value is 9997.

restapi off
This command is used to disable RESTful API-based Web service.

show restapi
This command is used to display the configuration of RESTful API Web service.

XML-RPC Access

xmlrpc on [https|http]
This command is used to enable the XML-RPC function, which works by sending an HTTP-based
request (including the XML-RPC message) to the AG appliance. By default, the XML-RPC
function is disabled.

https|http Optional. This parameter specifies the protocol used to transmit the
XML-RPC messages. The default value is “https”.

xmlrpc off
This command is used to disable the XML-RPC function.

xmlrpc ip <ip_address>
This global command is used to set the XML-RPC IP address. After this command is executed,
administrators can access the system via XML-RPC only through the specified IP address. If this
command is not configured, 0.0.0.0 will be used as the default value and administrators can access
the AG appliance via XML-RPC at any available IPv4 address (including virtual site IP addresses)
on the AG appliance.

2000-2018 Array Networks, Inc.


376
All Rights Reserved.
Chapter 12 Admin Tools

ip_address This parameter specifies the IP address for XML-RPC access. Its
value must be an IPv4 address configured in the system or 0.0.0.0,
indicating all the IPv4 addresses configured in the system.

no xmlrpc ip <ip_address>
This global command is used to delete a specified IP address configured for XML-RPC access.

xmlrpc port <port>


This command is used to configure the port number for XML-RPC access. If this command is not
configured, the default port number is 9999.

port This parameter specifies the port number for XML-RPC access.
Its value must be an integer ranging from 1025 to 65,000.

xmlrpc authentication {on|off}


This global command is used to enable or disable the XML-RPC authentication function.

xmlrpc authentication user <username> <password>


This global command is used to configure the username and password for XML-RPC
authentication.

username  This parameter specifies the username for XML-RPC authentication. Its value must be a string of 1 to 8 characters.

password  This parameter specifies the password for XML-RPC authentication. Its value must be a string of 1 to 13 characters.

show xmlrpc
This global command is used to display configurations of the XML-RPC function and the
XML-RPC Authentication function, including the XML-RPC IP address, the designated
XML-RPC port, and the configured XML-RPC Authentication username and password.

clear xmlrpc
This command is used to reset the settings of the XML-RPC function and the XML-RPC
authentication function to their default values.

System Management

System Information

show version

2000-2018 Array Networks, Inc.


377
All Rights Reserved.
Chapter 12 Admin Tools

This global command is used to display the basic information of the AG appliance, such as host
name, Array Networks software version, system CPU, available memory and total memory, latest
booting time, licensed features, and system up time.

Example:

AN(config)#show version

ArrayOS Rel.AG.9.4.0.94 build on Fri Jun 24 23:39:57 2017

Host name : AN
System CPU : Intel(R) Pentium(R) CPU G6950 @ 2.80GHz
System Module : X8SIE-LN4
System RAM : 3829948 kbytes.
System boot time : Fri Aug 12 09:57:08 GMT (+0000) 2017
Current time : Fri Aug 12 11:22:09 GMT (+0000) 2017
System up time : 1 day, 19:25
Platform Bld Date : Fri Jun 24 23:39:57 CST 2017
SSL HW : HW ( 1X4D ) Initialized
Compression HW : No HW Available
Power supply : 1U, AC
Network Interface : 4 x Gigabit Ethernet copper
Model : Array AG1100, RAM Limit: 4096 MB
Serial Number : 0437A33459211000002262016314154
Maximum Sessions : 500
Maximum VPortals : 256
Licensed Features : WebWall Clustering SSL SwCompression VPNClient
HostCheck CacheCleaner WebApps SSF MobileClient
DesktopDirect AdvancedClient AdvancedDLP SSF_SM SMS
SWMaintenance MobileDirect
License Key : kKwDxIWU-cLA0IQ0w-nU8nnX+V-P9g=#131-4d67d9a8-25cf122a
-6d67eaa3-feef0122-4d#7ebaa-fdaf1#dc-ba98765
License Date : Expires on Sep 28 2018

Array Networks Customer Support


Telephone : 1-877-992-7729 (1-877-99-ARRAY)
Email : [email protected]
Update : please contact support for instructions
Website : http://www.arraynetworks.net

Other Root Version


Rel.AG.9.4.0.30 build on Wed Mar 30 0:45:32 2017

show version

2000-2018 Array Networks, Inc.


378
All Rights Reserved.
Chapter 12 Admin Tools

This command is used to display the basic information of the AG appliance, such as host name,
Array Networks software version, system CPU, available memory and total memory, latest
booting time, licensed features, and system up time.

System Resource Status

show memory
This global command is used to display the memory critical information relating to the AG
appliance.

Example:

The following lines describe system connection resource usage:


ITEM SIZE LIMIT USED FREE REQUESTS
TCP small pcb: 64, 20000, 426, 19574, 4490795
TCP pcb: 288, 20000, 1, 19999, 5219107

Each connection owns a “pcb” data structure. There are two kinds of “pcb” data structures: “small
pcb” is used for TCP connections in the “TIME_WAIT” state and is 64 bytes in size, and “pcb” is used
for all other TCP connections and is larger (288 bytes). The “LIMIT” column specifies the total
number of data structure items. “USED” is the number of items in use. “FREE” is the number of
items remaining that may still be used. “REQUESTS” is the accumulated total of usages and only ever
increases.
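A pcb pool that approaches its LIMIT is worth alerting on: a “small pcb” pool near LIMIT is the signature of a TIME_WAIT flood, and a “pcb” pool near LIMIT means the appliance is about to refuse new TCP connections. The parser below is an added example, not Array Networks code. It reads the two pcb rows exactly as the handbook prints them, checks that USED + FREE equals LIMIT, and flags pools above a utilization threshold; the second sample block is constructed to exercise the alert path.

```python
import re

# The "show memory" rows as printed in the handbook (header plus two pools).
SAMPLE_SHOW_MEMORY = """\
ITEM SIZE LIMIT USED FREE REQUESTS
TCP small pcb: 64, 20000, 426, 19574, 4490795
TCP pcb: 288, 20000, 1, 19999, 5219107
"""

# Constructed sample of a pool under pressure (not from the handbook).
CONSTRUCTED_PRESSURE = """\
ITEM SIZE LIMIT USED FREE REQUESTS
TCP small pcb: 64, 20000, 19600, 400, 88123456
TCP pcb: 288, 20000, 1200, 18800, 91234567
"""

ROW_RE = re.compile(
    r"^\s*(?P<item>[^:]+):\s*(?P<size>\d+),\s*(?P<limit>\d+),"
    r"\s*(?P<used>\d+),\s*(?P<free>\d+),\s*(?P<requests>\d+)\s*$"
)


def parse_pcb_table(text):
    """Return one dict per pool row; the header and unrelated lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = {k: int(v) for k, v in m.groupdict().items() if k != "item"}
        row["item"] = m.group("item").strip()
        rows.append(row)
    return rows


def utilization(row):
    """Fraction of the pool's LIMIT currently in use."""
    return row["used"] / row["limit"] if row["limit"] else 0.0


def consistent(row):
    """USED + FREE should equal LIMIT; a mismatch means the sample was
    captured mid-update or the output was mangled in transit."""
    return row["used"] + row["free"] == row["limit"]


def pools_under_pressure(rows, threshold=0.90):
    """Names of pools whose utilization is at or above the threshold."""
    return [r["item"] for r in rows if utilization(r) >= threshold]


if __name__ == "__main__":
    for text in (SAMPLE_SHOW_MEMORY, CONSTRUCTED_PRESSURE):
        rows = parse_pcb_table(text)
        for r in rows:
            print("%-15s %5.1f%% used  consistent=%s"
                  % (r["item"], 100 * utilization(r), consistent(r)))
        print("under pressure:", pools_under_pressure(rows))
```

Because REQUESTS only ever increases, the useful signal from that column is its rate between two samples, not its absolute value; a sudden jump in the “small pcb” request rate with rising utilization is the pattern to correlate with firewall and access logs.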

System License

system license <key> [validate|novalidate]

This global command is used to enter a license key for the AG appliance. Without a valid license
key, the AG appliance will not automatically reload configurations or run properly.

key  This parameter specifies the license key value.

validate|novalidate  Optional. This parameter specifies whether to validate the entered license key. If the parameter value is specified as “validate”, the system will first validate the entered key. If the key is validated, the system will import and save the license key. If specified as “novalidate”, the system will import and save the license key without any validation. The default value is “validate”.

System Reboot and Shutdown

system reboot [mode]


This global command is used to reboot the system. The last saved system configurations (using the
“write memory” command) will be loaded during the reboot process.

2000-2018 Array Networks, Inc.


379
All Rights Reserved.
Chapter 12 Admin Tools

mode  Optional. This parameter specifies whether to interact with the AG appliance. Its value must be:

• default: indicates that the default prompt will be displayed. The default prompt is:

Unsaved configuration changes will be lost.

This will reboot the system immediately.

Type “YES” to continue:

• noninteractive: indicates that the default prompt will not be displayed, and the system will reboot immediately.

The default value is default.

system shutdown [halt|poweroff] [mode]


This global command is used to shut down the system.

halt|poweroff  Optional. This parameter specifies the mode used for system shutdown. Its value must be:

• halt: indicates that the system halts but the power is not turned off. The system will automatically reboot when the power comes back after power off. This parameter value is very convenient when the AG appliance is remote to the administrator.

• poweroff: indicates that the system halts and the power is turned off.

The default value is poweroff.

mode  Optional. This parameter specifies whether to interact with the AG appliance. Its value must be:

• default: indicates that the default prompt will be displayed. The default prompt is:

Unsaved configuration changes will be lost.

This will reboot the system immediately.

Type “YES” to continue:

• noninteractive: indicates that the default prompt will not be displayed, and the system will reboot immediately.

2000-2018 Array Networks, Inc.


380
All Rights Reserved.
Chapter 12 Admin Tools

The default value is default.

System Update and Fallback

system update <url>


This global command is used to update the software version running on the system. When this
command is executed, the system will import the new software package from the specified
HTTPS, HTTP or FTP URL and install the software package. The system will automatically
reboot immediately after the software package is installed and the new software version will take
effect after the reboot.

url This parameter specifies the HTTPS, HTTP or FTP URL used to
import the new software package. Its value must be a string of 1 to
256 characters.

Example:

AN(config)#system update http://192.168.10.10/Rel_AG_9_4_0_94.array

This will upgrade your system from http://192.168.10.10/Rel_AG_9_4_0_94.array


Power outages or other systems failures may corrupt the system.
It is highly recommended that you save your configuration on an
external system prior to upgrading or downgrading.
Any configuration changes that have not been "saved" will be lost.
After a successful patch the system will be rebooted.
Array Networks, Inc.

Type "YES" to confirm upgrade: YES

Note: If this command is executed via an SSH connection and the SSH connection is
terminated during the update, the system will not be able to complete the update process.

Do not disconnect the connections to the AG appliance during the system update process.

system package <url> [md5_value]


This command is used to import a system software package into the system.

url This parameter specifies the HTTPS, HTTP or FTP URL used to
import the new software package. Its value must be a string of 1 to
256 characters.

md5_value  Optional. This parameter specifies the MD5 value of the new software package. The MD5 value is used to validate the integrity of the imported software package.

The default value is empty, indicating no MD5 integrity validation.

Note: After the system software package is imported into the system, you can update the
system using this package by executing the “system update” command with the “URL”
parameter set to “/var/package/package_name”.
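The MD5 check in “system package” only detects a package that was corrupted or truncated in transit; it cannot prove the package came from the vendor, because MD5 collisions are practical and an attacker who can replace the package on the download server can usually replace a digest published next to it as well. Obtain the expected value from the vendor over an authenticated channel and compute the digest of the file you actually host. The helper below is an added example, not Array Networks code; it streams the file so large packages do not have to fit in memory, compares digests case-insensitively in constant time, and prints the exact CLI line to type. The package URL in the main block is the one from the handbook example; the digest there is a constructed placeholder.

```python
import hashlib
import hmac
import io
import os
import tempfile


def md5_of_stream(fileobj, chunk_size=1 << 20):
    """Hex MD5 of a binary stream, read in chunks."""
    h = hashlib.md5()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def md5_of_file(path):
    """Hex MD5 of the package file stored on the staging server."""
    with open(path, "rb") as f:
        return md5_of_stream(f)


def md5_of_bytes(data):
    return md5_of_stream(io.BytesIO(data))


def digest_matches(actual_hex, expected_hex):
    """Case-insensitive, constant-time comparison of two 32-hex-digit digests."""
    a = actual_hex.strip().lower()
    e = expected_hex.strip().lower()
    return len(a) == 32 and len(e) == 32 and hmac.compare_digest(a, e)


def package_command(url, expected_md5):
    """The 'system package' line to type once the staged copy has been checked."""
    return "system package %s %s" % (url, expected_md5.strip().lower())


if __name__ == "__main__":
    # Constructed demo: a throwaway file standing in for the staged package,
    # and an expected digest that is a placeholder, not a real package digest.
    expected = md5_of_bytes(b"abc")  # "900150983cd24fb0d6963f7d28e17f72"
    fd, path = tempfile.mkstemp(suffix=".array")
    with os.fdopen(fd, "wb") as f:
        f.write(b"abc")
    try:
        actual = md5_of_file(path)
        if digest_matches(actual, expected):
            print(package_command("http://192.168.10.10/Rel_AG_9_4_0_94.array", expected))
        else:
            print("digest mismatch: do not stage this package (got %s)" % actual)
    finally:
        os.remove(path)
```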

no system package <package_name>

This command is used to delete an imported system software package.

package_name  This parameter specifies the name of the imported software package to be deleted. You can view the names of imported software packages by executing the “show system package” command.

show system package [package_name]

This command is used to display imported system software packages.

package_name  Optional. This parameter specifies the name of the imported software package to be displayed.

The default value is empty, indicating that all imported system software packages will be displayed.

system fallback
This global command is used to enable the system fallback function. After this command is
executed, the system will boot from the other root partition on next reboot.

no system fallback
This global command is used to disable the system fallback function. The system will boot from
the current root partition on next reboot.

system component update <url>


This global command is used to update components on the AG appliance.

url This parameter specifies the HTTPS, HTTP or FTP URL used to
import the component updating package. Its value must be a string
of 1 to 256 characters.

system component revert


This global command is used to revert the component to the previous version.

2000-2018 Array Networks, Inc.


382
All Rights Reserved.
Chapter 12 Admin Tools

System Dump

system dump <on|off>


This global command is used to enable or disable the system dump function during a system panic.
When this feature is enabled, the system running information will be stored on the file system for
future usage.

on|off This parameter specifies whether to enable the system dump


function. Its value must be “on” or “off”.

show system dump


This global command is used to display the status of system dump function.

Configuration Management

Viewing Running Configuration and Startup Configuration

show running [display_mode] [expression]

This global command is used to display the current running system configurations for a specified
virtual site or the global scope.

display_mode  Optional. This parameter specifies which running system configurations will be displayed. Its value must be:

• “all”: indicates that running system configurations of both the global scope and all virtual sites will be displayed.

• “global”: indicates that running system configurations of the global scope will be displayed.

• virtual site name: indicates that running system configurations of a specified virtual site will be displayed.

• expression: indicates that the running system configurations matching the expression will be displayed.

The default value is empty, indicating that running system configurations of both the global scope and all virtual sites will be displayed.

expression  Optional. This parameter specifies a regular expression string that is used to match the running configuration. Its value must be a string of 1 to 1024 characters. For example, if the parameter value is set to “aaa”, only the AAA configurations will be displayed. The default value is empty, indicating the entire running configuration will be displayed.

Please note that this parameter can take effect only when the “display_mode” parameter is set to “all”, “global” or the virtual site name.

show running [expression]


This command is used to display the current running system configurations.

expression Optional. This parameter specifies a regular expression string that is


used to match the running configuration. Its value must be a string
of 1 to 1024 characters. For example, if the parameter value is set to
“aaa”, only the AAA configurations will be displayed. The default
value is empty, indicating the entire running configuration will be
displayed.

show startup [expression]


Under the global scope, this command is used to display both the global and site configurations
saved in the startup configuration file by executing the “write memory” command.

Under the virtual site scope, this command is used to display the configurations saved in the
startup configuration file by executing the “write memory” command for a specified virtual site.

expression Optional. This parameter specifies a regular expression string that is


used to match the configurations saved in the startup configuration
file. Its value must be a string of 1 to 256 characters. For example,
if the parameter value is set to “aaa”, the AAA configurations of a
specified virtual site saved in the startup configuration file will be
displayed. The default value is empty, indicating the entire startup
configuration will be displayed.

Configuration Backup

Note: The backup files are in the UTF-8 encoding format on the appliance’s disk, the
remote SCP server or the remote TFTP server. To read or edit the backed up file, make
sure that your file viewer or editor supports UTF-8 encoding.

write memory [mode]


This global command is used to save the global running configurations to the startup configuration
file.

2000-2018 Array Networks, Inc.


384
All Rights Reserved.
Chapter 12 Admin Tools

mode  Optional. This parameter specifies whether to save the virtual-site configurations. Its value must be:

• empty: indicates that only the global running configurations will be saved.

• “all”: indicates both global and all the virtual-site running configurations will be saved.

The default value is empty.

write memory
This command is used to save the virtual site’s running configurations to the startup configuration
file.

write file <mode> [file_name]


This global command is used to back up the global running configurations to a backup file on the
appliance’s disk.

mode  This parameter specifies whether to save the virtual-site configurations. Its value must be:

• file name: indicates that only the global running configurations will be backed up.

• “all”: indicates both global and all the virtual-site running configurations will be backed up.

file_name  Optional. This parameter specifies the name of the backup file. Its value must be a string of 1 to 256 characters. This parameter needs to be specified only when the “mode” parameter is set to “all”.

The default value is empty.

write file <file_name>


This command is used to back up the virtual site’s running configurations to a backup file on the
appliance’s disk.

file_name This parameter specifies the name of the backup file. Its value must
be a string of 1 to 256 characters.

no config <file_name>
Under the global scope, this command is used to delete a specified user-defined configuration file.

2000-2018 Array Networks, Inc.


385
All Rights Reserved.
Chapter 12 Admin Tools

Under the virtual site scope, this command is used to delete a specified user-defined configuration
file.

show config file [file_name] [regex]


Under the global scope, this command is used to display a specified backup file.

Under the virtual site scope, this command is used to display a specified backup file.

file_name  Optional. This parameter specifies the name of the backup file. Its value must be:

• empty: indicates all backup files will be displayed.

• backup file name: indicates configurations of a specified backup file will be displayed.

The default value is empty.

regex  Optional. This parameter specifies the regular expression to match the backup file. Its value must be a string of 1 to 256 characters. For example, if the parameter value is set to “aaa”, the AAA configurations of a specified virtual site in the backup file will be displayed.

clear config file


Under the global scope, this command is used to clear all backup files for the global scope.

Under the virtual site scope, this command is used to clear all backup files for a specified virtual
site.

write net scp <server_name> <username> <file_path>


Under the global scope, this command is used to back up the global running configurations to a
specified remote SCP server.

Under the virtual site scope, this command is used to back up the virtual site’s running
configurations to a specified remote SCP server.

server_name This parameter specifies the host name or IP address of the SCP
server. Its value must be a string of 1 to 128 characters. If the IP
address is entered, it should be enclosed by double quotes.

username This parameter specifies the username to access the remote SCP
server. Its value must be a string of 1 to 64 characters. After the
username is entered, the password prompt for this SCP server will
appear.

2000-2018 Array Networks, Inc.


386
All Rights Reserved.
Chapter 12 Admin Tools

file_path This parameter specifies the path to save the configuration file. Its
value must be a string of 1 to 256 characters.

write net tftp <server_ip> [file_name]


This global command is used to back up the global running configurations to a specified remote
TFTP server.

server_ip This parameter specifies the IP address of the TFTP server. Its value
must be an IPv4 address.

file_name  Optional. This parameter specifies the name of the configuration file in which the configuration data is saved. Its value must be a string of 1 to 256 characters. The default value is “ca.cfg”.

write net tftp <server_ip> <file_name>


This command is used to back up the virtual site’s running configurations to a specified remote
TFTP server.

server_ip This parameter specifies the IP address of the TFTP server. Its value
must be an IPv4 address.

file_name This parameter specifies the name of the configuration file in which
the configuration data is saved. Its value must be a string of 1 to
256 characters.

write net all scp <server_name> <username> <file_path>


This global command is used to back up all the running configurations including virtual-site
running configurations to a specified remote SCP server.

server_name This parameter specifies the host name or IP address of the SCP
server. Its value must be a string of 1 to 128 characters. If the IP
address is entered, it should be enclosed by double quotes.

username This parameter specifies the username to access the remote SCP
server. Its value must be a string of 1 to 64 characters. After the
username is entered, the password prompt for this SCP server will
appear.

file_path This parameter specifies the path to store the configuration file. Its
value must be a string of 1 to 256 characters.

write net all tftp <server_ip> [file_name]

2000-2018 Array Networks, Inc.


387
All Rights Reserved.
Chapter 12 Admin Tools

This global command is used to back up all the running configurations including virtual-site
running configurations to a specified remote TFTP server.

server_ip This parameter specifies the IP address of the remote TFTP server.
Its value must be an IPv4 address.

file_name  Optional. This parameter specifies the name of the configuration file in which the configuration data is saved. Its value must be a string of 1 to 256 characters. The default value is “AG_conf.all_cfg_tar”.

Configuration Restore

Note: The files restored from the appliance’s disk, the remote SCP server, the remote
TFTP server or the Web server must be in the UTF-8 encoding format. To read or edit the
restored file, make sure that your file viewer or editor supports UTF-8 encoding.

configure memory [mode]


This global command is used to restore the global configurations from the startup configuration
file.

mode  Optional. This parameter specifies whether to restore the virtual-site configurations. Its value must be:

• empty: indicates only the global configurations will be restored.

• “all”: indicates both global and all the virtual-site configurations will be restored.

The default value is empty.

configure memory
This command is used to restore the virtual site’s configurations from the startup configuration
file.

configure file <mode> [file_name]


This global command is used to restore the global configurations from a specified backup file.

mode  This parameter specifies whether to restore the virtual-site running configurations. Its value must be:

• empty: indicates only the global configurations will be restored.

• “all”: indicates both the global and all the virtual-site configurations will be restored.

file_name  Optional. This parameter specifies the name of the backup file. Its value must be a string of 1 to 256 characters. This parameter needs to be specified only when the “mode” parameter is set to “all”.

Note: Execution of the command “configure file all” will not clear the current
configurations from the system. To replace all the current configurations with the loaded
configurations, the administrator needs to execute the command “clear config all” first.

configure file <file_name>


This command is used to restore the virtual site’s configurations from a specified backup file.

file_name This parameter specifies the name of the backup file. Its value
should be a string of 1 to 256 characters.

configure net scp <server_name> <username> <file_path>


Under the global scope, this command is used to restore the global configurations from a specified
remote SCP server.

Under the virtual site scope, this command is used to restore the virtual site’s configurations from
a specified remote SCP server.

server_name This parameter specifies the host name or IP address of the SCP
server. Its value must be a string of 1 to 128 characters. If the IP
address is entered, it should be enclosed by double quotes.

username This parameter specifies the remote user account name. Its value
must be a string of 1 to 64 characters. After the username is entered,
the password prompt for this SCP server will appear.

file_path This parameter specifies the path of the configuration file saved on
the remote SCP server. Its value must be a string of 1 to 256
characters.

configure net tftp <server_ip> <file_name> [force_flag]


Under the global scope, this command is used to restore the global configurations from a specified
remote TFTP server.

Under the virtual site scope, this command is used to restore the virtual site’s configurations from
a specified remote TFTP server.

2000-2018 Array Networks, Inc.


389
All Rights Reserved.
Chapter 12 Admin Tools

server_ip This parameter specifies the IP address of the remote TFTP server.
Its value must be an IPv4 address.

file_name This parameter specifies the name of the configuration file. Its
value must be a string of 1 to 256 characters.

force_flag  Optional. This parameter specifies whether to force the system to restore the global configurations. This parameter only works under the global scope. Its value must be:

• force: indicates the global configurations will be restored directly.

• empty: indicates a prompt will appear to confirm whether to display the configurations before restoring them.

The default value is empty.

configure net http <url>


Under the global scope, this command is used to restore the global configurations from a specified
Web server.

Under the virtual site scope, this command is used to restore the virtual site’s configurations from
a specified Web server.

url This parameter specifies the URL address of the configuration file.
For example, http://www.xyz.com/array.conf. Its value must be a
string of 1 to 64 characters.

configure net all scp <server_name> <username> <file_path>


This global command is used to restore the entire configurations from a specified remote SCP
server.

server_name This parameter specifies the host name or IP address of the remote
SCP server. Its value must be a string of 1 to 128 characters. If the
IP address is entered, it should be enclosed by double quotes.

username This parameter specifies the username to access the remote SCP
server. Its value must be a string of 1 to 64 characters. After the
username is entered, the password prompt for this SCP server will
appear.

file_path  This parameter specifies the path of the configuration file saved on the remote SCP server. Its value must be a string of 1 to 256 characters.

configure net all tftp <server_ip> <file_name>


This global command is used to restore the entire configurations from a specified remote TFTP
server.

server_ip This parameter specifies the IP address of the remote TFTP server.
Its value must be an IPv4 address.

file_name This parameter specifies the name of the configuration file. Its
value must be a string of 1 to 256 characters.

configure net all http <url>


This global command is used to restore the entire configurations from a specified Web server.

url This parameter specifies the URL address of the configuration file.
For example, http://www.xyz.com/array.conf. Its value must be a
string of 1 to 64 characters.

Configuration Clearance

clear config secondary [webui]


This global command is used to restore all the secondary AG settings, such as NAT, FWD, SNMP, log,
domain server and proxy server, to their default values. After this command is executed, please
execute the “write memory” command to save the current configuration, otherwise the system will be
restored to the original status after a system reboot.

webui  Optional. This parameter specifies whether or not the WebUI configurations will be restored. Its value must be:

• webui: indicates the WebUI configurations will be restored.

• nowebui: indicates the WebUI configurations will not be restored.

The default value is webui.

clear config primary


This global command is used to restore the basic network settings to default values (including
settings about IP address, cluster, access list, group, WebUI, “Enable” level password, “array”
user password and so on). Also, all administrator accounts except “array” will be deleted. After
this command is executed, please execute the “write memory” command to save the current
configuration, otherwise the system will be restored to the original status after a system reboot.

This command cannot be executed if there are other configurations dependent on these basic
network settings. In this situation, please execute the command “clear config secondary” first to
delete the related configurations. Then, execute the command “clear config primary” again.

clear config all


Under the global scope, this command is used to clear all settings on the AG appliance.

Under the virtual site scope, this command is used to clear all settings of the virtual site.

Configuration Factory Reset

clear config factorydefault


This global command is used to reset the AG appliance to the factory default settings. After this
command is executed, the system will automatically reboot.

Configuration Synchronization
The Configuration Synchronization feature allows administrators to transfer configuration
information between AG appliances within the same network.

synconfig peer <peer_name> <peer_ip>


This global command is used to add a synchronization peer with a unique name and IP address.

peer_name This parameter specifies the name of the synchronization peer. Its
value must be a string of 1 to 128 characters.

peer_ip This parameter specifies the IP address of the synchronization peer.

Note: Synchronization peers must be configured on all synchronization nodes.

no synconfig peer <peer_name>


This global command is used to delete a specified synchronization peer.

show synconfig peer


This global command is used to display all configured synchronization peers.

clear synconfig peer


This global command is used to clear all synchronization peers.

synconfig challenge <code>

2000-2018 Array Networks, Inc.


392
All Rights Reserved.
Chapter 12 Admin Tools

This global command is used to configure a challenge code for system configuration
synchronization. The challenge codes on synchronization nodes must be identical.

code This parameter specifies the challenge code. Its value must be a
string of 1 to 31 case-sensitive characters. The “$” character is also
supported.

no synconfig challenge
This global command is used to delete the configured challenge code.

show synconfig challenge


This global command is used to display the currently configured challenge code.

Note: The challenge code is displayed in encrypted format. The administrator must
securely record the original challenge code.

clear synconfig challenge


This global command is used to clear the configured challenge code.

synconfig to <peer_name>
This global command is used to manually synchronize running configurations from the local node
to a specified peer node. After this command is executed, prior to applying the new configurations,
the “clear config secondary” command will be executed on the peer node. This will remove all the
existing configurations except for appliance-specific settings. The appliance-specific settings left
unaffected include system IP addresses, SSH IP address, WebUI IP address, WebUI IP port, IP route,
host name, Bond, VLAN, WebWall, accesslist and accessgroup.

peer_name This parameter specifies the name of the synchronization peer. If
the parameter value is set to “all”, configurations will be
synchronized to all peer nodes defined using the “synconfig peer”
command.

synconfig from <peer_name>


This global command is used to manually synchronize configurations from a specified peer node
to the local node. This command can only synchronize the peer’s startup configuration rather than
the running configuration.

peer_name This parameter specifies the name of the synchronization peer.

synconfig rollback local <peer_name>


This global command is used to restore the system back to the configuration state before the
execution of the “synconfig from” command.

peer_name This parameter specifies the name of the synchronization peer. This
parameter must be specified in order to determine the configuration
state to be restored.

synconfig rollback peer <peer_name>


This global command is used to restore the configurations of a specified peer back to the
configuration state before the execution of the “synconfig to” command.

peer_name This parameter specifies the name of the synchronization peer. If
the parameter value is set to “all”, then all peers that have been
previously specified with the “synconfig to” command will be
rolled back.
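The following added example (not Array Networks code) models what the “synconfig to” and
“synconfig rollback peer” commands do to a peer's configuration: the peer keeps only its
appliance-specific settings, receives the local node's shared settings, and can be restored from
the snapshot taken before the push. The setting key prefixes and the two sample configurations are
assumptions constructed for the example.

```python
"""Model of what 'synconfig to' and 'synconfig rollback peer' do to a peer's
configuration. Added example, not Array Networks code.

A configuration is modelled as a dict mapping a CLI setting key (the
command prefix, e.g. "ip address port1") to its value.
"""
import copy

# Settings that "clear config secondary" leaves untouched, as listed in the
# "synconfig to" description. The key prefixes used here are assumptions.
APPLIANCE_SPECIFIC_PREFIXES = (
    "ip address",      # system IP addresses
    "ssh ip",          # SSH IP address
    "webui ip",        # WebUI IP address
    "webui port",      # WebUI IP port
    "ip route",        # IP route
    "hostname",        # host name
    "bond",            # Bond
    "vlan",            # VLAN
    "webwall",         # WebWall
    "accesslist",
    "accessgroup",
)


def is_appliance_specific(key: str) -> bool:
    """True if a setting survives 'clear config secondary' on the peer."""
    return any(key == p or key.startswith(p + " ")
               for p in APPLIANCE_SPECIFIC_PREFIXES)


def clear_config_secondary(config: dict) -> dict:
    """Remove every setting except the appliance-specific ones."""
    return {k: v for k, v in config.items() if is_appliance_specific(k)}


def synconfig_to(local_running: dict, peer_running: dict) -> tuple:
    """Push the local running configuration to one peer.

    Returns (new_peer_config, rollback_snapshot). The snapshot is the
    peer's configuration before the push; 'synconfig rollback peer'
    restores it.
    """
    snapshot = copy.deepcopy(peer_running)
    new_peer = clear_config_secondary(peer_running)
    for key, value in local_running.items():
        # The peer keeps its own addresses, routes, host name etc.; only
        # the shared (non appliance-specific) settings are copied over.
        if not is_appliance_specific(key):
            new_peer[key] = copy.deepcopy(value)
    return new_peer, snapshot


def synconfig_rollback_peer(snapshot: dict) -> dict:
    """Restore the peer to its pre-'synconfig to' state."""
    return copy.deepcopy(snapshot)


def synconfig_diff(local: dict, peer: dict) -> dict:
    """Model of 'show synconfig diff': shared settings whose values differ.

    Appliance-specific settings are expected to differ between nodes and
    are therefore not reported.
    """
    diff = {}
    for key in sorted(set(local) | set(peer)):
        if is_appliance_specific(key):
            continue
        if local.get(key) != peer.get(key):
            diff[key] = (local.get(key), peer.get(key))
    return diff


# Constructed sample configurations for two nodes (not real appliance data).
LOCAL_RUNNING = {
    "hostname": "ag-node-a",
    "ip address port1": "10.0.0.1 255.255.255.0",
    "ip route default": "10.0.0.254",
    "virtual site vs1": "10.0.0.10 443",
    "localdb user alice": "group=staff",
}
PEER_RUNNING = {
    "hostname": "ag-node-b",
    "ip address port1": "10.0.0.2 255.255.255.0",
    "ip route default": "10.0.0.254",
    "virtual site old": "10.0.0.20 443",   # dropped by 'clear config secondary'
}

if __name__ == "__main__":
    pushed, snap = synconfig_to(LOCAL_RUNNING, PEER_RUNNING)
    print("peer after sync:", pushed)
    print("diff after sync:", synconfig_diff(LOCAL_RUNNING, pushed))
    print("peer after rollback:", synconfig_rollback_peer(snap))
```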

show synconfig diff <peer_name>


This global command is used to display the configuration difference between the local node and a
specified peer.

peer_name This parameter specifies the name of the synchronization peer.

show synconfig status from [peer_ip]


This global command is used to display the results of synchronization from a specified peer node
to the local node. If the “peer_ip” parameter is not specified, the results of synchronization from
all peer nodes to the local node will be displayed.

show synconfig status history


This global command is used to display the history of synchronization events initiated on the AG
appliance.

synconfig copy file <file_name>


This global command is used to copy a file from the local node to the peer node in the backend.

file_name This parameter specifies the name of the file to be copied. Its value
must be a string of 1 to 256 characters.

synconfig delete file <file_name>


This global command is used to delete a file from the peer node in the backend.

file_name This parameter specifies the name of the file to be deleted.

synconfig copy directory <directory_name>

2000-2018 Array Networks, Inc.


394
All Rights Reserved.
Chapter 12 Admin Tools

This global command is used to copy a directory from the local node to the peer node in the
backend.

directory_name This parameter specifies the name of the directory to be copied. Its
value must be a string of 1 to 256 characters.

synconfig delete directory <directory_name>


This global command is used to delete a directory from the peer node in the backend.

directory_name This parameter specifies the name of the directory to be deleted.

Remote Host Access


ssh remote <user@hostname>
This global command is used to create an SSH connection to a remote host. The system supports
all standard SSH parameters under the UNIX system. For details, please refer to the OpenSSH
command documentation.

user@hostname This parameter specifies the username and the name or IP
address of the remote host. Its value must be enclosed by double
quotes.

Note: If attributes need to be set for this parameter, this
parameter and the attribute must be enclosed by single quotes
first, and then enclosed by double quotes. For example, ssh
remote "'192.168.1.24 -p 8888'".

Example:

AN#ssh remote "[email protected]"
[email protected]'s password:
Linux server1 2.6.32-22-generic #33-Ubuntu SMP Wed Apr 28 13:27:30 UTC 2010 i686 GNU/Linux

Welcome to Ylmf_OS!
* Information: http://www.ylmf.com/

0 packages can be updated.
0 updates are security updates.

Last login: Wed Apr 20 00:39:35 2011 from 10.3.46.1
root@server1:~#

telnet <host port>

2000-2018 Array Networks, Inc.


395
All Rights Reserved.
Chapter 12 Admin Tools

This global command is used to create a Telnet connection to a remote host. The system supports
all standard Telnet parameters under the UNIX system. For details, please refer to the technical
documentation about Telnet commands.

host port This parameter specifies the IP address and the port of the remote
host. Its value must be enclosed by double quotes.

Note: If attributes need to be set for this parameter, this parameter
and the attribute must be enclosed by single quotes first, and then
enclosed by double quotes. For example, telnet "'192.168.1.24 -l
admin'".

Example:

AN#telnet "'172.16.2.182 -4'"
Trying 172.16.2.182...
Connected to 172.16.2.182 -4.
Escape character is '^]'.
Trying SRA secure login:
User (root): array
Password:
[ SRA accepts you ].................succeed

2000-2018 Array Networks, Inc.


396
All Rights Reserved.
Chapter 13 Advanced System Operations

Chapter 13 Advanced System Operations


To configure the advanced system options such as RTS, Bond and NAT on the AG appliance, the
administrator must be in the global shell and in Config mode.

RTS
ip rts on <rts_mode>
This command is used to enable the RTS function. RTS ensures that all of the response packets
from a remote server can be directed to the link from which the corresponding request packets are
sent by a client.

rts_mode This parameter specifies the RTS mode. Its value can only be
“gateway” or “all”. “gateway” means that RTS records external
senders as configured gateways. “all” means that RTS records all
external senders that send packets to the unit. By default, the RTS
mode will be “all”.

ip rts off
This command is used to disable the RTS function.

ip rts expire [timeout]


This command is used to set the maximum period (in seconds) before an unused RTS entry times
out and expires. The parameter value ranges from 1 to 21474836. The default period is 60
seconds.

show ip rts
This command is used to display the RTS configuration.

clear ip rts
This command is used to reset the RTS configuration.

show statistics rts


This command is used to display the running RTS statistics.

Note: The maximum number of RTS entries may vary according to the amount of system
memory as shown in the following table. Each RTS entry uses about 264KB memory
space.

Table 13-1 Relation between RTS Entry and System Memory

System Memory    Maximum RTS Entry    Memory Usage
1G               10,000               2.5M
2G               20,000               5M
4G               40,000               10M

clear statistics rts


This command is used to clear the RTS statistics.

Bond
bond name <bond_id> <bond_name>
This command assigns a name to the specified bond interface. The AG appliance supports at most
6 bond interfaces.

bond_id This parameter specifies the default bond interface ID (bond1,
bond2, bond3, bond4, bond5 and bond6) on the AG appliance.

bond_name This parameter specifies a network interface name specified by an
alphanumeric string. Its default values are respectively bond1,
bond2, bond3, bond4, bond5 and bond6.

bond interface <bond_name> <interface_name> [1|0]


This command is used to add a system interface to the specified bond interface. At most 12 system
interfaces can be added to a bond interface.

The optional “1|0” parameter sets the interface as either the primary (1) or backup (0) interface in
the bond. Multiple primary or backup interfaces can be set in the bond. When all the primary
interfaces in the bond fail, the backup interfaces will attempt to take over the work.

bond_name This parameter specifies a network interface name specified by an
alphanumeric string. Its default values are bond1, bond2, bond3 and
bond4.

interface_name This parameter specifies a network interface name specified by an
alphanumeric string. The default interface names are “port1”,
“port2”, “port3”…etc. The interface can be set by using the
“interface name” command.

1|0 1: This is the default value and sets the interface as one of the
primary interfaces in the bond.
0: Sets the interface as one of the backup interfaces in the bond.

no bond interface <bond_name> <interface_name>


This command is used to remove the system interface from the bond interface.

2000-2018 Array Networks, Inc.


398
All Rights Reserved.
Chapter 13 Advanced System Operations

show bond [bond_name]


This command is used to display all the current system bond interface settings. If the bond
interface name is specified, the command will only display settings for the specified interface.

clear bond [bond_name]


This command resets the specified bond interface configuration to the default settings. If no bond
interface name is specified, the settings for all the bond interfaces are reset.

NAT
nat port <vip> <network_ip> <netmask> [timeout] [gateway]
This command is used to enable network address translation (NAT) along with port translation.
NAT converts the address of each server or device on the inside network into one IP address for
the Internet and vice versa. The AG appliance will check for subnet overlap or verify that the
configured virtual IP exists. Data packets will be NATTed if and only if:

• The source IP address is in the range of the configured “network_ip” and “netmask”.

• The configured “gateway” is the same as the route gateway. If the “gateway” is set to the
default value (0.0.0.0), the “vip” and the route gateway should be within the same network
segment.

Up to 512 NAT ports can be configured on one AG appliance.

vip This parameter specifies a supplied virtual IP address.

network_ip This parameter specifies the network IP to perform the network
translation on.

netmask This parameter specifies the netmask for the network performing
the NAT.

timeout Optional. This parameter specifies the timeout setting in seconds.
The default value is 60 seconds.

gateway Optional. This parameter specifies the gateway IP address to which
data packets are routed after being NATTed. The default is 0.0.0.0.

no nat port <vip>


This command is used to remove the specified virtual IP address from the NAT configurations.

show nat port


This command is used to display all NAT configurations.

clear nat port

2000-2018 Array Networks, Inc.


399
All Rights Reserved.
Chapter 13 Advanced System Operations

This command is used to stop and remove the NAT configurations.

nat static <vip> <network_ip> [timeout] [gateway]


This command is used to set a static NAT route. Data packets will be NATTed if and only if:

• The source IP address is in the range of the configured “network_ip”.

• The configured “gateway” is the same as the route gateway (the route gateway is configured
by using the command “ip route default”). If the “gateway” is set to the default value
(0.0.0.0), the “vip” and the route gateway should be within the same network segment.

Up to 512 NAT static routes can be configured on one AG appliance.

vip This parameter specifies a supplied virtual IP address.

network_ip This parameter specifies the network IP to perform the network
translation on.

timeout Optional. This parameter specifies the timeout value in seconds.
The default is 60 seconds.

gateway Optional. This parameter specifies the gateway IP address to which
data packets are routed after being NATTed. It defaults to 0.0.0.0.
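The following added example (not Array Networks code) encodes the two matching conditions shared
by “nat port” and “nat static”, the 512-rule limit and the subnet-overlap check as a small Python
model. It assumes that a “nat static” rule behaves as a single-host (/32) network and that the
same-segment test for a 0.0.0.0 gateway uses the mask of the interface holding the vip; the
addresses are constructed samples.

```python
"""Decision model for the AG 'nat port' / 'nat static' matching rules.
Added example, not Array Networks code. It encodes the two "if and only
if" conditions given for both commands and the 512-rule limit.

Assumptions: a 'nat static' rule (which has no netmask) is treated as a
single-host /32 network, and the "same network segment" test for a
0.0.0.0 gateway uses the mask of the interface that holds the vip
(vip_netmask), which the page does not specify.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_NAT_RULES = 512        # "Up to 512 NAT ports ... can be configured"
DEFAULT_GATEWAY = "0.0.0.0"


@dataclass(frozen=True)
class NatRule:
    vip: str
    network_ip: str
    netmask: str = "255.255.255.255"   # nat static: single host (assumption)
    timeout: int = 60                  # seconds, the default given on the page
    gateway: str = DEFAULT_GATEWAY

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False tolerates a network_ip with host bits set
        return ipaddress.IPv4Network(f"{self.network_ip}/{self.netmask}",
                                     strict=False)


def same_segment(ip_a: str, ip_b: str, netmask: str) -> bool:
    """True if both addresses fall in the subnet defined by netmask."""
    net = ipaddress.IPv4Network(f"{ip_a}/{netmask}", strict=False)
    return ipaddress.IPv4Address(ip_b) in net


def packet_is_natted(src_ip: str, rule: NatRule, route_gateway: str,
                     vip_netmask: str = "255.255.255.0") -> bool:
    """Apply the two conditions from the 'nat port' / 'nat static' text."""
    # 1. The source IP must be in the configured network_ip/netmask range.
    if ipaddress.IPv4Address(src_ip) not in rule.network:
        return False
    # 2. The configured gateway must equal the route gateway ("ip route
    #    default"); with the 0.0.0.0 default, vip and route gateway must
    #    share a network segment instead.
    if rule.gateway != DEFAULT_GATEWAY:
        return rule.gateway == route_gateway
    return same_segment(rule.vip, route_gateway, vip_netmask)


class NatTable:
    """A set of NAT rules keyed by vip, mirroring 'nat port' / 'no nat port'."""

    def __init__(self) -> None:
        self.rules: list = []

    def add(self, rule: NatRule) -> Optional[str]:
        """Add a rule; returns None on success or the reason it was rejected.
        Overlap with an existing source network is rejected (an assumption
        based on the page's 'check for subnet overlap')."""
        if len(self.rules) >= MAX_NAT_RULES:
            return "rule limit reached"
        for existing in self.rules:
            if existing.vip == rule.vip:
                return "vip already configured"
            if existing.network.overlaps(rule.network):
                return "subnet overlap"
        self.rules.append(rule)
        return None

    def remove(self, vip: str) -> bool:
        """'no nat port <vip>' / 'no nat static <vip>'; True if a rule was removed."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if r.vip != vip]
        return len(self.rules) != before

    def lookup(self, src_ip: str, route_gateway: str,
               vip_netmask: str = "255.255.255.0") -> Optional[NatRule]:
        """Return the first rule that NATs a packet from src_ip, if any."""
        for rule in self.rules:
            if packet_is_natted(src_ip, rule, route_gateway, vip_netmask):
                return rule
        return None


# Constructed sample rules and route gateway (documentation address ranges).
ROUTE_GATEWAY = "203.0.113.1"
PORT_RULE = NatRule("203.0.113.10", "192.168.10.0", "255.255.255.0")
EXPLICIT_GW_RULE = NatRule("203.0.113.11", "192.168.30.0", "255.255.255.0",
                           gateway="198.51.100.1")
STATIC_RULE = NatRule("203.0.113.12", "192.168.40.9")

if __name__ == "__main__":
    table = NatTable()
    for r in (PORT_RULE, EXPLICIT_GW_RULE, STATIC_RULE):
        print("add", r.vip, "->", table.add(r) or "ok")
    for src in ("192.168.10.25", "192.168.30.7", "192.168.40.9", "10.9.9.9"):
        hit = table.lookup(src, ROUTE_GATEWAY)
        print(src, "->", hit.vip if hit else "not NATted")
```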

no nat static <vip>


This command is used to remove the specified virtual IP address from the static NAT
configurations.

show nat static


This command is used to display all static NAT configurations.

clear nat static


This command is used to stop and remove the static NAT configurations.

show nat table


This command is used to display the existing network translations for incoming and outgoing
traffic.

HTTP Compression
http compression {on|off}
This global command is used to enable or disable the HTTP Compression function. By default,
this function is disabled. When this function is enabled, Text, XML and HTML will be
compressed by default. To compress other types of HTTP data, please configure HTTP
compression policies using the command “http compression policy useragent”.

2000-2018 Array Networks, Inc.


400
All Rights Reserved.
Chapter 13 Advanced System Operations

show http compression status


This command is used to display the status of the HTTP Compression function.

http compression policy useragent <user_agent> <mime_type>


This global command is used to configure an HTTP compression policy to compress a specified
MIME type of data for a user agent.

user_agent This parameter specifies the name of the user agent. Its value
should be a string of 1 to 256 characters. It is recommended that the
parameter value should be enclosed in double quotes.

mime_type This parameter specifies the MIME media type to which data
compression is applied. Its value can only be:

• doc
• xls
• ppt
• js
• css
• pdf

http compression advanced useragent on


This global command is used to add the recommended HTTP compression policies. After this
command is executed, the following configurations will be added to the system:

http compression policy useragent "MSIE 6" "css"
http compression policy useragent "MSIE 6" "js"
http compression policy useragent "MSIE 7.0" "css"
http compression policy useragent "MSIE 7.0" "js"
http compression policy useragent "MSIE 8.0" "css"
http compression policy useragent "MSIE 8.0" "js"
http compression policy useragent "Mozilla/5.0" "css"
http compression policy useragent "Mozilla/5.0" "js"

That is, the system compresses JavaScript and CSS-type data for the following four types of
browsers (user agents): IE 6, IE 7, IE 8 and Mozilla 5.0.

no http compression policy useragent <user_agent> <mime_type>


This global command is used to delete an HTTP compression policy.

show http compression policy useragent

2000-2018 Array Networks, Inc.


401
All Rights Reserved.
Chapter 13 Advanced System Operations

This global command is used to display all the configured HTTP compression policies including
recommended policies.

clear http compression policy useragent


This global command is used to clear all the configured HTTP compression policies including
recommended policies.

show http compression config


This global command is used to display the status of the HTTP Compression function and
configured HTTP compression policies.

clear http compression config


This global command is used to disable the HTTP Compression function and clear configured
HTTP compression policies.

show statistics compression [virtual_site_name]


This global command is used to display the statistics on HTTP compression under the specified
virtual site.

virtual_site_name This parameter specifies the name of the virtual site. Its value can
be a virtual site name or all. “all” indicates that the statistics on
HTTP compression under all virtual sites will be displayed.

clear statistics compression


This global command is used to clear the statistics on HTTP compression.

http compression policy urlexclude <keyword>


This command is used to configure a URL-excluded compression policy to disable HTTP
compression for URLs matching the “keyword” setting under the virtual site.

keyword This parameter specifies a regular expression. Its value should be a
string of 1 to 255 characters.
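The following added example (not Array Networks code) models the compression decision described
for “http compression”, “http compression policy useragent”, “http compression advanced useragent
on” and “http compression policy urlexclude”: the global switch, the types compressed by default,
per-user-agent policies and URL exclusion by regular expression. Matching a policy's user agent as
a substring of the request's User-Agent header is an assumption; the sample User-Agent strings are
constructed.

```python
"""Model of the AG HTTP compression decision: the on/off switch, the
default compressed types, 'http compression policy useragent' and
'http compression policy urlexclude'. Added example, not Array Networks
code. Matching a policy's user agent as a substring of the request's
User-Agent header is an assumption; the page only lists values such as
"MSIE 6" and "Mozilla/5.0".
"""
import re

# Compressed by default once "http compression on" is set.
DEFAULT_COMPRESSED = {"text", "xml", "html"}
# The only MIME types "http compression policy useragent" accepts.
POLICY_MIME_TYPES = {"doc", "xls", "ppt", "js", "css", "pdf"}
# What "http compression advanced useragent on" adds.
RECOMMENDED_POLICIES = [
    ("MSIE 6", "css"), ("MSIE 6", "js"),
    ("MSIE 7.0", "css"), ("MSIE 7.0", "js"),
    ("MSIE 8.0", "css"), ("MSIE 8.0", "js"),
    ("Mozilla/5.0", "css"), ("Mozilla/5.0", "js"),
]


class HttpCompression:
    def __init__(self) -> None:
        self.enabled = False          # "http compression off" is the default
        self.policies = set()         # (user_agent, mime_type) pairs
        self.url_excludes = []        # compiled 'urlexclude' regexes

    def compression(self, state: str) -> None:
        """http compression {on|off}"""
        if state not in ("on", "off"):
            raise ValueError("state must be 'on' or 'off'")
        self.enabled = state == "on"

    def policy_useragent(self, user_agent: str, mime_type: str) -> None:
        """http compression policy useragent <user_agent> <mime_type>"""
        if not 1 <= len(user_agent) <= 256:
            raise ValueError("user_agent must be 1 to 256 characters")
        if mime_type not in POLICY_MIME_TYPES:
            raise ValueError(f"mime_type must be one of {sorted(POLICY_MIME_TYPES)}")
        self.policies.add((user_agent, mime_type))

    def no_policy_useragent(self, user_agent: str, mime_type: str) -> None:
        """no http compression policy useragent <user_agent> <mime_type>"""
        self.policies.discard((user_agent, mime_type))

    def advanced_useragent_on(self) -> None:
        """http compression advanced useragent on"""
        for ua, mt in RECOMMENDED_POLICIES:
            self.policy_useragent(ua, mt)

    def policy_urlexclude(self, keyword: str) -> None:
        """http compression policy urlexclude <keyword> (a regular expression)"""
        if not 1 <= len(keyword) <= 255:
            raise ValueError("keyword must be 1 to 255 characters")
        self.url_excludes.append(re.compile(keyword))

    def should_compress(self, user_agent: str, mime_type: str, url: str) -> bool:
        """Decide whether a response of mime_type for this request is compressed."""
        if not self.enabled:
            return False
        if any(pattern.search(url) for pattern in self.url_excludes):
            return False                      # a URL-excluded policy wins
        if mime_type in DEFAULT_COMPRESSED:
            return True
        # Policy user agent matched as a substring of the header (assumption).
        return any(ua in user_agent and mt == mime_type
                   for ua, mt in self.policies)


# Constructed sample User-Agent strings (not taken from the page).
UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"

if __name__ == "__main__":
    cfg = HttpCompression()
    cfg.compression("on")
    cfg.advanced_useragent_on()
    cfg.policy_urlexclude(r"^/static/nocompress/")
    for ua, mt, url in ((UA_IE6, "js", "/app.js"), (UA_IE6, "pdf", "/doc.pdf"),
                        (UA_FIREFOX, "html", "/static/nocompress/a.html")):
        print(mt, url, "->", cfg.should_compress(ua, mt, url))
```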

no http compression policy urlexclude <keyword>


This command is used to delete a specified URL-excluded compression policy configured under
the virtual site.

show http compression policy urlexclude


This command is used to show all URL-excluded compression policies configured under the
virtual site.

clear http compression policy urlexclude

2000-2018 Array Networks, Inc.


402
All Rights Reserved.
Chapter 13 Advanced System Operations

This command is used to clear all URL-excluded compression policies configured under the
virtual site.

2000-2018 Array Networks, Inc.


403
All Rights Reserved.
Chapter 14 IPv6 Support

Chapter 14 IPv6 Support


To support IPv6 in the various modules, NDP (Neighbor Discovery Protocol) must be configured on
the AG appliance to perform address resolution (mapping IPv6 addresses to MAC addresses).

ipv6 ndp <ipv6_address> <mac_address>


This command is used to add a static NDP entry to the system.

ipv6_address This parameter specifies the IPv6 address of a remote host.

mac_address This parameter specifies the MAC address of the remote host.

no ipv6 ndp <ipv6_address>


This command is used to remove the static NDP entry of the specified IPv6 address.

show ipv6 ndp


This command is used to display all the static NDP entries.

clear ipv6 ndp


This command is used to clear all the static NDP entries.

2000-2018 Array Networks, Inc.


404
All Rights Reserved.
Chapter 15 DesktopDirect

Chapter 15 DesktopDirect

Basic ART Commands


show art status [instance_name]
This global command is used to display the general ART status for an existing ART instance: the
number of registered users, the state of local name resolution and strict user policy, and the RDP
port.

instance_name Optional. This parameter specifies the name of the ART instance to
be displayed. If this parameter is not specified, all the configured
instances will be displayed.

show art tech


This global command is used to display all the ART configurations.

show art info <instance_name> [user_name]


This global command is used to display ART information of the specified user.

instance_name This parameter specifies the name of the ART instance to which the
user belongs. Its value should be a string of 1 to 50 characters.

user_name Optional. This parameter specifies the name of the user. Its value
should be a string of 1 to 100 characters. If this parameter is not
specified, information of all the users in the specified ART instance
will be displayed.

clear art configuration factorydefault


This global command is used to reset ART configurations to default factory settings.

Name Resolution

art name resolution local enabled <instance_name>


This global command is used to enable ART local name resolution for the specified ART instance.

instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.

no art name resolution local enabled <instance_name>


This global command is used to disable ART local name resolution for the specified ART
instance.

2000-2018 Array Networks, Inc.


405
All Rights Reserved.
Chapter 15 DesktopDirect

instance_name This parameter specifies the name of the ART instance.

art name resolution local host <host_id> <host_ip>


This global command is used to create a new local host entry.

host_id This parameter specifies the ID of the host. Its value should be a
string of 1 to 255 characters.

host_ip This parameter specifies the IP address of the host. Its value should
be given in dotted decimal notation.

no art name resolution local host <host_id>


This global command is used to delete an existing local host entry.

host_id This parameter specifies the ID of the host.

show art name resolution local hosts [host_id]


This global command is used to display the information of the specified local host.

host_id Optional. This parameter specifies the ID of the host. If this
parameter is not specified, information of all the local hosts will be
displayed.

clear art name resolution local hosts


This global command is used to delete all the existing local name service hosts. When this CLI
command is executed, the administrator needs to enter “Yes” to confirm this operation.

art name resolution local expiration <minute>


This global command is used to set the expiration timeout value of local host entries.

minute This parameter specifies the timeout value. Its value should be an
integer ranging from 1 to 4,294,967,295.

ART Instance
art create instance <instance_name>
This global command is used to create a new ART instance.

instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.

2000-2018 Array Networks, Inc.


406
All Rights Reserved.
Chapter 15 DesktopDirect

clear art instance <instance_name>


This global command is used to delete an existing ART instance and all the data associated with
the instance.

instance_name This parameter specifies the name of the ART instance.

art instance assign portal <instance_name>


This virtual site command is used to assign an ART instance to this virtual site.

instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.

no art instance assign portal


This virtual site command is used to reset the virtual site assignment to the default instance.

art policy strictuser <instance_name>


This global command is used to enable the strict user policy for the specified ART instance.

instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.

no art policy strictuser <instance_name>


This global command is used to disable the strict user policy for the specified ART instance.

instance_name This parameter specifies the name of the ART instance.

art proxy mode <instance_name> <ip>


This global command is used to set an ART instance to operate in proxy mode to listen on the
specified IP address.

instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.

ip This parameter specifies the remote ART server IP address. Its
value should be given in dotted decimal notation.

no art proxy mode <instance_name>


This global command is used to disable the proxy mode for an ART instance.

instance_name This parameter specifies the name of the ART instance.

show art proxy mode <instance_name>

2000-2018 Array Networks, Inc.


407
All Rights Reserved.
Chapter 15 DesktopDirect

This global command is used to display proxy mode information for an ART instance.

instance_name This parameter specifies the name of the ART instance.

show art proxy listen <instance_name>


This global command is used to display proxy listening information for an ART instance.

instance_name This parameter specifies the name of the ART instance.

art rdp port <instance_name> <port>


This global command is used to specify the default RDP port for the specified ART instance.

instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.

port This parameter specifies the port. Its value should be an integer
ranging from 1 to 65,535.

ART Users, Groups and Desktops

ART User

art user <instance_name> <user_name>


This global command is used to create a user for the specified ART instance.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name This parameter specifies the name of the user. Its value should be a
string of 1 to 100 characters.

no art user <instance_name> <user_name>


This global command is used to delete an existing user from the specified ART instance.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name This parameter specifies the name of the user.

show art users <instance_name> [user_name]


This global command is used to display the information of a user in the specified instance.

2000-2018 Array Networks, Inc.


408
All Rights Reserved.
Chapter 15 DesktopDirect

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name Optional. This parameter specifies the name of the user to be
displayed. If this parameter is not specified, a list of all the users in
this specified ART instance will be displayed.

art rename user <instance_name> <old_user> <new_user>


This global command is used to rename an existing user in the specified ART instance.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

old_user This parameter specifies the current name of the user.

new_user This parameter specifies the new name of the user.

ART Group

art group define <instance_name> <group_name>


This global command is used to create a group for the specified ART instance.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

group_name This parameter specifies the name of the group. Its value should be
a string of 1 to 250 characters.

no art group define <instance_name> <group_name>


This global command is used to delete an existing group from the specified ART instance.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

group_name This parameter specifies the name of the group.

show art group all [instance_name]


This global command is used to display the information of the groups in the specified ART
instance.

instance_name Optional. This parameter specifies the name of the ART instance. If
this parameter is not specified, all the groups will be displayed.

clear art group all


This global command is used to delete all the group information.

art group rename <instance_name> <old_group> <new_group>


This global command is used to rename an existing group in the specified ART instance.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

old_group This parameter specifies the current name of the group.

new_group This parameter specifies the new name of the group.

art group member <instance_name> <group_name> <user_name>


This global command is used to add a user to the specified group.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

group_name This parameter specifies the name of the group.

user_name This parameter specifies the name of the user.

no art group member <instance_name> <group_name> <user_name>


This global command is used to delete a user from the specified group.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

group_name This parameter specifies the name of the group.

user_name This parameter specifies the name of the user.

show art group members <instance_name> <group_name>


This global command is used to display all the users of the specified group.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

2000-2018 Array Networks, Inc.


410
All Rights Reserved.
Chapter 15 DesktopDirect

group_name This parameter specifies the name of the group.

clear art group members <instance_name> <group_name>


This global command is used to delete the users from the specified group.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

group_name This parameter specifies the name of the group.

art group mapping ad <instance_name> <server> <base> <username> <password>

This global command is used to configure external group mapping for Active Directory.

instance_name This parameter specifies the name of the ART instance.

server This parameter specifies the name of the AD server. Its value
should be a string of 1 to 255 characters.

base This parameter specifies the AD server host base string. Its value
should be a string of 1 to 255 characters.

username This parameter specifies the username for logging into the AD
server. Its value should be a string of 1 to 255 characters.

password This parameter specifies the password for logging into the AD
server. Its value should be a string of 1 to 255 characters.

no art group mapping ad <instance_name>


This global command is used to remove the external group mapping for Active Directory.

instance_name This parameter specifies the name of the ART instance.

show art group mapping ad [instance_name]


This global command is used to display the information of external group mapping for Active
Directory.

instance_name Optional. This parameter specifies the name of the ART instance.

2000-2018 Array Networks, Inc.


411
All Rights Reserved.
Chapter 15 DesktopDirect

Desktop Publishing

art desktop define {host|ip} [description] [mac_address] [custom_para] [port]


This global command is used to define a desktop.

host|ip This parameter specifies the hostname or the IP address of the
desktop. The value of the hostname should be a string of 1 to 250
characters and the value of IP should be given in dotted decimal
notation.

description Optional. This parameter specifies the description of the desktop.
Its value should be a string of 1 to 250 characters.

mac_address Optional. This parameter specifies the MAC address. Its value
should be a string of 1 to 255 characters without any spaces or
dashes (for example, 112233445566 or aabbccddeeff).

custom_para Optional. This parameter specifies the administrator’s self-defined
feature to be performed on the client. Its value should be a string of
1 to 255 characters.

port Optional. This parameter specifies the RDP Port. Its value should
be an integer ranging from 0 to 65535, and defaults to 0.

Note: If hostnames of desktops cannot be resolved using the virtual site's DNS settings,
the administrator needs to execute the “dns useglobal on” command to allow the virtual
site to use the global DNS settings for hostname resolution. Otherwise, the virtual site
cannot fetch the assigned desktops for users.

no art desktop define {host|ip}


This global command is used to delete an existing desktop.

host|ip This parameter specifies the hostname or the IP address of the
desktop.

show art desktop all [host|ip]


This global command is used to display the specified desktop.

host|ip Optional. This parameter specifies the hostname or the IP address of
the desktop. If this parameter is not specified, all the desktops
defined will be displayed.

2000-2018 Array Networks, Inc.


412
All Rights Reserved.
Chapter 15 DesktopDirect

art desktop rename {host|ip} {new_host|new_ip} [description] [mac_add] [custom_para] [port]

This global command is used to update the information of an existing desktop.

host|ip This parameter specifies the current hostname or the IP address of
the desktop.

new_host|new_ip This parameter specifies the new hostname or IP address of the
desktop.

description Optional. This parameter specifies the new description of the
desktop.

mac_add Optional. This parameter specifies the new MAC address.

custom_para Optional. This parameter specifies the administrator’s new
self-defined feature to be performed on the client.

port Optional. This parameter specifies the new RDP Port.

art desktop assign group <instance_name> <group_name> {host|ip}


This global command is used to assign a desktop to the specified group.

instance_name This parameter specifies the name of the ART instance to which the
group belongs. Its value should be a string of 1 to 50 characters.

group_name This parameter specifies the name of the group to which the
desktop is assigned. Its value should be a string of 1 to 250
characters.

host|ip This parameter specifies the hostname or the IP address of the
desktop.

no art desktop assign group <instance_name> <group_name> {host|ip}


This global command is used to delete the assignment of the desktop to the specified group.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

group_name This parameter specifies the name of the group to which the
desktop is assigned.

2000-2018 Array Networks, Inc.


413
All Rights Reserved.
Chapter 15 DesktopDirect

host|ip This parameter specifies the hostname or the IP address of the
desktop.

show art desktop group <instance_name> <group_name>


This global command is used to display the desktops assigned to the specified group.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

group_name This parameter specifies the name of the group to be displayed.

art desktop assign user <instance_name> <user_name> {host|ip}


This global command is used to assign a desktop to the specified user.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name This parameter specifies the name of the user to which the desktop
is assigned. Its value should be a string of 1 to 100 characters.

host|ip This parameter specifies the hostname or the IP address of the
desktop.

no art desktop assign user <instance_name> <user_name> {host|ip}


This global command is used to delete the assignment of the desktop to the specified user.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name This parameter specifies the name of the user to which the desktop
is assigned.

host|ip This parameter specifies the hostname or the IP address of the
desktop.

show art desktop user <instance_name> <user_name>


This global command is used to display the desktops assigned to the specified user.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

2000-2018 Array Networks, Inc.


414
All Rights Reserved.
Chapter 15 DesktopDirect

user_name This parameter specifies the name of the user to be displayed.

show art desktop associate {host|ip}


This global command is used to display all the associations of the desktop.

host|ip This parameter specifies the hostname or the IP address of the
desktop to be displayed.

art reset desktop <instance_name> <user_name> <host|ip>


This global command is used to reset a desktop creation timestamp for the specified user.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name This parameter specifies the name of the user to which the desktop
is assigned.

host|ip This parameter specifies the hostname or the IP address of the
desktop.

Power Management
art powermanagement wakeup desktop <instance_name> <user_name> {host|ip}

This global command is used to wake up the registered desktop for the specified user.

instance_name This parameter specifies the name of the ART instance to which the
user belongs. Its value should be a string of 1 to 50 characters.

user_name This parameter specifies the name of the user. Its value should be a
string of 1 to 100 characters.

host|ip This parameter specifies the hostname or IP address of the desktop.
The value of hostname should be a string of 1 to 250 characters and
the value of IP should be given in dotted decimal notation.

art powermanagement wakeup timeout <instance_name> <seconds>


This global command is used to set the timeout value. It is the maximum time to wait before a
wakeup attempt is regarded as failed.

instance_name This parameter specifies the name of the ART instance.

2000-2018 Array Networks, Inc.


415
All Rights Reserved.
Chapter 15 DesktopDirect

seconds This parameter specifies the timeout value in seconds. Its value
should be an integer ranging from 1 to 4,294,967,295.

show art powermanagement wakeup timeout <instance_name>


This global command is used to display the settings of power management wakeup timeout for the
specified ART instance.

instance_name This parameter specifies the name of the ART instance.

art powermanagement ipbird enabled <instance_name>


This global command is used to enable the IPBird power management provider for the specified
ART instance.

instance_name This parameter specifies the name of the ART instance.

no art powermanagement ipbird enabled <instance_name>


This global command is used to disable the IPBird power management provider for the specified
ART instance.

instance_name This parameter specifies the name of the ART instance.

art powermanagement ipbird unit <instance_name> <unit_ip> <username> <password>

This global command is used to add an IPBird unit for the specified ART instance.

instance_name This parameter specifies the name of the ART instance.

unit_ip This parameter specifies the IP address of the unit. Its value should
be given in dotted decimal notation.

username This parameter specifies the administrator username for logging
into the IPBird unit. Its value should be a string of 1 to 100
characters.

password This parameter specifies the administrator password for logging
into the IPBird unit. Its value should be a string of 1 to 100
characters.

no art powermanagement ipbird unit <instance_name> <unit_ip>


This global command is used to delete the specified IPBird unit from the specified ART instance.

2000-2018 Array Networks, Inc.


416
All Rights Reserved.
Chapter 15 DesktopDirect

instance_name This parameter specifies the name of the ART instance.

unit_ip This parameter specifies the IP address of the unit.

show art powermanagement ipbird units <instance_name>


This global command is used to display all the configured IPBird units for the specified ART
instance.

instance_name This parameter specifies the name of the ART instance to be
displayed.

art powermanagement wol enabled <instance_name>


This global command is used to enable the Wake-On-LAN (WoL) power management provider
for the specified ART instance.

instance_name This parameter specifies the name of the ART instance.

no art powermanagement wol enabled <instance_name>


This global command is used to disable the WoL power management provider for the specified
ART instance.

instance_name This parameter specifies the name of the ART instance.

art powermanagement wol relay <instance_name>


This global command is used to enable the WoL Relay function for the specified ART instance.
This function allows the ART server to communicate with software agents located on different
subnets utilizing standard multicast messages, which in turn are converted to local subnet
broadcast messages.

instance_name This parameter specifies the name of the ART instance.

no art powermanagement wol relay <instance_name>


This global command is used to disable the WoL Relay function for the specified ART instance.

instance_name This parameter specifies the name of the ART instance.

art powermanagement wol multicast <instance_name> <multicast_ip> <multicast_port>
This global command is used to set the IP address and port used for sending multicast messages to
WoL relay agents.

2000-2018 Array Networks, Inc.


417
All Rights Reserved.
Chapter 15 DesktopDirect

instance_name This parameter specifies the name of the ART instance.

multicast_ip This parameter specifies the IP address used for sending multicast
messages. Its value should be given in dotted decimal notation.

multicast_port This parameter specifies the port used for sending multicast
messages. Its value should be an integer ranging from 1 to 65,535.
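The relay flow described above (the ART server sends to the configured multicast group, a relay agent on the remote subnet converts the message to a local subnet broadcast) as an added Python example. This is not Array Networks code: the multicast address and port are constructed values of the kind set with "art powermanagement wol multicast", and it assumes the relayed payload is the standard Magic Packet (six 0xFF bytes followed by the target MAC address 16 times), which the handbook does not specify.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Group and port as they would be set with "art powermanagement wol multicast"
# (constructed for this example, not defaults documented by Array Networks).
RELAY_MULTICAST_IP = "239.255.0.10"
RELAY_MULTICAST_PORT = 9
# Assumption: the agent rebroadcasts on UDP port 9, the port most WoL
# listeners use.
WOL_BROADCAST_PORT = 9


def build_magic_packet(mac: str) -> bytes:
    """Build a standard WoL Magic Packet: six 0xFF bytes followed by the
    target MAC address repeated 16 times (102 bytes in total)."""
    mac_bytes = bytes.fromhex(re.sub(r"[:\-]", "", mac))
    if len(mac_bytes) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return b"\xff" * 6 + mac_bytes * 16


def parse_magic_packet(data: bytes) -> Optional[str]:
    """Return the target MAC if data is a well-formed Magic Packet, else None.
    Trailing bytes (a SecureOn password) are ignored."""
    if len(data) < 102 or data[:6] != b"\xff" * 6:
        return None
    mac = data[6:12]
    if data[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def relay_target(datagram: bytes, received_on: Tuple[str, int],
                 agent_subnet: str) -> Optional[Tuple[str, int, bytes]]:
    """Decide what a relay agent does with a datagram: forward a valid Magic
    Packet that arrived on the configured multicast group to the agent's local
    subnet broadcast address, and drop everything else so the agent cannot be
    used to broadcast arbitrary payloads onto its subnet.
    Returns (broadcast_ip, port, payload) or None."""
    if received_on != (RELAY_MULTICAST_IP, RELAY_MULTICAST_PORT):
        return None
    if parse_magic_packet(datagram) is None:
        return None
    network = ipaddress.ip_network(agent_subnet, strict=False)
    return str(network.broadcast_address), WOL_BROADCAST_PORT, datagram


if __name__ == "__main__":
    packet = build_magic_packet("00:11:22:33:44:55")
    print(relay_target(packet, (RELAY_MULTICAST_IP, RELAY_MULTICAST_PORT),
                       "192.168.10.37/24"))
```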

art powermanagement wol agent <instance_name> <agent_ip>


This global command is used to add a WoL relay agent for the specified ART instance.

instance_name This parameter specifies the name of the ART instance.

agent_ip This parameter specifies the IP address of the relay agent. Its value
should be given in dotted decimal notation.

no art powermanagement wol agent <instance_name> <agent_ip>


This global command is used to delete a WoL relay agent from the specified ART instance.

instance_name This parameter specifies the name of the ART instance.

agent_ip This parameter specifies the IP address of the relay agent.

show art powermanagement wol agents <instance_name>


This global command is used to display all the configured WoL relay agents for the specified ART
instance.

instance_name This parameter specifies the name of the ART instance.

art powermanagement wol interface <instance_name> <interface_ip>


This global command is used to specify the interface through which the WoL Magic Packets are
sent.

instance_name This parameter specifies the name of the ART instance.

interface_ip This parameter specifies the IP address of the interface. Its value
should be given in dotted decimal notation.

no art powermanagement wol interface <instance_name> <interface_ip>


This global command is used to delete the interface through which the WoL Magic Packets are
sent.

2000-2018 Array Networks, Inc.


418
All Rights Reserved.
Chapter 15 DesktopDirect

instance_name This parameter specifies the name of the ART instance.

interface_ip This parameter specifies the IP address of the interface.

show art powermanagement wol interface <instance_name>


This global command is used to display the WoL interface configurations for the specified ART
instance.

instance_name This parameter specifies the name of the ART instance.

show art powermanagement providers <instance_name> [enabled]


This global command is used to display the power management providers for the specified ART
instance.

instance_name This parameter specifies the name of the ART instance.

enabled Optional. If this parameter is specified, only enabled power
management providers will be displayed; otherwise, all the power
management providers will be displayed.

Device Based Identification
art device identification enabled <instance_name>
This global command is used to enable Device Based Identification for the specified ART
instance.

instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.

no art device identification enabled <instance_name>


This global command is used to disable Device Based Identification for the specified ART
instance.

instance_name This parameter specifies the name of the ART instance.

art device identification device authorize <instance_name> <device_type> [device_id] [user_name]
This global command is used to add a device to the list of authorized devices.

instance_name This parameter specifies the name of the ART instance.

2000-2018 Array Networks, Inc.


419
All Rights Reserved.
Chapter 15 DesktopDirect

device_type This parameter specifies the type of the device. Its value should be
a string of 1 to 255 characters.

device_id Optional. This parameter specifies the DeviceID. Its value should
be a string of 1 to 255 characters. If this parameter is not specified,
this operation will apply to all the devices of the specified device
type.

user_name Optional. This parameter specifies the name of the user to which the
device is associated. Its value should be a string of 1 to 100
characters. If this parameter is not specified, this operation will
apply to all the users in the specified ART instance.

no art device identification device authorize <instance_name> <device_type> [device_id] [user_name]
This global command is used to remove a device from the list of authorized devices.

instance_name This parameter specifies the name of the ART instance.

device_type This parameter specifies the type of the device.

device_id Optional. This parameter specifies the DeviceID.

user_name Optional. This parameter specifies the name of the user to which the
device is associated.

art device identification device enable <instance_name> <device_type> [device_id] [user_name]
This global command is used to enable a previously disabled device.

instance_name This parameter specifies the name of the ART instance.

device_type This parameter specifies the type of the device.

device_id Optional. This parameter specifies the DeviceID.

user_name Optional. This parameter specifies the name of the user to which the
device is associated.

art device identification device disable <instance_name> <device_type> [device_id] [user_name]

This global command is used to disable a previously enabled device. The disabled devices will
remain in the database and could be re-enabled later.

instance_name This parameter specifies the name of the ART instance.

device_type This parameter specifies the type of the device.

device_id Optional. This parameter specifies the DeviceID.

user_name Optional. This parameter specifies the name of the user to which the
device is associated.

clear art device identification device <instance_name> <device_type> <device_id>
This global command is used to delete all the Device Based Identification authorization records
for a specified device.

instance_name This parameter specifies the name of the ART instance.

device_type This parameter specifies the type of the device.

device_id This parameter specifies the DeviceID.

clear art device identification user <instance_name> <user_name>


This global command is used to delete all the Device Based Identification authorization records
for a specified user.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name This parameter specifies the name of the user.

clear art device identification all <instance_name>


This global command is used to delete all the Device Based Identification authorization records
for a specified instance.

instance_name This parameter specifies the name of the ART instance.

art device identification autoregistration enabled <instance_name>


This global command is used to enable Automatic Device Registration for the specified ART
instance.

2000-2018 Array Networks, Inc.


421
All Rights Reserved.
Chapter 15 DesktopDirect

instance_name This parameter specifies the name of the ART instance.

no art device identification autoregistration enabled <instance_name>


This global command is used to disable Automatic Device Registration for the specified ART
instance.

instance_name This parameter specifies the name of the ART instance.

art device identification autoregistration peruser <instance_name>


This global command is used to enable per-user Automatic Device Registration for the specified
ART instance. This option is valid only when Automatic Device Registration is enabled. When
this function is enabled, a device authorization request is created for each user who logs in from
the device for the first time, regardless of whether the device has already been registered for
other users.

instance_name This parameter specifies the name of the ART instance.

no art device identification autoregistration peruser <instance_name>


This global command is used to disable per-user Automatic Device Registration for the specified
ART instance.

instance_name This parameter specifies the name of the ART instance.

art device identification autoregistration accept <instance.index>


This global command is used to accept a pending device registration request.

instance.index This parameter specifies the name of the ART instance and the
device index (For example, default.3523).

art device identification autoregistration reject <instance.index>


This global command is used to reject a pending device registration request.

instance.index This parameter specifies the name of the ART instance and the
device index.

art device identification autoregistration acceptall <instance_name>


This global command is used to automatically accept all the registration requests for the specified
ART instance.

instance_name This parameter specifies the name of the ART instance.

no art device identification autoregistration acceptall <instance_name>

2000-2018 Array Networks, Inc.


422
All Rights Reserved.
Chapter 15 DesktopDirect

This global command is used to cancel automatically accepting all the registration requests for the
specified ART instance.

instance_name This parameter specifies the name of the ART instance.

art device identification compact <instance_name>


This global command is used to delete all the rejected device registration requests and disabled
authorizations for the specified ART instance.

instance_name This parameter specifies the name of the ART instance.

show art device identification devices all <instance_name>


This global command is used to display all the information about device registration requests and
device authorizations for the specified ART instance.

instance_name This parameter specifies the name of the ART instance.

The information will be displayed in the following format “<Index>. <State> <User name>
<Device Type> <DeviceID>”, where:

• Index – Unique index of the request or authorization.

• State – Empty (when authorization is enabled), Disabled, Pending or Rejected.

• User name – Empty if the record is not associated to any specific user.

• Device Type – The type of the device, such as iPhone or iPad.

• DeviceID – The UDID of the device.

For example:

1. iPad elgel-we089u7-slnklnsed
12. (Disabled) user1 iPhone sdoih-24kl23-kjbna7
20. (Pending) iPhone hosdh-ksjd9783-sdkjse
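The listing format above can be parsed so that pending requests, disabled records still in the database and instance-wide authorizations (enabled records with no user name, which apply to every user of the instance) can be reviewed. The following Python is an added example, not Array Networks code; the sample it parses is constructed in the documented format (the three lines shown above plus one enabled, user-bound record), and it assumes the device type is a single word.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the documented
# "<Index>. <State> <User name> <Device Type> <DeviceID>" format: the three
# lines from the handbook example plus one enabled, user-bound record.
# Not output captured from a real unit.
SAMPLE_LISTING = """\
1. iPad elgel-we089u7-slnklnsed
7. alice iPad abcd-1234-efgh
12. (Disabled) user1 iPhone sdoih-24kl23-kjbna7
20. (Pending) iPhone hosdh-ksjd9783-sdkjse
"""

# States the listing shows in parentheses; no state token means the
# authorization is enabled.
_STATE_RE = re.compile(r"^\((Disabled|Pending|Rejected)\)$")


@dataclass
class DeviceRecord:
    index: int
    state: str            # "Enabled", "Disabled", "Pending" or "Rejected"
    user: Optional[str]   # None when the record is not bound to a specific user
    device_type: str
    device_id: str


def parse_device_line(line: str) -> DeviceRecord:
    """Parse one record line. Assumes the device type is a single word
    (iPhone, iPad, ...); the user name may contain spaces."""
    tokens = line.split()
    if len(tokens) < 3 or not tokens[0].endswith("."):
        raise ValueError(f"not a device record: {line!r}")
    index = int(tokens[0][:-1])
    rest = tokens[1:]
    state = "Enabled"
    match = _STATE_RE.match(rest[0])
    if match:
        state = match.group(1)
        rest = rest[1:]
    if len(rest) < 2:
        raise ValueError(f"missing device type or DeviceID: {line!r}")
    device_id = rest[-1]
    device_type = rest[-2]
    user = " ".join(rest[:-2]) or None
    return DeviceRecord(index, state, user, device_type, device_id)


def parse_device_listing(text: str) -> List[DeviceRecord]:
    """Parse the whole "show ... devices all" output, skipping blank lines."""
    return [parse_device_line(line) for line in text.splitlines() if line.strip()]


def review_candidates(records: List[DeviceRecord]) -> List[DeviceRecord]:
    """Records an administrator should look at: requests still pending,
    disabled records that remain in the database, and enabled
    authorizations with no user name, which apply to every user of the
    instance."""
    return [
        r for r in records
        if r.state in ("Pending", "Disabled")
        or (r.state == "Enabled" and r.user is None)
    ]


if __name__ == "__main__":
    for record in review_candidates(parse_device_listing(SAMPLE_LISTING)):
        print(f"{record.index:>4}  {record.state:<9} user={record.user or '<any>'}"
              f"  {record.device_type} {record.device_id}")
```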

show art device identification devices user <instance_name> <user_name>
This global command is used to display the information about device registration requests and
device authorizations for the specified user.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name This parameter specifies the name of the user.

show art device identification devices search <instance_name> <udid>

2000-2018 Array Networks, Inc.


423
All Rights Reserved.
Chapter 15 DesktopDirect

This global command is used to display the information about device registration requests and
device authorizations for the specified device.

instance_name This parameter specifies the name of the ART instance and the
device index (optional).

udid This parameter specifies the DeviceID.

show art device identification configuration <instance_name>


This global command is used to display the current settings of Device Based Identification for the
specified ART instance.

instance_name This parameter specifies the UDID of the device.

Host SSO
art hostsso <instance_name> <host> <username> <password>
This global command is used to create or modify a Host SSO entry for the specified ART
instance.

instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.

host This parameter specifies the hostname. Its value should be a string
of 1 to 250 characters.

username This parameter specifies the username for logging into the host. Its
value should be a string of 1 to 100 characters.

password This parameter specifies the password for logging into the host. Its
value should be a string of 1 to 100 characters.

no art hostsso <instance_name> <host>


This global command is used to delete a specified Host SSO entry from the ART instance.

instance_name This parameter specifies the name of the ART instance.

host This parameter specifies the hostname.

show art hostsso <instance_name>


This global command is used to display all the Host SSO entries for the specified ART instance.

2000-2018 Array Networks, Inc.


424
All Rights Reserved.
Chapter 15 DesktopDirect

instance_name This parameter specifies the name of the ART instance.

Registration Policies
art registration policy desktopsperuser <instance_name> <max_number>
This global command is used to set the maximum number of desktops that can be registered by
each user in the specified ART instance.

instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.

max_number This parameter specifies the maximum number of desktops. Its
value should be an integer ranging from 0 to 4,294,967,295. “0”
means no limitation.

art registration policy multipleusers <instance_name> {allowed|not-allowed|single}
This global command is used to specify whether a desktop can be registered by multiple users in
the specified ART instance.

instance_name This parameter specifies the name of the ART instance.

allowed|not-allowed|single This parameter specifies whether the desktop can be registered by
multiple users. Its value can only be:

• allowed: indicates that the desktop can be registered by multiple users.

• not-allowed: indicates that the desktop cannot be registered by any users which belong to the
specified instance.

• single: indicates that the desktop can only be registered by one user.

art registration policy registrationlifetime <instance_name> <days>


This global command is used to set the number of days for which the desktop remains available
after registration in the specified ART instance.

instance_name This parameter specifies the name of the ART instance.

days This parameter specifies the number of days the desktop remains
available after registration. Its value should be an integer ranging
from 0 to 4,294,967,295. “0” means that the desktop will always be
available.

show art registration policy <instance_name>


This global command is used to display all the registration policy configurations for the specified
ART instance.

instance_name This parameter specifies the name of the ART instance.

SMX & VMView SSO
art vdiauth {on|off} <instance_name>
This global command is used to enable or disable the VDI authentication for the specified ART
instance.

instance_name This parameter specifies the name of the ART instance. Its value
should be a string of 1 to 50 characters.

art vdiauth account <instance_name> <user_name> <ad_user> <ad_pw>


This global command is used to configure a VDI authentication account for the specified user.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name This parameter specifies the name of the user. Its value should be a
string of 1 to 100 characters.

ad_user This parameter specifies the username of the AD server. Its value
should be a string of 1 to 255 characters.

ad_pw This parameter specifies the password of the AD server. Its value
should be a string of 1 to 255 characters.

no art vdiauth account <instance_name> [user_name]


This global command is used to delete a VDI authentication account for the specified user.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name Optional. This parameter specifies the name of the user. If this
parameter is not specified, the operation will apply to all the users
in the specified ART instance.

2000-2018 Array Networks, Inc.


426
All Rights Reserved.
Chapter 15 DesktopDirect

show art vdiauth account <instance_name> [user_name]


This global command is used to display VDI authentication account information for the specified
user.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name Optional. This parameter specifies the name of the user. If this
parameter is not specified, the operation will apply to all the users
in the specified ART instance.

show art vdiauth conf


This global command is used to display all the VDI authentication information.

Replication
art replication enable
This global command is used to enable the Replication function.

no art replication enable


This global command is used to disable the Replication function.

art replication join <ip>


This global command is used to specify a member to join a replication group.

ip This parameter specifies the IP address of the member. Its value
should be given in dotted decimal notation.

art replication leave


This global command is used to leave the replication group.

art replication master enable


This global command is used to enable the replication as the master.

art replication peer define <ip>


This global command is used to specify a replication peer.

ip This parameter specifies the IP address of the peer. Its value should
be given in dotted decimal notation.

no art replication peer define <ip>


This global command is used to delete an existing replication peer.

2000-2018 Array Networks, Inc.


427
All Rights Reserved.
Chapter 15 DesktopDirect

ip This parameter specifies the IP address of the peer.

clear art replication peer all


This global command is used to delete all replication peers.

show art replication status


This global command is used to display the current replication status.

Client Package
art client package import package <package_name> <url> [clean]
This global command is used to import a client package.

package_name This parameter specifies the name of the package. Its value should
be a string of 1 to 100 characters.

url This parameter specifies the URL of the package. Its value should
be a string of 1 to 255 characters.

clean Optional. If this parameter is specified, the temporary file generated
by importing the package will be deleted. Its value can only be
“clean”.

show art client package configuration [package_name]


This global command is used to display the client package configuration. If the parameter
“package_name” is not specified, a list of all the client packages will be displayed.

package_name Optional. This parameter specifies the name of the package to be
displayed.

clear art client package all


This global command is used to delete all the client packages.

Application Publishing

Terminal Server

art application terminalserver server define {host|ip} [port] [server_name]


This global command is used to create a new terminal server.

2000-2018 Array Networks, Inc.


428
All Rights Reserved.
Chapter 15 DesktopDirect

host|ip This parameter specifies the hostname or the IP address of the
terminal server. The value of the hostname should be a string of 1
to 255 characters and the value of the IP address should be given in
dotted decimal notation.

port Optional. This parameter specifies the RDP port configured on the
server. Its value should be an integer ranging from 1 to 65535, and
defaults to 3389.

server_name Optional. This parameter specifies the name of the terminal server.
Its value should be a string of 1 to 255 characters. If this parameter
is not specified, the hostname or IP address provided by the
administrator will be used as the terminal server name.

no art application terminalserver server define <server_name>


This global command is used to delete an existing terminal server and all the related settings.

server_name This parameter specifies the name of the terminal server.

art application terminalserver server enabled <server_name>


This global command is used to enable a terminal server.

server_name This parameter specifies the name of the terminal server.

no art application terminalserver server enabled <server_name>


This global command is used to disable a terminal server. The disabled terminal server remains in
the configuration, but it will not be used by any applications.

server_name This parameter specifies the name of the terminal server.

show art application terminalserver server [server_name]


This global command is used to display the application publishing configuration of a specified
terminal server.

server_name Optional. This parameter specifies the name of the terminal server
to be displayed. If this parameter is not specified, configurations of
all the terminal servers will be displayed.

art application terminalserver servergroup define <group_name>


This global command is used to create a terminal server group.

2000-2018 Array Networks, Inc.


429
All Rights Reserved.
Chapter 15 DesktopDirect

group_name This parameter specifies the name of the terminal server group. Its
value should be a string of 1 to 250 characters.

no art application terminalserver servergroup define <group_name>


This global command is used to delete an existing terminal server group.

group_name This parameter specifies the name of the terminal server group.

art application terminalserver servergroup rename <old_group_name> <new_group_name>

This global command is used to rename an existing terminal server group.

old_group_name This parameter specifies the current name of the terminal server
group. Its value should be a string of 1 to 250 characters.

new_group_name This parameter specifies the new name of the terminal server group.
Its value should be a string of 1 to 250 characters.

art application terminalserver servergroup member <group_name> <server_name>
This global command is used to add a terminal server to the specified terminal server group.

group_name This parameter specifies the name of the terminal server group.

server_name This parameter specifies the name of the terminal server.

no art application terminalserver servergroup member <group_name> <server_name>

This global command is used to delete an existing terminal server from the specified terminal
server group.

group_name This parameter specifies the name of the terminal server group.

server_name This parameter specifies the name of the terminal server.

show art application terminalserver servergroup [group_name]


This global command is used to display the configuration of a specified terminal server group.

group_name Optional. This parameter specifies the name of the terminal server
group to be displayed. If this parameter is not specified,
configurations of all the terminal server groups will be displayed.

2000-2018 Array Networks, Inc.


430
All Rights Reserved.
Chapter 15 DesktopDirect

art application terminalserver application define <app_name>


This global command is used to create a terminal server based application.

app_name This parameter specifies the name of the application. Its value
should be a string of 1 to 255 characters.

no art application terminalserver application define <app_name>


This global command is used to delete an existing terminal server based application.

app_name This parameter specifies the name of the application.

art application terminalserver application rename <old_app_name> <new_app_name>

This global command is used to rename an existing terminal server based application.

old_app_name This parameter specifies the current name of the application. Its
value should be a string of 1 to 255 characters.

new_app_name This parameter specifies the new name of the application. Its value
should be a string of 1 to 255 characters.

art application terminalserver application description <app_name> <description>
This global command is used to add the description of the specified application.

app_name This parameter specifies the name of the application.

description This parameter specifies the description. Its value should be a string
of 1 to 255 characters.

no art application terminalserver application description <app_name>


This global command is used to delete the description of the specified application.

app_name This parameter specifies the name of the application.

art application terminalserver application location <app_name> <location>


This global command is used to set the location of the specified application. The location refers to
the path and the name of the executable application on the terminal server.

app_name This parameter specifies the name of the application.

2000-2018 Array Networks, Inc.


431
All Rights Reserved.
Chapter 15 DesktopDirect

location This parameter specifies the location of the application. Its value
should be a string of 1 to 255 characters.

art application terminalserver application directory <app_name> <directory>
This global command is used to set the remote working directory of the specified application after
the user logs into the DD client.

app_name This parameter specifies the name of the application.

directory This parameter specifies the directory of the application. Its value
should be a string of 1 to 255 characters.

no art application terminalserver application directory <app_name>


This global command is used to delete the remote working directory of the specified application.

app_name This parameter specifies the name of the application.

art application terminalserver application folder <app_name> <folder>


This global command is used to set the folder where the specified application will be displayed
after the user logs into the DD client.

app_name This parameter specifies the name of the application.

folder This parameter specifies the folder of the application. Its value
should be a string of 1 to 255 characters. It supports multi-layer
folders separated by the “\” character. For example, “Daily\Office”
will display the application in the Office folder.

no art application terminalserver application folder <app_name>


This global command is used to delete the folder of the specified application.

app_name This parameter specifies the name of the application.

art application terminalserver application enabled <app_name>


This global command is used to enable the specified application.

app_name This parameter specifies the name of the application.

no art application terminalserver application enabled <app_name>

2000-2018 Array Networks, Inc.


432
All Rights Reserved.
Chapter 15 DesktopDirect

This global command is used to disable the specified application. A disabled application remains
in the configuration, but it will not be presented to the user.

app_name This parameter specifies the name of the application.

art application terminalserver application server <app_name> {server|server_group}
This global command is used to add a server (or a group of servers) to the list of servers that host
the specified application. When the user selects to launch the application, DesktopDirect will
select one of the servers.

app_name This parameter specifies the name of the application.

server|server_group This parameter specifies the name of the server or server group. Its
value should be a string of 1 to 255 characters.

no art application terminalserver application server <app_name> {server|server_group}

This global command is used to delete an existing server (or a group of servers) from the list of
servers that host the specified application.

app_name This parameter specifies the name of the application.

server|server_group This parameter specifies the name of the server or server group.

art application terminalserver application windowsize fullscreen <app_name>
This global command is used to set the application to be displayed in a window that will cover the
length and width of the screen.

app_name This parameter specifies the name of the application.

art application terminalserver application windowsize custom <app_name> <width> <height>
This global command is used to set the width and the height of the window where the application
will be displayed.

app_name This parameter specifies the name of the application.

width This parameter specifies the width of the window in pixels. Its
value should be an integer ranging from 1 to 65,535.

2000-2018 Array Networks, Inc.


433
All Rights Reserved.
Chapter 15 DesktopDirect

height This parameter specifies the height of the window in pixels. Its
value should be an integer ranging from 1 to 65,535.

art application terminalserver application refreshicon <app_name>


This global command is used to refresh the icon of the application by communicating with one of
the servers that host the application.

app_name This parameter specifies the name of the application.

show art application terminalserver application [app_name]

This global command is used to display the configuration of a specified application. If the
“app_name” parameter is not specified, configurations of all the applications will be displayed.

app_name Optional. This parameter specifies the name of the application to be
displayed.

clear art application terminalserver


This global command is used to delete all the terminal server based application configurations.

XenApp Definition

art application xenapp farm define <farm_name>


This global command is used to define a new XenApp server farm from which XenApp
applications will be launched.

farm_name This parameter specifies the name of the farm. Its value should be a
string of 1 to 255 characters.

no art application xenapp farm define <farm_name>


This global command is used to delete an existing XenApp server farm.

farm_name This parameter specifies the name of the farm.

art application xenapp farm rename <old_farm_name> <new_farm_name>


This global command is used to rename an existing XenApp farm.

old_farm_name This parameter specifies the current name of the farm. Its value
should be a string of 1 to 255 characters.

new_farm_name This parameter specifies the new name of the farm. Its value should
be a string of 1 to 255 characters.

art application xenapp farm enabled <farm_name>


This global command is used to enable a specified XenApp server farm.

farm_name This parameter specifies the name of the farm.

no art application xenapp farm enabled <farm_name>


This global command is used to disable a specified XenApp server farm. When disabled, the farm
retains the configuration but its applications will not be presented to the user.

farm_name This parameter specifies the name of the farm.

art application xenapp farm folder <farm_name> <folder>


This global command is used to set a XenApp server farm folder where applications of a specified
XenApp server farm will be presented to the user.

farm_name This parameter specifies the name of the farm.

folder This parameter specifies the folder (on the user portal) where
applications of a specified XenApp server farm will be presented to
the user. For example, if folder “HR” is specified, all applications
from the farm will be presented under the HR folder that is
presented at the root of the user’s portal. Its value should be a string
of 1 to 255 characters.

no art application xenapp farm folder <farm_name>


This global command is used to delete a XenApp server farm folder.

farm_name This parameter specifies the name of the farm.

art application xenapp farm server <farm_name> <host|ip:port> [order]


This global command is used to add a new XenApp server to the XenApp server farm.

farm_name This parameter specifies the name of the farm.

host|ip:port This parameter specifies the hostname or IP address of the server.
The value of the hostname should be a string of 1 to 255 characters.
The port number of an IP address is optional, and defaults to 80.

order Optional. This parameter specifies the position of the newly added
server in the server farm. If it is not specified or larger than the
current number of servers in the farm, the server will be inserted as
the last one. Its value should be an integer ranging from 0 to
4,294,967,295, and defaults to 99,999.

no art application xenapp farm server <farm_name> <order>


This global command is used to delete an existing XenApp server from the XenApp server farm.

farm_name This parameter specifies the name of the farm.

order This parameter specifies the position of the server.

show art application xenapp farm [farm_name]


This global command is used to display the configuration of a XenApp server farm.

farm_name Optional. This parameter specifies the name of the farm to be
displayed. If this parameter is not specified, the configurations of
all XenApp server farms will be displayed.

clear art application xenapp


This global command is used to delete all XenApp related configuration.

Association

art application associate instance <app_or_farm> <instance_name>


This global command is used to associate a XenApp server farm or a Terminal Server based
application to a specified instance.

app_or_farm This parameter specifies the name of the XenApp server farm or the
Terminal Server based application. Its value should be a string of 1
to 255 characters.

instance_name This parameter specifies the name of the instance. Its value should
be a string of 1 to 50 characters.

no art application associate instance <app_or_farm> <instance_name>


This global command is used to disassociate a XenApp server farm or a Terminal Server based
application from a specified instance.

app_or_farm This parameter specifies the name of the XenApp server farm or the
Terminal Server based application.

2000-2018 Array Networks, Inc.


436
All Rights Reserved.
Chapter 15 DesktopDirect

instance_name This parameter specifies the name of the instance.

art application associate group <app_or_farm> <instance_name> <group_name>
This global command is used to associate a XenApp server farm or a Terminal Server based
application to a specified group.

app_or_farm This parameter specifies the name of the XenApp server farm or the
Terminal Server based application.

instance_name This parameter specifies the name of the instance to which the
group belongs.

group_name This parameter specifies the name of the group. Its value should be
a string of 1 to 250 characters.

no art application associate group <app_or_farm> <instance_name> <group_name>

This global command is used to disassociate a XenApp server farm or a Terminal Server based
application from a specified group.

app_or_farm This parameter specifies the name of the XenApp server farm or the
Terminal Server based application.

instance_name This parameter specifies the name of the instance to which the
group belongs.

group_name This parameter specifies the name of the group.

art application associate user <app_or_farm> <instance_name> <user_name>
This global command is used to associate a XenApp server farm or a Terminal Server based
application to a specified user.

app_or_farm This parameter specifies the name of the XenApp server farm or the
Terminal Server based application.

instance_name This parameter specifies the name of the instance to which the user
belongs.

user_name This parameter specifies the name of the user. Its value should be a
string of 1 to 100 characters.

2000-2018 Array Networks, Inc.


437
All Rights Reserved.
Chapter 15 DesktopDirect

no art application associate user <app_or_farm> <instance_name> <user_name>
This global command is used to disassociate a XenApp server farm or a Terminal Server based
application from a specified user.

app_or_farm This parameter specifies the name of the XenApp server farm or the
Terminal Server based application. Its value should be a string of 1
to 255 characters.

instance_name This parameter specifies the name of the instance to which the user
belongs.

user_name This parameter specifies the name of the user.

show art application associate [app_name]


This global command is used to display the association-related configuration of an application.

app_name Optional. This parameter specifies the name of the application to be
displayed. If this parameter is not specified, association-related
configuration for all applications will be displayed.

clear art application associate <app_name>


This global command is used to delete all association-related configuration of an application.

app_name This parameter specifies the name of the application.

External Providers
art external provider create <provider_name> <provider_type>
This global command is used to create an external provider.

provider_name This parameter specifies the name of the external provider. Its value
should be a string of 1 to 250 characters.

provider_type This parameter specifies the type of the external provider. Its value
can only be “xendesktop”, “vmview” or “epapi”.

Note: According to the XML specification, the characters “<”, “&”, “>”, “"” and “'”
must not appear unescaped in XML content. Because the XenDesktop provider sends the
HTTP POST request in XML format, do not include those characters in the username
or password when preparing an XML HTTP POST request.

2000-2018 Array Networks, Inc.


438
All Rights Reserved.
Chapter 15 DesktopDirect

art external provider rename <old_name> <new_name>


This global command is used to rename an existing external provider.

old_name This parameter specifies the current name of the external provider.

new_name This parameter specifies the new name of the external provider.

art external provider config xendesktop <provider_name> <host|ip> <port> <domain>
This global command is used to configure a XenDesktop data collector for the specified external
provider.

provider_name This parameter specifies the name of the external provider.

host|ip This parameter specifies the hostname or IP address of the
XenDesktop data collector. Its value should be a string of 1 to 255
characters.

port This parameter specifies the port of the XenDesktop data collector.
Its value should be an integer ranging from 1 to 65,535, and
defaults to 80.

domain This parameter specifies the domain name of the XenDesktop data
collector. Its value should be a string of 1 to 255 characters.

no art external provider config xendesktop <provider_name> <host|ip> <port>
This global command is used to remove the XenDesktop data collector configuration of the
specified external provider.

provider_name This parameter specifies the name of the external provider.

host|ip This parameter specifies the hostname or IP address of the
XenDesktop data collector.

port This parameter specifies the port of the XenDesktop data collector.

art external provider config vmview <provider_name> <host|ip> <port> <domain> <timeout>
This global command is used to configure a VMView connection server for the specified external
provider.

2000-2018 Array Networks, Inc.


439
All Rights Reserved.
Chapter 15 DesktopDirect

provider_name This parameter specifies the name of the external provider.

host|ip This parameter specifies the hostname or IP address of the VMView
connection server. Its value should be a string of 1 to 255
characters.

port This parameter specifies the port of the VMView connection server.
Its value should be an integer ranging from 1 to 65,535, and
defaults to 443.

domain This parameter specifies the domain name of the VMView
connection server. Its value should be a string of 1 to 255
characters.

timeout This parameter specifies the timeout value of the connection
between AG and the VMView connection server. Its value should
be an integer ranging from 1 to 65,535.

no art external provider config vmview <provider_name> <host|ip> <port>


This global command is used to remove the VMView connection server configuration of the
specified external provider.

provider_name This parameter specifies the name of the external provider.

host|ip This parameter specifies the hostname or IP address of the VMView
connection server.

port This parameter specifies the port of the VMView connection server.

art external provider config epapi <provider_name> <host|ip> <port>


This global command is used to configure an External Provider (EP) Application Programming
Interface (API) server for a specified external provider.

provider_name This parameter specifies the name of the external provider.

host|ip This parameter specifies the hostname or IP address of the EP API
server. Its value should be a string of 1 to 255 characters.

port This parameter specifies the port of the EP API server. Its value
should be an integer ranging from 1 to 65,535.

no art external provider config epapi <provider_name> <host|ip> <port>

2000-2018 Array Networks, Inc.


440
All Rights Reserved.
Chapter 15 DesktopDirect

This global command is used to remove the EP API server configuration of the specified external
provider.

provider_name This parameter specifies the name of the external provider.

host|ip This parameter specifies the hostname or IP address of the EP API
server.

port This parameter specifies the port of the EP API server.

art external provider assign instance <provider_name> <instance_name>


This global command is used to assign an external provider to a specified ART instance.

provider_name This parameter specifies the name of the external provider.

instance_name This parameter specifies the name of the ART instance to which the
external provider is assigned. Its value should be a string of 1 to 50
characters.

no art external provider assign instance <provider_name> <instance_name>
This global command is used to delete the assignment of the external provider to the specified
ART instance.

provider_name This parameter specifies the name of the external provider.

instance_name This parameter specifies the name of the ART instance to which the
external provider is assigned.

show art external provider assignment instance <provider_name>


This global command is used to display assignments of the specified external provider by ART
instance.

provider_name This parameter specifies the name of the external provider.

art external provider assign group <provider_name> <instance_name>


<group_name>
This global command is used to assign an external provider to a specified group.

provider_name This parameter specifies the name of the external provider.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

group_name This parameter specifies the name of the group to which the
external provider is assigned. Its value should be a string of 1 to
250 characters.

no art external provider assign group <provider_name> <instance_name> <group_name>
This global command is used to delete the assignment of the external provider to the specified
group.

provider_name This parameter specifies the name of the external provider.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

group_name This parameter specifies the name of the group to which the
external provider is assigned.

show art external provider assignment group <provider_name>


This global command is used to display assignments of the specified external provider by group.

provider_name This parameter specifies the name of the external provider.

art external provider assign user <provider_name> <instance_name> <user_name>
This global command is used to assign an external provider to a specified user.

provider_name This parameter specifies the name of the external provider.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name This parameter specifies the name of the user to which the external
provider is assigned. Its value should be a string of 1 to 100
characters.

no art external provider assign user <provider_name> <instance_name> <user_name>
This global command is used to delete the assignment of the external provider to the specified
user.

2000-2018 Array Networks, Inc.


442
All Rights Reserved.
Chapter 15 DesktopDirect

provider_name This parameter specifies the name of the external provider.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name This parameter specifies the name of the user to which the external
provider is assigned.

show art external provider assignment user <provider_name>


This global command is used to display assignments of the specified external provider by user.

provider_name This parameter specifies the name of the external provider.

show art external provider assignment name <provider_name>


This global command is used to display all assignments of the specified external provider.

provider_name This parameter specifies the name of the external provider.

show art external provider name <provider_name>


This global command is used to display the external provider by the provider name.

provider_name This parameter specifies the name of the external provider.

show art external provider type <provider_type>


This global command is used to display the external providers by the provider type.

provider_type This parameter specifies the type of the external provider. Its value
can only be “xendesktop”, “vmview” or “epapi”.

show art external provider all


This global command is used to display all the external providers.

clear art external provider [provider_name]


This global command is used to delete the specified external provider. If the parameter
“provider_name” is not specified, all the external providers will be deleted.

provider_name Optional. This parameter specifies the name of the external
provider.

2000-2018 Array Networks, Inc.


443
All Rights Reserved.
Chapter 15 DesktopDirect

Data Protection
art dataprotection default redirect <option>
This global command is used to enable a specified data protection redirection option. These
settings will apply to all users who do not have a custom policy assigned to them.

option This parameter specifies the option to be enabled. Its value can only
be:
- drive
- clipboard
- printer
- smartcard
- ports
- POS

no art dataprotection default redirect <option>


This global command is used to disable the specified data protection redirection option.

option This parameter specifies the option to be disabled.

art dataprotection custom define <policy_name>


This global command is used to create a custom data protection policy.

policy_name This parameter specifies the name of the policy. Its value should be
a string of 1 to 255 characters.

no art dataprotection custom define <policy_name>


This global command is used to delete a custom data protection policy.

policy_name This parameter specifies the name of the policy.

art dataprotection custom rename <old_policy> <new_policy>


This global command is used to rename an existing custom data protection policy.

old_policy This parameter specifies the current name of the policy to be
renamed.

new_policy This parameter specifies the new name of the policy.

2000-2018 Array Networks, Inc.


444
All Rights Reserved.
Chapter 15 DesktopDirect

art dataprotection custom redirect <option> <policy_name>


This global command is used to enable the specified redirection option for the specified policy.

option This parameter specifies the option to be enabled. Its value can only
be:
- drive
- clipboard
- printer
- smartcard
- ports
- POS

policy_name This parameter specifies the name of the policy.

no art dataprotection custom redirect <option> <policy_name>


This global command is used to disable the specified redirection option for the specified policy.

option This parameter specifies the option to be disabled.

policy_name This parameter specifies the name of the policy.

art dataprotection assign instance <policy_name> <instance_name>


This global command is used to assign a data protection policy to a specified ART instance.

policy_name This parameter specifies the name of the policy.

instance_name This parameter specifies the name of the ART instance to which the
policy is assigned. Its value should be a string of 50 characters.

no art dataprotection assign instance <policy_name> <instance_name>


This global command is used to delete the assignment of the data protection policy to the specified
ART instance.

policy_name This parameter specifies the name of the policy.

instance_name This parameter specifies the name of the ART instance to which the
policy is assigned.

2000-2018 Array Networks, Inc.


445
All Rights Reserved.
Chapter 15 DesktopDirect

art dataprotection assign group <policy_name> <instance_name>


<group_name>
This global command is used to assign a data protection policy to a specified group.

policy_name This parameter specifies the name of the policy.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

group_name This parameter specifies the name of the group to which the policy
is assigned. Its value should be a string of 250 characters.

no art dataprotection assign group <policy_name> <instance_name>


<group_name>
This global command is used to delete the assignment of the data protection policy to the specified
group.

policy_name This parameter specifies the name of the policy.

instance_name This parameter specifies the name of the ART instance to which the
group belongs.

group_name This parameter specifies the name of the group to which the policy
is assigned.

art dataprotection assign user <policy_name> <instance_name>


<user_name>
This global command is used to assign a data protection policy to a specified user.

policy_name This parameter specifies the name of the policy.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name This parameter specifies the name of the user to which the policy is
assigned. Its value should be a string of 100 characters.

no art dataprotection assign user <policy_name> <instance_name>


<user_name>
This global command is used to delete the assignment of the data protection policy to the specified
user.

2000-2018 Array Networks, Inc.


446
All Rights Reserved.
Chapter 15 DesktopDirect

policy_name This parameter specifies the name of the policy.

instance_name This parameter specifies the name of the ART instance to which the
user belongs.

user_name This parameter specifies the name of the user to which the policy is
assigned.

show art dataprotection policy [policy_name]


This global command is used to display the configuration of a policy. If the parameter
“policy_name” is not specified, all the configured policies and related information will be
displayed.

policy_name Optional. This parameter specifies the name of the policy.
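The Terminal Server application, association and data protection commands above, worked through end to end as an added example that is not part of the Array handbook: it publishes one application to a group and pairs that group with a restrictive data protection policy, so that drive and clipboard redirection (the usual channels for moving data off the remote host) are only available where explicitly enabled. The instance “corp”, group “finance”, application “ledger”, server group “ts-group-1”, policy “no-exfil” and the Windows paths are constructed placeholders, and the application is assumed to have been defined already with the define command that precedes this section.

```text
# --- Publish the application (assumed already defined as "ledger") ---
# Executable and working directory on the terminal servers; the folder
# path uses the "\" separator the handbook documents for multi-layer folders.
art application terminalserver application location ledger C:\Apps\Ledger\ledger.exe
art application terminalserver application directory ledger C:\Apps\Ledger
art application terminalserver application folder ledger Finance\Accounting
art application terminalserver application server ledger ts-group-1
art application terminalserver application windowsize custom ledger 1280 800
art application terminalserver application enabled ledger

# Only the finance group of instance "corp" sees the application.
art application associate group ledger corp finance

# --- Default data protection for everyone without a custom policy ---
# The handbook does not state the initial state of each option, so each
# option is set explicitly rather than relying on a default.
no art dataprotection default redirect drive
no art dataprotection default redirect clipboard
no art dataprotection default redirect ports
no art dataprotection default redirect POS
art dataprotection default redirect printer
art dataprotection default redirect smartcard

# --- Stricter custom policy for the group that gets the ledger app ---
# Smart card redirection only (needed for card-based logon); no drive,
# clipboard, printer, serial port or POS redirection at all.
art dataprotection custom define no-exfil
art dataprotection custom redirect smartcard no-exfil
art dataprotection assign group no-exfil corp finance

# --- Verify what will actually be presented and enforced ---
show art application terminalserver application ledger
show art application associate ledger
show art dataprotection policy no-exfil
```

Re-run the three show commands after any later change to the group or policy, because assigning a custom policy is what removes a user from the default settings.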

Client Settings
art client settings set <set_name>
This global command is used to define a new client settings set.

set_name This parameter specifies the name of the set. Its value should be a
string of 1 to 100 characters.

no art client settings set <set_name>


This global command is used to delete an existing client settings set.

set_name This parameter specifies the name of the set.

show art client settings set [set_name]


This global command is used to display the client settings set configuration. If the parameter
“set_name” is not specified, a list of all the client settings sets will be displayed.

set_name Optional. This parameter specifies the name of the set to be
displayed.

art client settings custom <set_name> <platform> <custom_parameter> <custom_value>
This global command is used to configure custom client settings. Administrators can define their
own feature and its corresponding value to be performed on the client with the specified platform.

2000-2018 Array Networks, Inc.


447
All Rights Reserved.
Chapter 15 DesktopDirect

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform. Its value must only be:
- all
- windows
- macos
- iphone
- ipad
- android

custom_parameter This parameter specifies the name of the feature. For the supported
parameter values, please refer to the following table for details.

custom_value This parameter specifies the value of the feature. For the supported
parameter values, please refer to the following table for details.

Table 15-1 Parameter Types of the Custom Parameter

Note: The default values in the following table indicate the values that will be used by the
system if this command is not executed.

Custom Parameter Description Value

Determines whether to record  0: The sound is not recorded.


audiocapturemode the sound on the local  1: The sound is recorded.
computer.
The default value is 0.

 0: The bulk compression is


disabled.
Determines whether to enable
compression  1: The bulk compression is
the bulk compression.
enabled.

The default value is 1.

 0: The RDP efficient


multimedia streaming is not
Determines whether the RDP used for video playback.
efficient multimedia
videoplaybackmode  1: The RDP efficient
streaming for video playback
will be used. multimedia streaming is used
for video playback.

The default value is 1.

2000-2018 Array Networks, Inc.


448
All Rights Reserved.
Chapter 15 DesktopDirect

 0: The font smoothing is


Determines whether to enable disabled.
allow_font_smoothing the font smoothing for the  1: The font smoothing is
remote session. enabled.

The default value is 1.

Determines whether to enable  0: The desktop composition is


the desktop composition disabled.
allow_desktop_composition (needed for Aero) when the  1: The desktop composition is
end user logs into the remote enabled.
host.
The default value is 0.

 0: The cursor blinking is


Determines whether to enable enabled.
disable_cursor_setting cursor blinking during a  1: The cursor blinking is
Terminal Services session. disabled.

The default value is 0.

Determines whether to enable  0: The DirectX is disabled.


redirectdirectx the DirectX for the remote  1: The DirectX is enabled.
session.
The default value is 1.

 0: The client does not


Determines whether the client automatically try to
will automatically try to reconnect.
autoreconnection_enabled
reconnect to the remote host  1: The client automatically
if the connection is dropped. tries to reconnect.

The default value is 0.

Determines whether a prompt  0: The saved credentials will


for credentials will be be used and no prompt for
displayed when the end user credentials will be displayed.
prompt_for_credentials
connects to a remote host for  1: The prompt for credentials
which the credentials have will be displayed.
been previously saved.
The default value is 0.

 0: The security layer


Determines whether the
negotiation is disabled and
negotiate_security_layer security layer negotiation is
the session is started by using
enabled.
SSL.

2000-2018 Array Networks, Inc.


449
All Rights Reserved.
Chapter 15 DesktopDirect

• 1: The security layer negotiation is enabled and the session is started by using
x.224 encryption.
The default value is 1.

gatewayprofileusagemethod Determines whether the authentication method will be used for the
remote desktop gateway.
• 0: The authentication method will not be used.
• 1: The authentication method will be used.
The default value is 0.

promptcredentialonce Determines whether to use the same credential for both the remote desktop
gateway and the remote host.
• 0: The same credential will not be used.
• 1: The same credential will be used.
The default value is 0.

connection_type Determines the connection speed of the client.
• 1: Set the connection speed to Modem (56 Kbps).
• 2: Set the connection speed to Low-speed broadband (256 Kbps – 2 Mbps).
• 3: Set the connection speed to Satellite (2 Mbps – 16 Mbps with high latency).
• 4: Set the connection speed to High-speed broadband (2 Mbps – 10 Mbps).
• 5: Set the connection speed to WAN (10 Mbps or higher with high latency).
• 6: Set the connection speed to LAN (10 Mbps or higher).
The default value is 2.

gatewayusagemethod Determines how to use the remote desktop gateway server.
• 0: The remote desktop gateway server is not used. The bypass remote desktop gateway
server for local address check box is cleared.
• 1: The remote desktop gateway server is always used, even for local connections.
• 2: The remote desktop gateway server is used if the end user cannot connect to the
remote host directly (for example, bypass for local IP addresses).
• 3: The default remote gateway settings are used.
• 4: The remote desktop gateway server is not used. The bypass remote desktop gateway
server for local address check box is cleared.
The default value is 4.

gatewaycredentialssource Specifies the credentials that should be used to validate the connection
to the remote desktop gateway.
• 0: The password is required (NTLM).
• 1: The smart card is used.
• 4: Allow end users to select later.
The default value is 4.

autoreconnect_max_retries Specifies the maximum number of times the client will try to reconnect
to the remote host if the connection is dropped. Its value is an integer ranging from 1 to 200.
The default value is 1.

multimon Determines whether to support multiple monitors.
• 0: Multiple monitor support is disabled.
• 1: Multiple monitor support is enabled.
The default value is 0.

smart_sizing Determines whether the window size of the client PC can be adaptively adjusted.
• 0: The window size of the client PC cannot be adaptively adjusted.
• 1: The window size of the client PC can be adaptively adjusted.
The default value is 1.

disableremoteappcapscheck Determines whether the RemoteApp capabilities of the remote host will
be checked.
• 0: The RemoteApp capabilities of the remote host will be checked.
• 1: The RemoteApp capabilities of the remote host will not be checked.
The default value is 1.

disableconnectionsharing Determines whether a new terminal server session is started every time
the RemoteApp is launched.
• 0: No new session is started. The current active session will be used.
• 1: A new login session is started for the RemoteApp.
The default value is 1.

span Determines whether the remote session window will be spanned across multiple monitors.
• 0: Monitor spanning is not enabled.
• 1: Monitor spanning is enabled.
The default value is 0.

showrdpfile Determines whether the RDP file will be displayed in temp.
• 0: The RDP file will not be displayed in temp.
• 1: The RDP file will be displayed in temp.
The default value is 0.

keyboardhook Determines how Windows key combinations are applied when you are connected to a
remote host.
• 0: Windows key combinations are applied on the local computer.
• 1: Windows key combinations are applied on the remote computer.
• 2: Windows key combinations are applied in full-screen mode only (only when using the full
screen).
The default value is 1.

audiomode Controls whether to play the sound, and where to play the sound.
• 0: The sound will be played on the local host.
• 1: The sound will be played on the remote host.
• 2: The sound will not be played.
The default value is 0.

securityrdp Controls whether to allow users to access the remote desktop that they have accessed
previously by double clicking the RDP file generated when accessing the remote desktop via the
DesktopDirect portal for the first time.
Note: With this parameter configured, if a wrong username or password was entered previously,
users cannot log into the remote desktop even with the valid username and password until users
log out and log in again. Please note that if the SSO function is enabled using the “art client
settings sso” command, this issue will also occur if a wrong username or password was used to log
into the virtual site previously.
• 0: Yes.
• 1: No. Users can access the remote desktop only via the DesktopDirect portal. (recommended)
The default value is 1.

validappsize Controls whether to allow users to adjust the window size of the published
application.
• 0: The window size of the published application cannot be adjusted.
• 1: The window size of the published application can be adjusted.
The default value is 0.

screen_mode_id Controls how to decide the size of the RDP window. This configuration can take
effect only when the multi-monitor (configured by using the “multimon” custom parameter) is
disabled.
• 1: The size of the RDP window will be decided by the setting specified by the “art client
settings screensize” command.
• 2: The size of the RDP window is full screen no matter whether the “art client settings
screensize” command is configured or not.
The default value is 1.

authentication_level Determines what should happen when server authentication fails.
• 0: If server authentication fails, connect without giving a warning.
• 1: If server authentication fails, do not connect.
• 2: If server authentication fails, show a warning and allow the user to connect or not.
• 3: Server authentication is not required.
The default value is 2.
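The documented value sets and defaults above can be checked automatically before a settings set is associated with an instance. The following Python script is an added example, not Array Networks code; it assumes the custom parameters of one set are available as a name-to-value mapping, and its fallback to the documented default for an invalid value is an assumption.

```python
"""Audit a DesktopDirect custom client-settings set against the values and
defaults documented for the "art client settings custom" parameters.
Added example, not Array Networks code."""
from dataclasses import dataclass

# Documented values per custom parameter (from the handbook table).
ALLOWED = {
    "gatewayprofileusagemethod": {0, 1}, "promptcredentialonce": {0, 1},
    "connection_type": set(range(1, 7)), "gatewayusagemethod": {0, 1, 2, 3, 4},
    "gatewaycredentialssource": {0, 1, 4},
    "autoreconnect_max_retries": set(range(1, 201)),
    "multimon": {0, 1}, "smart_sizing": {0, 1},
    "disableremoteappcapscheck": {0, 1}, "disableconnectionsharing": {0, 1},
    "span": {0, 1}, "showrdpfile": {0, 1}, "keyboardhook": {0, 1, 2},
    "audiomode": {0, 1, 2}, "securityrdp": {0, 1}, "validappsize": {0, 1},
    "screen_mode_id": {1, 2}, "authentication_level": {0, 1, 2, 3},
}

# Documented default that applies when a parameter is not configured.
DEFAULTS = {
    "gatewayprofileusagemethod": 0, "promptcredentialonce": 0,
    "connection_type": 2, "gatewayusagemethod": 4,
    "gatewaycredentialssource": 4, "autoreconnect_max_retries": 1,
    "multimon": 0, "smart_sizing": 1, "disableremoteappcapscheck": 1,
    "disableconnectionsharing": 1, "span": 0, "showrdpfile": 0,
    "keyboardhook": 1, "audiomode": 0, "securityrdp": 1,
    "validappsize": 0, "screen_mode_id": 1, "authentication_level": 2,
}


@dataclass
class Finding:
    severity: str   # "error": undocumented value; "warning": valid but weakens a check
    parameter: str
    message: str


def effective_value(settings, name):
    """Value that takes effect for `name`: the configured value when it is one
    of the documented values, otherwise the documented default. The fallback
    is an assumption; the handbook does not say how an invalid value is handled."""
    try:
        value = int(settings.get(name))
    except (TypeError, ValueError):
        return DEFAULTS[name]
    return value if value in ALLOWED[name] else DEFAULTS[name]


def audit(settings):
    """settings: {custom_parameter_name: configured value as a string}.
    Returns a list of Finding: value errors first, then weakening warnings."""
    findings = []
    for name, raw in settings.items():
        if name not in ALLOWED:
            findings.append(Finding("error", name, "not a documented custom parameter"))
            continue
        try:
            value = int(raw)
        except (TypeError, ValueError):
            findings.append(Finding("error", name, f"value {raw!r} is not an integer"))
            continue
        if value not in ALLOWED[name]:
            findings.append(Finding("error", name,
                                    f"value {value} is not one of the documented values"))

    level = effective_value(settings, "authentication_level")
    if level == 0:
        findings.append(Finding("warning", "authentication_level",
                                "server authentication failures are ignored: the client "
                                "connects without a warning"))
    elif level == 3:
        findings.append(Finding("warning", "authentication_level",
                                "server authentication is not required"))
    if effective_value(settings, "securityrdp") == 0:
        findings.append(Finding("warning", "securityrdp",
                                "users may reconnect by double-clicking the generated RDP "
                                "file; the handbook recommends 1 (portal access only)"))
    if "screen_mode_id" in settings and effective_value(settings, "multimon") == 1:
        findings.append(Finding("warning", "screen_mode_id",
                                "takes effect only while multimon is disabled"))
    return findings


# Constructed sample set: every finding below is triggered on purpose.
WEAK_SET = {"authentication_level": "0", "securityrdp": "0",
            "connection_type": "9", "screen_mode_id": "2", "multimon": "1"}

if __name__ == "__main__":
    for finding in audit(WEAK_SET):
        print(f"{finding.severity:8} {finding.parameter}: {finding.message}")
```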

no art client settings custom <set_name> <platform> <custom_parameter>


This global command is used to remove the custom client settings.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

custom_parameter This parameter specifies the name of the custom parameter to be removed.

art client settings powermanagement <set_name> <platform> {enabled|disabled}

This global command is used to enable or disable the power management function.

2000-2018 Array Networks, Inc.


454
All Rights Reserved.
Chapter 15 DesktopDirect

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

enabled|disabled This parameter specifies whether power management is enabled or
not.

art client settings sso <set_name> <platform> {enabled|disabled} [domain]


This global command is used to enable or disable the single-sign-on (SSO) function.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

enabled|disabled This parameter specifies whether single-sign-on is enabled or not.

domain Optional. This parameter specifies the name of the domain to be
used when SSO is enabled. Its value should be a string of 1 to 255
characters.

art client settings keepalive <set_name> <platform> [second]


This global command is used to set the interval at which the clients are allowed to send
Keep-Alive packets to AG.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

second Optional. This parameter specifies the interval in seconds. Its value
should be an integer ranging from 1 to 60, and defaults to 60.

art client settings customdestinations <set_name> <platform> {enabled|disabled}

This global command is used to enable or disable the ability for the users associated with the set to
access non-registered desktops.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

enabled|disabled This parameter specifies whether the users can access
non-registered desktops or not.

2000-2018 Array Networks, Inc.


455
All Rights Reserved.
Chapter 15 DesktopDirect

art client settings console <set_name> <platform> {enabled|disabled}


This global command is used to enable or disable console connections.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

enabled|disabled This parameter specifies whether the console connections are
enabled or not.

art client settings screensize <set_name> <platform> <width> <height>


This global command is used to set the resolution of the remote desktop. The configuration can
take effect only when the multi-monitor (configured by using the “multimon” custom parameter in
the “art client settings custom” command) is disabled.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

width This parameter specifies the width that appears on the client. Its
value should be an integer ranging from 0 to 4,294,967,295.

height This parameter specifies the height that appears on the client. Its
value should be an integer ranging from 0 to 4,294,967,295.

art client settings colordepth <set_name> <platform> {0|8|16|24}


This global command is used to set the color depth of the remote desktop.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

0|8|16|24 This parameter specifies the maximum number of colors supported
by a session. The higher the number, the more bandwidth is
consumed. The default value is 0.

art client settings hideconnbar <set_name> <platform> {enabled|disabled}


This global command is used to display or hide the desktop connection bar at the top of the window
when the user connects to a desktop.

set_name This parameter specifies the name of the set.

2000-2018 Array Networks, Inc.


456
All Rights Reserved.
Chapter 15 DesktopDirect

platform This parameter specifies the platform.

enabled|disabled This parameter specifies whether the desktop connection bar will be
displayed or not.

art client settings rdpagent <set_name> <platform> <url> [proxy]


This global command is used to set the RDP agent.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

url This parameter specifies the URL where the installation package
can be downloaded. Its value should be a string of 1 to 255
characters.

proxy Optional. This parameter specifies the proxy address and port (for
example, 192.168.1.1:8080). Its value should be a string of 1 to 255
characters.

no art client settings rdpagent <set_name> <platform>


This global command is used to remove RDP agent settings.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

art client settings citrix <set_name> <platform> <url> [proxy]


This global command is used to set the Citrix client.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

url This parameter specifies the URL where the installation package
can be downloaded. Its value should be a string of 1 to 255
characters.

proxy Optional. This parameter specifies the proxy address and port (for
example, 192.168.1.1:8080). Its value should be a string of 1 to 255
characters.

2000-2018 Array Networks, Inc.


457
All Rights Reserved.
Chapter 15 DesktopDirect

no art client settings citrix <set_name> <platform>


This global command is used to remove Citrix client settings.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

art client settings userexperience <set_name> <platform> <function> {enabled|disabled}

This global command is used to configure RDP user experience related parameters.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

function This parameter specifies the function to be configured. Its value
must be:
• bitmapcaching
• desktopwallpaper
• fullwindowdrag
• menuanimation
• themes

enabled|disabled This parameter specifies whether the function chosen is enabled or
not.

art client settings credential <set_name> <platform> {enabled|disabled}


This global command is used to allow or disallow the end users to store RDP login credentials on
the client PC. With this function enabled, a check box will be displayed on the client side so that
end users can decide whether to store their RDP login credentials by selecting this check box or
not. By default, this function is disabled.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform. Its value must be:
• windows: indicates that this function can be configured for the
Windows platform.
• all: indicates that this function can be configured for all the
platforms. Currently, the system only supports the Windows
platform.

enabled|disabled This parameter specifies whether to enable or disable the function.

Note: To support Network Level Authentication (NLA)
authentication, this parameter should be set to “Enabled”.
Otherwise, the remote PC will reject the RDP session from AG.

art client settings alerts <set_name> <platform> <idle> <lifetime>


This global command is used to set a timeout alert. The user will be warned when the idle time or
lifetime of a session is larger than the configured value.

set_name This parameter specifies the name of the set.

platform This parameter specifies the platform.

idle This parameter specifies the idle timeout value in seconds. Its value
must be an integer ranging from 0 to 4,294,967,295. If it is set to 0,
the idle timeout alert is disabled and will not affect a user’s session.

lifetime This parameter specifies the lifetime timeout value in seconds. Its
value must be an integer ranging from 0 to 4,294,967,295. If it is set
to 0, the lifetime timeout alert is disabled and will not affect a user’s
session.

art client settings associate instance <set_name> <instance_name>


This global command is used to associate the client settings with the specified instance.

set_name This parameter specifies the name of the set.

instance_name This parameter specifies the name of the instance. Its value should
be a string of 1 to 50 characters.

no art client settings associate instance <set_name> <instance_name>


This global command is used to disassociate the client settings with the specified instance.

set_name This parameter specifies the name of the set.

instance_name This parameter specifies the name of the instance.

art client settings associate group <set_name> <instance_name> <group_name>

2000-2018 Array Networks, Inc.


459
All Rights Reserved.
Chapter 15 DesktopDirect

This global command is used to associate the client settings with the specified group.

set_name This parameter specifies the name of the set.

instance_name This parameter specifies the instance to which the group belongs.

group_name This parameter specifies the name of the group. Its value should be
a string of 1 to 250 characters.

no art client settings associate group <set_name> <instance_name> <group_name>

This global command is used to disassociate the client settings with the specified group.

set_name This parameter specifies the name of the set.

instance_name This parameter specifies the instance to which the group belongs.

group_name This parameter specifies the name of the group.

art client settings associate user <set_name> <instance_name> <user_name>

This global command is used to associate the client settings with the specified user.

set_name This parameter specifies the name of the set.

instance_name This parameter specifies the instance to which the user belongs.

user_name This parameter specifies the name of the user. Its value should be a
string of 1 to 100 characters.

no art client settings associate user <set_name> <instance_name> <user_name>

This global command is used to disassociate the client settings with the specified user.

set_name This parameter specifies the name of the set.

instance_name This parameter specifies the instance to which the user belongs.

user_name This parameter specifies the name of the user.

2000-2018 Array Networks, Inc.


460
All Rights Reserved.
Chapter 15 DesktopDirect

Client Verification
art clientverification rule define <rule> [url]
This global command is used to configure a client verification rule.

rule This parameter specifies the name of the rule. Its value should be a
string of 1 to 255 characters.

url Optional. This parameter specifies the URL of the rule. Its value
should be a string of 1 to 255 characters.

no art clientverification rule define <rule>


This global command is used to delete a client verification rule.

rule This parameter specifies the name of the rule.

art clientverification rule associate instance <rule> <instance_name>


This global command is used to associate a client verification rule with an instance.

rule This parameter specifies the name of the rule.

instance_name This parameter specifies the name of the instance. Its value should
be a string of 1 to 255 characters.

no art clientverification rule associate instance <rule> <instance_name>


This global command is used to disassociate a client verification rule with an instance.

rule This parameter specifies the name of the rule.

instance_name This parameter specifies the name of the instance.

art clientverification rule associate group <rule> <instance_name> <group_name>

This global command is used to associate a client verification rule with a group.

rule This parameter specifies the name of the rule.

instance_name This parameter specifies the instance to which the group belongs.

group_name This parameter specifies the name of the group. Its value should be
a string of 1 to 255 characters.

2000-2018 Array Networks, Inc.


461
All Rights Reserved.
Chapter 15 DesktopDirect

no art clientverification rule associate group <rule> <instance_name> <group_name>

This global command is used to disassociate a client verification rule with a group.

rule This parameter specifies the name of the rule.

instance_name This parameter specifies the instance to which the group belongs.

group_name This parameter specifies the name of the group.

art clientverification rule associate user <rule> <instance_name> <user_name>

This global command is used to associate a client verification rule with a user.

rule This parameter specifies the name of the rule.

instance_name This parameter specifies the instance to which the user belongs.

user_name This parameter specifies the name of the user. Its value should be a
string of 1 to 255 characters.

no art clientverification rule associate user <rule> <instance_name> <user_name>

This global command is used to disassociate a client verification rule with a user.

rule This parameter specifies the name of the rule.

instance_name This parameter specifies the instance to which the user belongs.

user_name This parameter specifies the name of the user.

show art clientverification rule associate <rule>


This global command is used to display the client verification rule associations.

rule This parameter specifies the name of the rule to be displayed.

show art clientverification rule content <rule>


This global command is used to display the client verification rule configuration.

rule This parameter specifies the name of the rule to be displayed.

show art clientverification rule all

2000-2018 Array Networks, Inc.


462
All Rights Reserved.
Chapter 15 DesktopDirect

This global command is used to display the list of all the client verification rules.

clear art clientverification all


This global command is used to delete the entire client verification settings.

ART Import and Export

Import

Note: The files imported from the local file system or the remote TFTP server must be in
the UTF-8 encoding format. Otherwise, the import might fail.

art import users file <instance_name> {add|skip} {refresh|append} <file_name>

This global command is used to import the information of the users and their desktops from the
local file system to the database.

instance_name This parameter specifies the name of the ART instance.

add|skip This parameter specifies how to deal with users that do not yet exist
in the instance. Its value can only be:
• add: indicates that the nonexistent users will be added to the
instance.
• skip: indicates that the nonexistent users will be ignored.

refresh|append This parameter specifies how to deal with the desktops of an
existing user. Its value can only be:
• refresh: indicates that all the existing desktops for the user will
be deleted and the new desktops (from the file) will be added.
• append: indicates that the new desktops (from the file) will be
added to the user while the old desktops still exist.

file_name This parameter specifies the name of the file in the local file
system. Its value should be a string of 1 to 255 characters.

art import users tftp <instance_name> {add|skip} {refresh|append} <ip> <file_name>

This global command is used to import the information of the users and their desktops from the
remote TFTP server to the database.

2000-2018 Array Networks, Inc.


463
All Rights Reserved.
Chapter 15 DesktopDirect

instance_name This parameter specifies the name of the ART instance.

add|skip This parameter specifies how to deal with users that do not yet exist
in the instance. Its value can only be:
• add: indicates that the nonexistent users will be added to the
instance.
• skip: indicates that the nonexistent users will be ignored.

refresh|append This parameter specifies how to deal with the desktops of an
existing user. Its value can only be:
• refresh: indicates that all the existing desktops for the user will
be deleted and the new desktops (from the file) will be added.
• append: indicates that the new desktops (from the file) will be
added to the user while the old desktops still exist.

ip This parameter specifies the TFTP server IP. Its value should be
given in dotted decimal notation.

file_name This parameter specifies the name of the file on the remote TFTP
server. Its value should be a string of 1 to 255 characters.
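The add|skip and refresh|append rules of the two "art import users" commands above (file and TFTP) can be worked through on an in-memory copy of an instance, together with the UTF-8 requirement from the note and the export rule that users without desktops are not written out. The following Python script is an added example, not Array Networks code; the record layout of the import file (one "username<TAB>desktop" per line) is an assumption, since this page does not document the file format.

```python
"""Model the user/desktop merge semantics of "art import users" and the
export rule of "art export users". Added example, not Array Networks code;
the one-record-per-line file layout below is an assumption."""
import copy


def is_utf8(data: bytes) -> bool:
    """True if the file bytes decode as UTF-8, the encoding the handbook requires."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def parse_records(data: bytes) -> dict:
    """Decode the import file and return {username: [desktop, ...]} in file order.
    Assumed layout: 'username<TAB>desktop' per line; blank and '#' lines ignored."""
    if not is_utf8(data):
        raise ValueError("import file is not UTF-8 encoded; the import would fail")
    records = {}
    for lineno, line in enumerate(data.decode("utf-8").splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"line {lineno}: expected 'username<TAB>desktop'")
        user, desktop = parts
        desktops = records.setdefault(user, [])
        if desktop not in desktops:
            desktops.append(desktop)
    return records


def import_users(instance, records, missing_user, existing_desktops):
    """Merge `records` into a copy of `instance` ({username: [desktop, ...]}).
    missing_user:      'add'  -> users not yet in the instance are created,
                       'skip' -> they are ignored.
    existing_desktops: 'refresh' -> an existing user's desktops are deleted and
                                    replaced by those in the file,
                       'append'  -> the file's desktops are added, old ones kept.
    Returns (merged_instance, summary); the input instance is left untouched."""
    if missing_user not in ("add", "skip"):
        raise ValueError("missing_user must be 'add' or 'skip'")
    if existing_desktops not in ("refresh", "append"):
        raise ValueError("existing_desktops must be 'refresh' or 'append'")
    merged = copy.deepcopy(instance)
    summary = {"added": 0, "skipped": 0, "refreshed": 0, "appended": 0}
    for user, desktops in records.items():
        if user not in merged:
            if missing_user == "skip":
                summary["skipped"] += 1
            else:
                merged[user] = list(desktops)
                summary["added"] += 1
        elif existing_desktops == "refresh":
            merged[user] = list(desktops)
            summary["refreshed"] += 1
        else:
            for desktop in desktops:
                if desktop not in merged[user]:
                    merged[user].append(desktop)
            summary["appended"] += 1
    return merged, summary


def export_users(instance) -> bytes:
    """Serialise the instance as UTF-8 in the same assumed layout. As the
    handbook notes for 'art export users', users with no desktops assigned
    are not exported."""
    lines = [f"{user}\t{desktop}"
             for user, desktops in instance.items() for desktop in desktops]
    return ("\n".join(lines) + "\n").encode("utf-8")


# Constructed sample data: the current instance and an import file.
INSTANCE = {"alice": ["PC-ALICE-01", "PC-OLD-02"], "bob": ["PC-BOB-01"], "dave": []}
IMPORT_FILE = (
    "# username<TAB>desktop\n"
    "alice\tPC-ALICE-01\n"
    "alice\tPC-LAB-07\n"
    "bob\tPC-BOB-01\n"
    "carol\tPC-CAROL-01\n"
).encode("utf-8")

if __name__ == "__main__":
    records = parse_records(IMPORT_FILE)
    for mode in (("add", "refresh"), ("skip", "append")):
        merged, summary = import_users(INSTANCE, records, *mode)
        print(mode, summary, merged)
    print(export_users(INSTANCE).decode())
```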

art import config file <file_name>


This global command is used to import ART configurations from the local file system to the
database.

file_name This parameter specifies the name of the file in the local file
system.

art import config tftp <ip> <file_name>


This global command is used to import ART configurations from the remote TFTP server to the
database.

ip This parameter specifies the TFTP server IP.

file_name This parameter specifies the name of the file on the remote TFTP
server.

2000-2018 Array Networks, Inc.


464
All Rights Reserved.
Chapter 15 DesktopDirect

Export

Note: The files exported to the local file system or the remote TFTP server are in the
UTF-8 encoding format. To read or edit the exported file, make sure that your file viewer
or editor supports UTF-8 encoding.

art export users file <instance_name> <file_name>


This global command is used to export the information of the users and their desktops from the
database to the local file system.

instance_name This parameter specifies the name of the ART instance.

file_name This parameter specifies the name of the file in the local file
system. Its value should be a string of 1 to 255 characters.

Note: The information of users with no desktops assigned will not be exported from the
database to the local file system.

art export users tftp <instance_name> <ip> <file_name>


This global command is used to export the information of the users and their desktops from the
database to the remote TFTP server.

instance_name This parameter specifies the name of the ART instance.

ip This parameter specifies the TFTP server IP.

file_name This parameter specifies the name of the file on the remote TFTP
server. Its value should be a string of 1 to 255 characters.

Note: The information of users with no desktops assigned will not be exported from the
database to the remote TFTP server.

art export config file <file_name>


This global command is used to export ART configurations from the database to the local file
system.

file_name This parameter specifies the name of the file in the local file
system.

art export config tftp <ip> <file_name>

2000-2018 Array Networks, Inc.


465
All Rights Reserved.
Chapter 15 DesktopDirect

This global command is used to export ART configurations from the database to the remote TFTP
server.

ip This parameter specifies the TFTP server IP.

file_name This parameter specifies the name of the file on the remote TFTP
server.

clear art export file <file_name>


This global command is used to delete a file that was previously exported to the local file system.

file_name This parameter specifies the name of the file in the local file
system.

show art export files


This global command is used to display all the files that were previously exported to the local file
system.

clear art export files


This global command is used to delete all the files that were previously exported to the local file
system.

2000-2018 Array Networks, Inc.


466
All Rights Reserved.
Chapter 16 MotionPro

Chapter 16 MotionPro
This chapter describes all the CLI commands used to configure the MotionPro feature. All
MotionPro CLI commands are available under the virtual site scope.

Basic Commands
show motionpro config
This command is used to display all the MotionPro CLI configurations.

clear motionpro resource


This command is used to delete all the MotionPro resources.

AAA
The commands listed below are used for DeviceID Authentication. For other User Authentication
and Certificate Authentication methods, please refer to Chapter 4 AAA.

aaa server name <type> <server_name> [description]


This command is used to define an AAA server of the DeviceID type.

type This parameter specifies the type of the AAA server. Its value can
only be “deviceid”.

server_name This parameter specifies the name of the AAA server, which must
be unique among all servers in the same virtual site. Its value must
be a string of 1 to 32 characters.

description Optional. This parameter specifies the server description. Its value
must be a string of 1 to 127 characters. If it is not specified, the
default description will be the value of “server_name”.

aaa server deviceid rejectunregister <server_name>


This command is used to reject user login with devices that are not registered to the system for the
specified DeviceID server.

server_name This parameter specifies the name of an existing DeviceID
server. Its value should be a string of 1 to 32 characters.

no aaa server deviceid rejectunregister <server_name>


This command is used to permit user login with devices that are not registered to the system for
the specified DeviceID server.

2000-2018 Array Networks, Inc.


467
All Rights Reserved.
Chapter 16 MotionPro

show aaa server deviceid rejectunregister <server_name>


This command is used to display whether to reject or permit the user login with devices that are
not registered to the system for the specified DeviceID server.

aaa server deviceid autoregister <server_name>


This command is used to enable automatic registration for the unregistered devices during user
login for the specified DeviceID server.

server_name This parameter specifies the name of an existing DeviceID
server. Its value should be a string of 1 to 32 characters.

Note: The “aaa server deviceid autoregister” configuration will not take effect if the
“aaa server deviceid rejectunregister” command is configured for the same DeviceID
server.

no aaa server deviceid autoregister <server_name>


This command is used to disable automatic registration for the unregistered devices during user
login for the specified DeviceID server.

aaa server deviceid autoapprove <server_name>


This command is used to enable automatic approval for registered devices for the specified
DeviceID server; otherwise, device status will be “pending” even after devices have been
registered successfully, and administrators need to approve the devices manually.

server_name This parameter specifies the name of an existing DeviceID
server. Its value should be a string of 1 to 32 characters.

no aaa server deviceid autoapprove <server_name>


This command is used to disable automatic approval for registered devices for the specified
DeviceID server.

show aaa server deviceid autoapprove <server_name>


This command is used to display whether automatic approval is enabled or disabled for the
registered devices for the specified DeviceID server.

aaa server deviceid bindusername <server_name>


This command is used to enable the Bind Username function for the specified DeviceID server.
With this function enabled, the username and the device ID are registered in the system as a whole.
If a user accesses the portal with a device, other users who log in with this registered device need
to register the device again.

server_name This parameter specifies the name of an existing DeviceID
server. Its value should be a string of 1 to 32 characters.

Note: The following two commands work only when this function is enabled.

no aaa server deviceid bindusername <server_name>


This command is used to disable the Bind Username function for the specified DeviceID
server.

show aaa server deviceid bindusername <server_name>


This command is used to display the status of the Bind Username function for the specified
DeviceID server.

aaa server deviceid devicelimit <server_name> <user_limit>


This command is used to set the user upper limit per device for the specified DeviceID server.

server_name This parameter specifies the name of an existing DeviceID
server. Its value should be a string of 1 to 32 characters.

user_limit This parameter specifies the maximum number of users with which a
device can be associated. Its value can be an integer ranging
from 0 to 4,294,967,295. “0” means no upper limit on users.

no aaa server deviceid devicelimit <server_name>


This command is used to delete the setting of the user upper limit per device for the specified
DeviceID server.

show aaa server deviceid devicelimit <server_name>


This command is used to display the setting of the user upper limit per device for the specified
DeviceID server.

aaa server deviceid userlimit <server_name> <device_limit>


This command is used to set the device upper limit per user for the specified DeviceID server.

server_name This parameter specifies the name of an existing DeviceID
server. Its value should be a string of 1 to 32 characters.

device_limit This parameter specifies the maximum devices that a user can
have. Its value can be an integer ranging from 0 to
4,294,967,295. “0” means no upper limit on devices.

no aaa server deviceid userlimit <server_name>

2000-2018 Array Networks, Inc.


469
All Rights Reserved.
Chapter 16 MotionPro

This command is used to delete the setting of the device upper limit per user for the specified
DeviceID server.

show aaa server deviceid userlimit <server_name>


This command is used to display the setting of the device upper limit per user for the specified
DeviceID server.
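The rejectunregister, autoregister, autoapprove, bindusername, devicelimit and userlimit settings above jointly decide what happens when a user logs in from a given device. The following Python model is an added example, not Array Networks code; the registry layout, the outcome strings, the rule that without bindusername a device registered by any user counts as registered, and enforcing the two limits at registration time are assumptions made for illustration.

```python
"""Model the DeviceID login decisions of the "aaa server deviceid" commands.
Added example, not Array Networks code; see the assumptions in the comments."""
from dataclasses import dataclass, field


@dataclass
class DeviceIdServer:
    """Settings of one DeviceID AAA server."""
    reject_unregistered: bool = False   # aaa server deviceid rejectunregister
    auto_register: bool = False         # aaa server deviceid autoregister
    auto_approve: bool = False          # aaa server deviceid autoapprove
    bind_username: bool = False         # aaa server deviceid bindusername
    users_per_device: int = 0           # aaa server deviceid devicelimit (0 = no limit)
    devices_per_user: int = 0           # aaa server deviceid userlimit (0 = no limit)


@dataclass
class DeviceRegistry:
    """Registered (username, device_id) pairs and their status: 'approve',
    'pending' or 'deny' (the statuses used by 'localdb deviceid account')."""
    entries: dict = field(default_factory=dict)

    def register(self, user, device_id, status):
        self.entries[(user, device_id)] = status

    def status_for(self, user, device_id, bind_username):
        """With bindusername a registration belongs to one user only; without
        it, a device registered by any user counts as registered (assumption)."""
        if bind_username:
            return self.entries.get((user, device_id))
        for (_, d), status in self.entries.items():
            if d == device_id:
                return status
        return None

    def devices_of(self, user):
        return {d for (u, d) in self.entries if u == user}

    def users_of(self, device_id):
        return {u for (u, d) in self.entries if d == device_id}


def evaluate_login(server, registry, user, device_id):
    """Return the outcome of a login attempt by `user` from `device_id`."""
    status = registry.status_for(user, device_id, server.bind_username)
    if status is None:
        # rejectunregister takes precedence: autoregister then has no effect.
        if server.reject_unregistered:
            return "rejected: device not registered"
        if not server.auto_register:
            return "registration required"
        # The per-user and per-device limits apply only while username and
        # device are bound together (handbook note on bindusername); checking
        # them at registration time is an assumption.
        if server.bind_username:
            if server.devices_per_user and \
                    len(registry.devices_of(user)) >= server.devices_per_user:
                return "rejected: device limit per user reached"
            if server.users_per_device and \
                    len(registry.users_of(device_id)) >= server.users_per_device:
                return "rejected: user limit per device reached"
        # Without autoapprove the device stays "pending" until an administrator
        # approves it manually.
        status = "approve" if server.auto_approve else "pending"
        registry.register(user, device_id, status)
    if status == "approve":
        return "allowed"
    if status == "pending":
        return "pending approval"
    return "denied"


if __name__ == "__main__":
    # Constructed walk-through: bound usernames, one device per user allowed.
    server = DeviceIdServer(auto_register=True, bind_username=True, devices_per_user=1)
    registry = DeviceRegistry()
    print(evaluate_login(server, registry, "alice", "DEV-1"))   # pending approval
    registry.register("alice", "DEV-1", "approve")               # admin approves
    print(evaluate_login(server, registry, "alice", "DEV-1"))   # allowed
    print(evaluate_login(server, registry, "alice", "DEV-2"))   # limit reached
```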

localdb deviceid account <account_name> <device_id> <device_name> <status>

This command is used to configure a DeviceID rule for the specified LocalDB account.

account_name This parameter specifies the username of the LocalDB account.

device_id This parameter specifies the device ID. Its value should be a string
of 1 to 511 characters, which must be enclosed in double quotes.

device_name This parameter specifies the name to describe the device. Its value
should be a string of 1 to 256 characters.

status This parameter specifies the status of the device. The parameter
value can only be:

• approve: The LocalDB user can use the device to access
internal resources.
• pending: The LocalDB user can use the device to access
internal resources only after the administrator’s approval.
• deny: The LocalDB user cannot use the device to access
internal resources.

no localdb deviceid account <account_name> <device_id>


This command is used to delete a DeviceID rule configured for the specified LocalDB account.

account_name This parameter specifies the username of the LocalDB account. If
the parameter value is set to “*”, all DeviceID rules configured for
all LocalDB accounts will be deleted.

device_id This parameter specifies the device ID.

show localdb deviceid account [account_name] [device_id]


This command is used to display a DeviceID rule configured for the specified LocalDB account.

account_name Optional. This parameter specifies the username of the LocalDB
account.

device_id Optional. This parameter specifies the device ID.

If this parameter is specified when the parameter “account_name”
is not specified, all the DeviceID rules containing this device ID
will be displayed.

If this parameter is not specified when the parameter
“account_name” is specified, all the DeviceID rules configured for
the specified LocalDB account will be displayed.

If both this parameter and the parameter “account_name” are not
specified, the DeviceID rules configured for every LocalDB
account will be displayed.

aaa method register <method_name>
This command is used to set the AAA method used for device registration or MotionProOTP
application registration. For device registration, when a AAA method is configured on the
MotionPro pilot for the first time, a AAA method named “DD_Register” will be added to the
system.

method_name This parameter specifies the name of the AAA method.

no aaa method register <method_name>
This command is used to delete the AAA method used for device registration or MotionProOTP
application registration.

show aaa method register
This command is used to display the AAA method used for device registration or MotionProOTP
application registration.

Role
motionpro role define <role_name>
This command is used to add a new role.

role_name This parameter specifies the name of the role. Its value should be
a string of 1 to 255 characters.

no motionpro role define <role_name>
This command is used to delete an existing role.

2000-2018 Array Networks, Inc.


471
All Rights Reserved.
Chapter 16 MotionPro

role_name This parameter specifies the name of the role.

show motionpro role define [role_name]
This command is used to display the specified role.

role_name Optional. This parameter specifies the name of the role. If this
parameter is not specified, all the roles defined will be displayed.

motionpro role associate user <role_name> <user_name>
This command is used to associate a user with the specified role.

role_name This parameter specifies the name of the role.

user_name This parameter specifies the name of the user. Its value should be
a string of 1 to 255 characters.

no motionpro role associate user <role_name> <user_name>
This command is used to disassociate a user from the specified role.

role_name This parameter specifies the name of the role.

user_name This parameter specifies the name of the user.

show motionpro role associate user <role_name> [user_name]
This command is used to display the association between the role and the user.

role_name This parameter specifies the name of the role.

user_name Optional. This parameter specifies the name of the user. If this
parameter is not specified, all the user-association configurations
of the role will be displayed.

Client Rule
motionpro client rule define <rule_name> [url]
This command is used to add a new MotionPro client rule.

rule_name This parameter specifies the name of the rule. Its value should be
a string of 1 to 255 characters.

2000-2018 Array Networks, Inc.


472
All Rights Reserved.
Chapter 16 MotionPro

url Optional. This parameter specifies the URL of the rule file. Its
value should be a string of 1 to 511 characters.

no motionpro client rule define <rule_name>
This command is used to delete an existing MotionPro client rule.

rule_name This parameter specifies the name of the rule.

show motionpro client rule define [rule_name]
This command is used to display the specified MotionPro client rule.

rule_name Optional. This parameter specifies the name of the rule. If this
parameter is not specified, all the rules defined will be displayed.

motionpro client rule associate role <rule_name> <role_name>
This command is used to associate a MotionPro client rule with the specified role.

rule_name This parameter specifies the name of the rule.

role_name This parameter specifies the name of the role.

no motionpro client rule associate role <rule_name> <role_name>
This command is used to disassociate a MotionPro client rule from the specified role.

rule_name This parameter specifies the name of the rule.

role_name This parameter specifies the name of the role.

show motionpro client rule associate role [role_name]
This command is used to display the MotionPro client rules associated with the specified role.

role_name Optional. This parameter specifies the name of the role. If this
parameter is not specified, the rule-association configuration of
all the roles will be displayed.

motionpro client rule associate user <rule_name> <user_name>
This command is used to associate a MotionPro client rule with the specified user.

rule_name This parameter specifies the name of the rule.

2000-2018 Array Networks, Inc.


473
All Rights Reserved.
Chapter 16 MotionPro

user_name This parameter specifies the name of the user.

no motionpro client rule associate user <rule_name> <user_name>
This command is used to disassociate a MotionPro client rule from the specified user.

rule_name This parameter specifies the name of the rule.

user_name This parameter specifies the name of the user.

show motionpro client rule associate user [user_name]
This command is used to display the rules associated with the specified user.

user_name Optional. This parameter specifies the name of the user. If this
parameter is not specified, the rule-association configuration of
all the users will be displayed.

motionpro client rule associate vsite <rule_name>
This command is used to associate a MotionPro client rule with the virtual site.

rule_name This parameter specifies the name of the rule.

no motionpro client rule associate vsite <rule_name>
This command is used to disassociate a MotionPro client rule from the virtual site.

rule_name This parameter specifies the name of the rule.

show motionpro client rule associate vsite [rule_name]
This command is used to display the specified rule associated with the virtual site.

rule_name Optional. This parameter specifies the name of the rule. If this
parameter is not specified, all the rules associated with the
virtual site will be displayed.

show motionpro client rule allnames
This command is used to display the names of all the MotionPro client rules.

motionpro client senddeviceid {on|off}
This command is used to enable or disable the DeviceID transmission to the RADIUS server.
After this function is enabled, the MotionPro client will pass the DeviceID to the RADIUS server
upon login. By default, this function is disabled.

2000-2018 Array Networks, Inc.


474
All Rights Reserved.
Chapter 16 MotionPro

motionpro client {enable|disable} <device_type>
This command is used to enable or disable the access to the virtual site for the MotionPro client on
the specified type of device. By default, MotionPro clients on all types of devices are allowed to
access the virtual site.

device_type This parameter specifies the device type. Its value must be
“macos”, “iphone”, “ipad”, “windows”, “android”, “linux” or “all”.
“all” indicates all types of devices.

Web Resources

Web APP

motionpro webapp define <url> <description> [sso] [folder]
This command is used to add a new Web Application.

url This parameter specifies the URL of the Web Application. Its
value should be a string of 1 to 255 characters.

description This parameter specifies the description of the Web Application.
Its value should be a string of 1 to 255 characters.

sso Optional. This parameter specifies the SSO-related parameters.
Its value should be a string of 1 to 255 characters.

folder Optional. This parameter specifies the name of the folder in
which the Web Application will be displayed on the MotionPro
Client. Its value should be a string of 1 to 255 characters.

no motionpro webapp define <url>
This command is used to delete an existing Web Application.

url This parameter specifies the URL of the Web Application.

show motionpro webapp define [url]
This command is used to display the specified Web Application.

url Optional. This parameter specifies the URL of the Web
Application. If this parameter is not specified, all the Web
Applications defined will be displayed.

2000-2018 Array Networks, Inc.


475
All Rights Reserved.
Chapter 16 MotionPro

motionpro webapp associate role <url> <role_name>
This command is used to associate a Web Application with the specified role.

url This parameter specifies the URL of the Web Application.

role_name This parameter specifies the name of the role.

no motionpro webapp associate role <url> <role_name>
This command is used to disassociate a Web Application from the specified role.

url This parameter specifies the URL of the Web Application.

role_name This parameter specifies the name of the role.

show motionpro webapp associate role [role_name]
This command is used to display the Web Applications associated with the specified role.

role_name Optional. This parameter specifies the name of the role. If this
parameter is not specified, the association configurations
between all the roles and Web Applications will be displayed.

motionpro webapp associate user <url> <user_name>
This command is used to associate a Web Application with the specified user.

url This parameter specifies the URL of the Web Application.

user_name This parameter specifies the name of the user.

no motionpro webapp associate user <url> <user_name>
This command is used to disassociate a Web Application from the specified user.

url This parameter specifies the URL of the Web Application.

user_name This parameter specifies the name of the user.

show motionpro webapp associate user [user_name]
This command is used to display the Web Applications associated with the specified user.

user_name Optional. This parameter specifies the name of the user. If this
parameter is not specified, the association configurations
between all the users and Web Applications will be displayed.

2000-2018 Array Networks, Inc.


476
All Rights Reserved.
Chapter 16 MotionPro

Native Applications
motionpro nativeapp define <app_name> <description> <os_type> <app_type> [parameters] [app_id]
This command is used to add a new Native Application.

app_name This parameter specifies the name of the Native Application. Its
value should be a string of 1 to 255 characters.

description This parameter specifies the description of the Native
Application. Its value should be a string of 1 to 255 characters.

os_type This parameter specifies the Operating System type of the
Native Application. Its value can only be “iOS” or “Android”.

app_type This parameter specifies the type of the Native Application. Its
value can only be “built-in” or “third-party”.

• “built-in” refers to the applications integrating Application
Tunnel API. All the data transmitted through this type of
applications will be encrypted by the SSL L3VPN tunnel
established by directly using the built-in application.

• “third-party” refers to the applications not integrating
Application Tunnel API. In order to encrypt the data
transmitted through this type of applications, SSL
L3VPN/IPsec VPN tunnels need to be established using the
VPN on Demand (VoD) function for accessing enterprise
resources.

parameters Optional. This parameter is used to match the local applications.
Its value should be a string of 1 to 255 characters. For iOS, this
parameter must match the URL Scheme of the application, and if
not specified, the application will not be displayed on the
MotionPro Client.

app_id Optional. This parameter specifies the application ID. Its value
should be an integer ranging from 0 to 2,147,483,647, and
defaults to 0.

no motionpro nativeapp define <app_id>
This command is used to delete an existing Native Application.

2000-2018 Array Networks, Inc.


477
All Rights Reserved.
Chapter 16 MotionPro

app_id This parameter specifies the application ID.

show motionpro nativeapp define [app_id]
This command is used to display the specified Native Application.

app_id Optional. This parameter specifies the application ID. If this
parameter is not specified, all the Native Applications defined
will be displayed.

motionpro nativeapp associate role <app_id> <role_name>
This command is used to associate a Native Application with the specified role.

app_id This parameter specifies the application ID.

role_name This parameter specifies the name of the role.

no motionpro nativeapp associate role <app_id> <role_name>
This command is used to disassociate a Native Application from the specified role.

app_id This parameter specifies the application ID.

role_name This parameter specifies the name of the role.

show motionpro nativeapp associate role [role_name]
This command is used to display the Native Applications associated with the specified role.

role_name Optional. This parameter specifies the name of the role. If this
parameter is not specified, the association configurations
between all the roles and Native Applications will be displayed.

motionpro nativeapp associate user <app_id> <user_name>
This command is used to associate a Native Application with the specified user.

app_id This parameter specifies the application ID.

user_name This parameter specifies the name of the user.

no motionpro nativeapp associate user <app_id> <user_name>
This command is used to disassociate a Native Application from the specified user.

2000-2018 Array Networks, Inc.


478
All Rights Reserved.
Chapter 16 MotionPro

app_id This parameter specifies the application ID.

user_name This parameter specifies the name of the user.

show motionpro nativeapp associate user [user_name]
This command is used to display the Native Applications associated with the specified user.

user_name Optional. This parameter specifies the name of the user. If this
parameter is not specified, the association configurations
between all the users and Native Applications will be displayed.

MDM
motionpro mdm on
This command is used to enable the Mobile Device Management (MDM) function.

motionpro mdm off
This command is used to disable the MDM function.

motionpro mdm import apn <url>
This command is used to import an Apple Push Notification (APN) certificate.

url This parameter specifies the URL of the APN certificate. Its
value should be a string of 1 to 255 characters starting with
“http://”.

motionpro mdm apn interval <database_check_interval> <ssl_tunnel_reconnect_interval>
This command is used to set the interval at which MDM checks the database and the interval of SSL
reconnection.

database_check_interval This parameter specifies the interval for the MDM server to
check the database for notification to be sent to mobile devices
(Android) or APN (iOS) in seconds. Its value should be an
integer ranging from 1 to 3600, and defaults to 3.

ssl_tunnel_reconnect_interval This parameter specifies the interval of the SSL reconnection
between the MDM server and the APN server in minutes. Its
value should be an integer ranging from 1 to 10, and defaults to
5.

show motionpro mdm apn interval
This command is used to display the interval at which MDM checks the database and the interval of SSL
reconnection.

motionpro mdm device check <device_check_interval> <device_inactive_check_times>
This command is used to configure how MDM checks the mobile device status.

device_check_interval This parameter specifies the interval for the MDM server to
check the mobile device status in minutes. Its value should be an
integer ranging from 1 to 60, and defaults to 1.

device_inactive_check_times This parameter specifies the maximum number of consecutive
device checks before the mobile device status is set to inactive. Its
value should be an integer ranging from 2 to 10, and defaults to
3.

show motionpro mdm device check
This command is used to display the configuration of how MDM checks the mobile device status.

show motionpro mdm config
This command is used to display all the MDM configurations.

motionpro mdm externalsetting <push_ip> <push_port> <service_url>
This command is used to enable the external MDM function. With this function enabled, when
logging into the MotionPro virtual site using the MotionPro client, the end user will be prompted
to join MDM.

push_ip This parameter specifies the push IP address or the domain name of
the MDM server. Its value must be a string of 1 to 63 characters and
must be enclosed by double quotes if the parameter value is set to
an IP address.

push_port This parameter specifies the push port of the MDM server. Its value
must be an integer ranging from 1 to 65535.

service_url This parameter specifies the URL that provides the MDM service.

no motionpro mdm externalsetting
This command is used to disable the external MDM function.

show motionpro mdm externalsetting
This command is used to display the configuration of the external MDM function.

2000-2018 Array Networks, Inc.


480
All Rights Reserved.
Chapter 16 MotionPro

Backup and Restore

Note:

The files backed up to the remote TFTP server are in the UTF-8 encoding format. To read
or edit the backed up file, make sure that your file viewer or editor supports UTF-8
encoding.

The files restored from the remote TFTP server must be in the UTF-8 encoding format. To
read or edit the restored file, make sure that your file viewer or editor supports UTF-8
encoding.

motionpro backup tftp <tftp_ip> <file_name>
This command is used to back up the MotionPro configurations to the remote TFTP server.

tftp_ip This parameter specifies the IP address of the TFTP server. Its value
should be given in dotted decimal notation.

file_name This parameter specifies the name of the configuration file to be
saved on the remote TFTP server. Its value should be a string of 1 to
256 characters.

motionpro restore tftp <tftp_ip> <file_name>
This command is used to restore the MotionPro configurations from the remote TFTP server.

tftp_ip This parameter specifies the IP address of the TFTP server. Its value
should be given in dotted decimal notation.

file_name This parameter specifies the name of configuration file saved on the
remote TFTP server. Its value should be a string of 1 to 256
characters.

Import and Export

Note:

The files imported from the appliance’s disk or the remote TFTP server must be in the
UTF-8 encoding format. Otherwise, the importing might fail.

The files exported to the appliance’s disk or the remote TFTP server are in the UTF-8
encoding format. To read or edit the exported file, make sure that your file viewer or editor
supports UTF-8 encoding.

2000-2018 Array Networks, Inc.


481
All Rights Reserved.
Chapter 16 MotionPro

localdb deviceid import file <file_name>
This command is used to import the device IDs from a configuration file on the appliance’s disk to
the virtual site’s database.

file_name This parameter specifies the name of the configuration file on the
appliance’s disk. Its value should be a string of 1 to 256 characters.

localdb deviceid export file <file_name>
This command is used to export the device IDs from the virtual site’s database to a configuration
file on the appliance’s disk.

file_name This parameter specifies the name of the configuration file on the
appliance’s disk. Its value should be a string of 1 to 256 characters.

localdb deviceid import tftp <tftp_ip> <file_name>
This command is used to import the device IDs from a configuration file on the specified remote
TFTP server to the virtual site’s database.

tftp_ip This parameter specifies the IP address of the TFTP server. Its value
must be an IPv4 address.

file_name This parameter specifies the name of the configuration file on the
remote TFTP server. Its value should be a string of 1 to 256
characters.

localdb deviceid export tftp <tftp_ip> <file_name>
This command is used to export the device IDs from the virtual site’s database to a configuration
file on the specified remote TFTP server.

tftp_ip This parameter specifies the IP address of the TFTP server. Its value
must be an IPv4 address.

file_name This parameter specifies the name of the configuration file on the
remote TFTP server. Its value should be a string of 1 to 256
characters.

motionpro import file <file_name>
This command is used to import the MotionPro CLI configurations from a configuration file on
the appliance's disk to the virtual site's database.

file_name This parameter specifies the name of the configuration file on the
appliance's disk. Its value should be a string of 1 to 256 characters.

motionpro export file <file_name>
This command is used to export the MotionPro CLI configurations from the virtual site's database
to a configuration file on the appliance's disk.

file_name This parameter specifies the name of the configuration file on the
appliance's disk. Its value should be a string of 1 to 256 characters.

motionpro import tftp <tftp_ip> <file_name>
This command is used to import the MotionPro CLI configurations from a configuration file on
the specified remote TFTP server to the virtual site's database.

tftp_ip This parameter specifies the IP address of the TFTP server. Its value
must be an IPv4 address.

file_name This parameter specifies the name of the configuration file on the
remote TFTP server. Its value should be a string of 1 to 256
characters.

motionpro export tftp <tftp_ip> <file_name>
This command is used to export the MotionPro CLI configurations from the virtual site's database
to a configuration file on the specified remote TFTP server.

tftp_ip This parameter specifies the IP address of the TFTP server. Its value
must be an IPv4 address.

file_name This parameter specifies the name of the configuration file on the
remote TFTP server. Its value should be a string of 1 to 256
characters.

Portal Configuration
motionpro portal tabpage <tab_type> <display_mode>
This command is used to configure whether a specific tab page will be displayed on the
MotionPro portal. With this function, administrators can hide corresponding tab pages from end
users when the system does not have the specific feature licensed. By default, all the tab pages are
displayed.

tab_type This parameter specifies the type of the tab page. Its value can only
be “web”, “application” or “desktop”.

2000-2018 Array Networks, Inc.


483
All Rights Reserved.
Chapter 16 MotionPro

display_mode This parameter specifies the display mode of the tab. Its value can
only be “display” or “not_display”.

show motionpro portal tabpage
This command is used to display the MotionPro portal tab page setting.

clear motionpro portal tabpage
This command is used to clear the MotionPro portal tab page setting.

motionpro portal vpnpolicy <policy_name>
This command is used to configure the VPN policy for the MotionPro portal. When this command
is not configured, the default policy is used. That is, if DesktopDirect resources are configured, the
L4VPN tunnel will be established; otherwise, the SSL L3VPN tunnel will be established.

policy_name This parameter specifies the name of the VPN policy. Its value must
be:

• tcpproxy: indicates that the L4VPN tunnel will be established
for end users.

• l3vpn: indicates that the SSL L3VPN tunnel will be
established for end users.

• both: indicates that both the L4VPN tunnel and the SSL
L3VPN tunnel will be established for end users. This VPN
policy works only for MotionPro clients on PCs. Android and
iOS MotionPro clients will still use the default policy.

• disable: indicates that neither the L4VPN tunnel nor the SSL
L3VPN tunnel will be established for end users. This policy
works only for Android and iOS MotionPro clients. MotionPro
clients on PCs will still use the default VPN policy.

no motionpro portal vpnpolicy
This command is used to delete the VPN policy configured for the MotionPro portal.

show motionpro portal vpnpolicy
This command is used to display the VPN policy configured for the MotionPro portal.

Synchronization
motionpro sync sql <sql_string>
This command is used to synchronize the MotionPro database by executing the PostgreSQL
commands.

2000-2018 Array Networks, Inc.


484
All Rights Reserved.
Chapter 16 MotionPro

sql_string This parameter specifies the PostgreSQL commands. Its value
can be a string of 1 to 1024 characters.

Note:

• For now, only update/insert/delete operations are supported.

• Single quotes (') in PostgreSQL commands must be replaced by the ampersand (&).
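The following Python helper is an added example (not Array Networks code) that prepares a <sql_string> value under the two rules in the note above: it accepts only update/insert/delete statements, enforces the 1 to 1024 character limit, and writes every quote as '&'. Doubling an embedded quote before encoding it, and the table and column names used in the demo, are assumptions.

```python
import re

# Limits and conventions stated for the sql_string parameter of "motionpro sync sql".
MAX_SQL_LEN = 1024
_ALLOWED_STATEMENT = re.compile(r"^\s*(update|insert|delete)\b", re.IGNORECASE)


def sql_literal(value):
    """Render a parameter as a PostgreSQL literal in the form the sync CLI expects.

    Strings are quoted with '&' in place of the single quote. An embedded quote is
    doubled first (standard SQL escaping), so O'Brien becomes &O''Brien& (assumption:
    the appliance maps every '&' back to a quote before running the statement).
    A value that itself contains '&' has no safe encoding, because the appliance
    would turn it into a quote and the statement would change meaning, so it is
    refused instead of being passed through.
    """
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError("only str and int parameters are supported")
    if isinstance(value, int):
        return str(value)
    if "&" in value:
        raise ValueError("value contains '&', which the sync CLI reserves for quotes")
    return "&" + value.replace("'", "''") + "&"


def build_sql_string(template, params):
    """Fill {name} placeholders in template with sql_literal() values.

    Returns the text to pass as <sql_string>. Quotes may come only from the
    placeholders; a template carrying its own quotes or ampersands is rejected so
    that no unencoded quote reaches the appliance.
    """
    if not _ALLOWED_STATEMENT.match(template):
        raise ValueError("only update/insert/delete statements are supported")
    if "'" in template or "&" in template:
        raise ValueError("put string values in {placeholders}, not in the template")
    sql = template.format(**{name: sql_literal(v) for name, v in params.items()})
    if not 1 <= len(sql) <= MAX_SQL_LEN:
        raise ValueError("sql_string must be 1 to %d characters" % MAX_SQL_LEN)
    return sql


if __name__ == "__main__":
    # Constructed demo; the table and column names are hypothetical.
    stmt = build_sql_string(
        "update t set description = {d} where name = {n}",
        {"d": "O'Brien", "n": "alice"},
    )
    print("motionpro sync sql " + stmt)
```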

2000-2018 Array Networks, Inc.


485
All Rights Reserved.
Appendix I System CLI Boundaries

Appendix I System CLI Boundaries

Note: The maximum number of VPN Netpool Client IPs (per vsite) for vxAG (2G) is
2048.

Where a limit differs by platform, the values are listed in the order AG 1000/1000-T (2G) / AG 1100 (4G) / AG 1150 (4G) / AG 1200 (8G) / AG 1500 (16G) / AG 1600 (16G); a single value applies to all platforms.

Virtual Site Scope

Module | Limit Item | Related CLI | Limit
Virtual Site | Maximum number of virtual sites (affected by license) | virtual site name | 10 / 256 / 256 / 256 / 256 / 256
Virtual Site | Maximum number of virtual site IPs | virtual site ip | 1000 / 2000
Virtual Site | Maximum number of virtual site domain names | virtual site domain | 1000
Virtual Site | Maximum vip-port pairs (including QuickLink port mode and http redirect insecure) | virtual site ip; virtual site quicklink port; (vsite) http redirect insecure | 4000
Virtual Site | Maximum number of vip-port pairs (including QuickLink port mode) per vsite | virtual site ip; virtual site quicklink port; (vsite) http redirect insecure | 64
Virtual Site | Maximum number of ports per vip (including quicklink port mode and http redirect insecure) | virtual site ip; virtual site quicklink port; (vsite) http redirect insecure | 1000
Virtual Site | Maximum number of QuickLink hostname mode definitions | virtual site quicklink hostname | 1000
Role | Maximum number of roles | role name | 2000
Role | Maximum number of qualifications (per role) | role qualification | 32
Role | Maximum number of conditions (per qualification) | role condition | 32
Role | Maximum number of QuickLink resources (per vsite) | role resource quicklink | 1000, totally 100,000
Role | Maximum number of WRM resources (per vsite) | role resource web | 1000, totally 100,000
Role | Maximum number of Fileshare resources (per vsite) | role resource cifs | 1000, totally 100,000
ACL | Maximum number of ACL rules | acl rule | 10,000
ACL | Maximum number of ACL resource groups (per vsite) | acl resourcegroup | 1000; totally 10,000
ACL | Maximum number of ACL resources | acl resource | 1500 / 15,000 / 50,000 / 125,000 / 360,000 / 640,000
AAA | Maximum number of AAA servers (per vsite) | aaa server | 3 for each server type
AAA | Maximum number of AAA methods (per vsite) | aaa method | 5
AAA | Maximum number of AAA method ranks (per vsite) | aaa method rank include | 4
AAA | Maximum number of AAA multi-factor authentication servers (per vsite) | aaa method server | 3
Session | Maximum number of concurrent sessions (affected by license) | virtual site | 300 / 3000 / 10,000 / 25,000 / 72,000 / 128,000
Session | Maximum number of session groups | session group | 128
SSL VPN Client | Maximum number of VPN Netpools (per vsite) | vpn netpool | 1024 / 2048 / 2048 / 4096 / 8192 / 8192
SSL VPN Client | Maximum number of VPN resource groups (per vsite) | vpn resource group | 1024 / 2048 / 2048 / 4096 / 8192 / 8192
SSL VPN Client | Maximum number of VPN Netpool IP ranges (per Netpool) | vpn netpool iprange | 1024 / 2048 / 2048 / 4096 / 8192 / 8192
SSL VPN Client | Maximum number of VPN Netpool Client IPs (per vsite) | | 2048 / 131072 / 131072 / 262144 / 524288 / 524288
SSL VPN Client | Maximum number of VPN Netpool DNS hostmaps (per Netpool) | vpn netpool dns hostmap | 1024 / 2048 / 2048 / 4096 / 8192 / 8192
SSL VPN Client | Maximum number of VPN application resources (per vsite) | vpn resource groupitem application | 1024 / 2048 / 2048 / 4096 / 8192 / 8192
SSL VPN Client | Maximum number of VPN network resources (per vsite) | vpn resource groupitem network | 1024 / 2048 / 2048 / 4096 / 8192 / 8192
SSL VPN Client | Maximum number of VPN network resources (per chassis) | vpn resource groupitem network | maximum virtual site number * (1024 / 2048 / 2048 / 4096 / 8192 / 8192)
Portal | Maximum number of portal themes | portal theme | 1000
WRM | Maximum number of custom rewrite rules | rewrite custom rule | 500
Proxy | Maximum number of SSO POST configurations (per vsite) | sso post | 64
Proxy | Maximum number of URL policies (per vsite) | urlpolicy | 3000
Proxy | Maximum number of URL deny rules (per vsite) | filter url keyword deny | 50
SSL | Maximum depth of a certificate chain | | 9
SSL | Maximum number of CDPs (CRL distribution point) | ssl settings crl offline | 10
SSL | Maximum number of certificates imported on Array | ssl import interca; ssl import rootca | no limit
LocalDB | Maximum number of LocalDB accounts | localdb account | 10,000 / 200,000 / 200,000 / 200,000 / 500,000 / 500,000
LocalDB | Maximum number of LocalDB groups | localdb group | 1000 / 10,000 / 10,000 / 10,000 / 50,000 / 50,000
LocalDB | Maximum number of LocalDB groups that one account belongs to | localdb member | 20
LocalDB | Maximum number of LocalDB backups | localdb backup | 20
DNS | Maximum number of static DNS hosts | dns host | 1000
DNS | Maximum number of DNS name servers | | 3
DNS | Maximum number of DNS search domains | | 6
System | Maximum number of custom configuration files | write file | no limit

Global Scope

Module | Limit Item | Related CLI | Limit
NAT | Maximum number of NAT static definitions | | 512
NAT | Maximum number of NAT port definitions | | 512
Bond | Maximum number of Bonds | | 3
Bond | Maximum number of physical interfaces per Bond | | 12
VLAN | Maximum number of VLANs | | 250
VLAN | Maximum number of VLAN tags per interface | | 250
VLAN | VLAN tag range | | 1-4094
Route | Maximum number of default routes | | 1
Syslog | Maximum number of syslog lines | | 1024
Syslog | Maximum size of syslog | | 1024*1024
Cluster | Maximum number of VCIDs | | 255
Cluster | Maximum number of VIPs per interface of each VCID | | 255
Cluster | Maximum number of synconfig peers | | 64
DNS | Maximum number of static DNS hosts (counted together with vsite) | ip dns host | 1000
DNS | Maximum number of DNS name servers | | 3
DNS | Maximum number of DNS search domains | | 6
SSL | Maximum number of SSL connections | | 1200 / 12,000 / 20,000 / 50,000 / 144,000 / 256,000
Administrator | Maximum number of administrator accounts | admin user | 100 / 100 / 100 / 100 / 100 / 100

2000-2018 Array Networks, Inc.


491
All Rights Reserved.
Appendix II SNMP OID List

Appendix II SNMP OID List


SNMP OID List
.1.3.6.1.4.1.7564 This file defines the private CA SNMP MIB extensions.
.1.3.6.1.4.1.7564.4.1 Current total available memory in the system.
.1.3.6.1.4.1.7564.17.1 Number of HA groups.
.1.3.6.1.4.1.7564.17.15 A table of HA units.
.1.3.6.1.4.1.7564.17.15.1 An haUnitTable entry containing HA unit information.
.1.3.6.1.4.1.7564.17.15.1.1 Reference index for each HA unit.
.1.3.6.1.4.1.7564.17.15.1.2 Name of the HA unit.
.1.3.6.1.4.1.7564.17.15.1.3 The IP address type of haUnitIpAddress.
.1.3.6.1.4.1.7564.17.15.1.4 The IP address of HA unit.
The port used for the primary link to communicate with other
.1.3.6.1.4.1.7564.17.15.1.5
HA units.
.1.3.6.1.4.1.7564.17.15.1.6 Number of HA secondary links.
.1.3.6.1.4.1.7564.17.25 A table of HA groups.
.1.3.6.1.4.1.7564.17.25.1 An haGroupTable entry containing HA group information.
.1.3.6.1.4.1.7564.17.25.1.1 The HA group table index.
.1.3.6.1.4.1.7564.17.25.1.2 The HA group ID.
.1.3.6.1.4.1.7564.17.25.1.3 The priority of the HA group on the local HA unit.
Enabling status of Preemption, which is used to control whether
.1.3.6.1.4.1.7564.17.25.1.4
a higher-priority HA unit preempts a lower-priority HA unit.
The HA group status - disabled (0), incomplete (1), init (2),
.1.3.6.1.4.1.7564.17.25.1.5
standby (3) or active (4).
.1.3.6.1.4.1.7564.17.25.1.6 Enabling status of the HA group.
.1.3.6.1.4.1.7564.17.26 A table of HA floating IP address.
An haGroupFipTable entry containing HA floating IP address
.1.3.6.1.4.1.7564.17.26.1
information.
.1.3.6.1.4.1.7564.17.26.1.1 The index of the HA floating IP address table.
.1.3.6.1.4.1.7564.17.26.1.2 The HA group that contains this HA floating IP address.
.1.3.6.1.4.1.7564.17.26.1.3 The type of the HA floating IP address.
.1.3.6.1.4.1.7564.17.26.1.4 The floating IP addresses contained in the HA group.
.1.3.6.1.4.1.7564.18.1.1 Current maximum possible number of entries in the vrrpTable, which is 255 * (number of interfaces for which a cluster is defined). 255 is the max number of VIPs in a cluster.
.1.3.6.1.4.1.7564.18.1.2 Current number of entries in the vrrpTable.
.1.3.6.1.4.1.7564.18.1.3 A table containing cluster configurations.
.1.3.6.1.4.1.7564.18.1.3.1 An entry in the vrrpTable. Each entry represents a cluster VIP, not the cluster itself. If a cluster has n VIPs, then there will be n entries for the cluster in the vrrpTable (0 <= n <= 255). All the entries in the vrrpTable belonging to a single cluster will have the same values for all the fields except clusterVirIndex and clusterVirAddr.
2000-2018 Array Networks, Inc.


492
All Rights Reserved.
Appendix II SNMP OID List

SNMP OID List


.1.3.6.1.4.1.7564.18.1.3.1.1 The cluster virtual table index.
.1.3.6.1.4.1.7564.18.1.3.1.2 The cluster identifier.
.1.3.6.1.4.1.7564.18.1.3.1.3 The current state of the cluster.
.1.3.6.1.4.1.7564.18.1.3.1.4 The interface name on which the cluster is defined.
.1.3.6.1.4.1.7564.18.1.3.1.5 A virtual IP address (VIP) in the cluster.
.1.3.6.1.4.1.7564.18.1.3.1.6 Type of authentication being used. none(0) - no authentication; simple-text-password(1) - use password specified in cluster virtual for authentication.
.1.3.6.1.4.1.7564.18.1.3.1.7 The password for authentication.
.1.3.6.1.4.1.7564.18.1.3.1.8 This is for controlling whether a higher priority Backup VRRP virtual preempts a low priority Master.
.1.3.6.1.4.1.7564.18.1.3.1.9 VRRP advertisement interval.
.1.3.6.1.4.1.7564.18.1.3.1.10 Priority of the local node in the cluster.
.1.3.6.1.4.1.7564.20.1.2 Number of vhosts currently configured.
.1.3.6.1.4.1.7564.20.2.1 Total number of open SSL connections (all vhosts).
.1.3.6.1.4.1.7564.20.2.2 Total number of accepted SSL connections (all vhosts).
.1.3.6.1.4.1.7564.20.2.3 Total number of requested SSL connections (all vhosts).
.1.3.6.1.4.1.7564.20.2.4 SSL vhost statistics table.
.1.3.6.1.4.1.7564.20.2.4.1 SSL table entry for one vhost.
.1.3.6.1.4.1.7564.20.2.4.1.1 The SSL table index.
.1.3.6.1.4.1.7564.20.2.4.1.2 Name of the SSL vhost.
.1.3.6.1.4.1.7564.20.2.4.1.3 Open SSL connections for vhostName.
.1.3.6.1.4.1.7564.20.2.4.1.4 Number of accepted SSL connections for vhostName.
.1.3.6.1.4.1.7564.20.2.4.1.5 Number of requested SSL connections for vhostName.
.1.3.6.1.4.1.7564.20.2.4.1.6 Number of resumed SSL sessions for vhostName.
.1.3.6.1.4.1.7564.20.2.4.1.7 Number of resumable SSL sessions for vhostName.
.1.3.6.1.4.1.7564.20.2.4.1.8 Number of session misses for vhostName.
.1.3.6.1.4.1.7564.21.1 Number of sessions by the security proxy.
.1.3.6.1.4.1.7564.21.2 Number of successful logins by the security proxy.
.1.3.6.1.4.1.7564.21.3 Number of successful logouts by the security proxy.
.1.3.6.1.4.1.7564.21.4 Number of failed logins by the security proxy.
.1.3.6.1.4.1.7564.21.5 Number of total bytes in.
.1.3.6.1.4.1.7564.21.6 Number of total bytes out.
.1.3.6.1.4.1.7564.21.7 Maximum number of active sessions by the security proxy.
.1.3.6.1.4.1.7564.21.8 Number of login errors by the security proxy.
.1.3.6.1.4.1.7564.21.9 Number of login failures due to user lockout by the security proxy.
.1.3.6.1.4.1.7564.21.10 Number of total backend server bytes in.
.1.3.6.1.4.1.7564.21.11 Number of total backend server bytes out.
.1.3.6.1.4.1.7564.22.1 Status of VIP statistics gathering - on or off.
.1.3.6.1.4.1.7564.22.2 The hostname that the VIP is representing (hostname of the appliance).
2000-2018 Array Networks, Inc.


493
All Rights Reserved.
Appendix II SNMP OID List

SNMP OID List


.1.3.6.1.4.1.7564.22.3 The current time in the format of MM/DD/YY HH:MM.
.1.3.6.1.4.1.7564.22.4 Total number of IP packets received on all VIPs.
.1.3.6.1.4.1.7564.22.5 Total number of IP packets sent out on all VIPs.
.1.3.6.1.4.1.7564.22.6 Total number of IP bytes received on all VIPs.
.1.3.6.1.4.1.7564.22.7 Total number of IP bytes sent out on all VIPs.
.1.3.6.1.4.1.7564.22.8 A table of VIP statistics.
.1.3.6.1.4.1.7564.22.8.1 An entry in the ipStatsTable which is created for each VIP.
.1.3.6.1.4.1.7564.22.8.1.1 The VIP statistics table index.
.1.3.6.1.4.1.7564.22.8.1.2 The VIP address.
.1.3.6.1.4.1.7564.22.8.1.3 Total number of IP packets received on the VIP.
.1.3.6.1.4.1.7564.22.8.1.4 Total number of IP bytes received on the VIP.
.1.3.6.1.4.1.7564.22.8.1.5 Total number of IP packets sent out on the VIP.
.1.3.6.1.4.1.7564.22.8.1.6 Total number of IP bytes sent out on the VIP.
.1.3.6.1.4.1.7564.22.8.1.7 The time statistics gathering was enabled for the VIP.
.1.3.6.1.4.1.7564.23.1 The number of network interfaces presented on this system.
.1.3.6.1.4.1.7564.23.2 The total accumulated number of octets received on all the active interfaces (loopback is not included).
.1.3.6.1.4.1.7564.23.3 The total accumulated number of octets transmitted out on all the active interfaces (loopback is not included).
.1.3.6.1.4.1.7564.23.4 A table of interface statistics. The number of entries is given by the value of infNumber.
.1.3.6.1.4.1.7564.23.4.1 An infTable entry for one interface.
.1.3.6.1.4.1.7564.23.4.1.1 A unique value for each interface. Its value ranges between 1 and the value of infNumber. The value for each interface must remain constant at least from one re-initialization of the entity's network management system to the next re-initialization.
.1.3.6.1.4.1.7564.23.4.1.2 Name of the interface.
.1.3.6.1.4.1.7564.23.4.1.3 The current operational state of the interface (up or down).
.1.3.6.1.4.1.7564.23.4.1.4 The interface's IP address.
.1.3.6.1.4.1.7564.23.4.1.5 The total number of octets received on the interface, including framing characters.
.1.3.6.1.4.1.7564.23.4.1.6 The number of packets, delivered by this sub-layer to a higher (sub-) layer, which were not addressed to a multicast or broadcast address at this sub-layer.
.1.3.6.1.4.1.7564.23.4.1.7 The number of packets, delivered by this sub-layer to a higher (sub-) layer, which were addressed to a multicast or broadcast address at this sub-layer. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime. This object is deprecated in favor of ifInMulticastPkts and ifInBroadcastPkts.
2000-2018 Array Networks, Inc.


494
All Rights Reserved.
Appendix II SNMP OID List

SNMP OID List


.1.3.6.1.4.1.7564.23.4.1.8 The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent them from being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.
.1.3.6.1.4.1.7564.23.4.1.9 For packet-oriented interfaces, the number of inbound packets that contain errors preventing them from being deliverable to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contain errors preventing them from being deliverable to a higher-layer protocol. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.
.1.3.6.1.4.1.7564.23.4.1.10 For packet-oriented interfaces, the number of packets received via the interface which were discarded because of an unknown or unsupported protocol. For character-oriented or fixed-length interfaces that support protocol multiplexing, the number of transmission units received via the interface which were discarded because of an unknown or unsupported protocol. For any interface that does not support protocol multiplexing, this counter will always be 0. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.
.1.3.6.1.4.1.7564.23.4.1.11 The total number of octets transmitted out of the interface, including framing characters. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.
.1.3.6.1.4.1.7564.23.4.1.12 The total number of packets that higher-level protocols request to be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.
.1.3.6.1.4.1.7564.23.4.1.13 The total number of packets that higher-level protocols request to be transmitted, and which were addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime. This object is deprecated in favor of ifOutMulticastPkts and ifOutBroadcastPkts.
.1.3.6.1.4.1.7564.23.4.1.14 For packet-oriented interfaces, the number of outbound packets that could not be transmitted because of errors. For character-oriented or fixed-length interfaces, the number of outbound transmission units that could not be transmitted because of errors. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of ifCounterDiscontinuityTime.
.1.3.6.1.4.1.7564.24.1.1 The number of Syslog notifications that have been sent. This number can include notifications that were prevented from being transmitted due to reasons such as resource limitations and/or non-connectivity. If one is receiving notifications, one can periodically poll this object to determine if any notifications were missed. If so, a poll of the logHistoryTable might be appropriate.
.1.3.6.1.4.1.7564.24.1.2 Indicates whether logMessageGenerated notifications will or will not be sent when a Syslog message is generated by the device. Disabling notifications does not prevent Syslog messages from being added to the logHistoryTable.
.1.3.6.1.4.1.7564.24.1.3 Indicates which Syslog severity levels will be processed. Any Syslog message with a severity value greater than this value will be ignored by the agent. Note: the severity numeric values increase as their severity decreases, e.g. error(4) is more severe than debug(8).
.1.3.6.1.4.1.7564.24.2.1 The upper limit on the number of entries that the logHistoryTable can contain. A value of 0 will prevent any history from being retained. When this table is full, the oldest entry will be deleted and a new one will be created.
.1.3.6.1.4.1.7564.24.2.2 A table of Syslog messages generated by this device. All 'interesting' Syslog messages (i.e. severity <= logMaxSeverity) are entered into this table.
.1.3.6.1.4.1.7564.24.2.2.1 A Syslog message that was previously generated by this device. Each entry is indexed by a message index.
.1.3.6.1.4.1.7564.24.2.2.1.1 A monotonically increasing integer for the sole purpose of indexing messages. When it reaches the maximum value the agent flushes the table and wraps the value back to 1.
.1.3.6.1.4.1.7564.24.2.2.1.2 The severity of the message.
.1.3.6.1.4.1.7564.24.2.2.1.3 The text of the message. If the text of the message exceeds 255 bytes, the message will be truncated to 254 bytes and a '*' character will be appended, indicating that the message has been truncated.
.1.3.6.1.4.1.7564.24.3.1 When a syslogTrap message is generated by the device a syslogTrap notification is sent. The sending of these notifications can be enabled/disabled via the logNotificationsEnabled object.
.1.3.6.1.4.1.7564.25.1 The number of times ClickTCP connections have made a direct transition to the SYN-SENT state from the CLOSED state.
.1.3.6.1.4.1.7564.25.2 The number of times ClickTCP connections have made a direct transition to the SYN-RCVD state from the LISTEN state.
.1.3.6.1.4.1.7564.25.3 The number of times ClickTCP connections have made a direct transition to the CLOSED state from either the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state.
.1.3.6.1.4.1.7564.25.4 The number of times ClickTCP connections have made a direct transition to the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state.
.1.3.6.1.4.1.7564.25.5 The number of ClickTCP connections for which the current state is either ESTABLISHED or CLOSE-WAIT.
.1.3.6.1.4.1.7564.25.6 The total number of ClickTCP segments received, including those received in error. This count includes segments received on currently established connections.
.1.3.6.1.4.1.7564.25.7 The total number of ClickTCP segments sent, including those on current connections but excluding those containing only retransmitted octets.
.1.3.6.1.4.1.7564.25.8 The total number of segments retransmitted - that is, the number of ClickTCP segments transmitted containing one or more previously transmitted octets.
.1.3.6.1.4.1.7564.25.9 The total number of segments received in error (for example, bad ClickTCP checksums).
.1.3.6.1.4.1.7564.25.10 The number of ClickTCP segments sent containing the RST flag.
.1.3.6.1.4.1.7564.25.11 A table containing ClickTCP connection-specific information.
.1.3.6.1.4.1.7564.25.11.1 A conceptual row of the ctcpConnTable containing information about a particular current TCP connection. Each row of this table is transient, in that it ceases to exist when (or soon after) the connection makes the transition to the CLOSED state.
.1.3.6.1.4.1.7564.25.11.1.1 A unique value for each ClickTCP connection.
.1.3.6.1.4.1.7564.25.11.1.2 The state of this TCP connection. The only value which can be set by a management station is deleteTCB(12). Accordingly, it is appropriate for an agent to return a 'badValue' response if a management station attempts to set this object to any other value. If a management station sets this object to the value deleteTCB(12), then this has the effect of deleting the TCB (as defined in RFC 793) of the corresponding connection on the managed node, resulting in immediate termination of the connection. As an implementation-specific option, an RST segment can be sent from the managed node to the other TCP endpoint (note however that RST segments are not sent reliably).
.1.3.6.1.4.1.7564.25.11.1.3 The local IP address for this TCP connection. In the case of a connection in the listen state which is willing to accept connections for any IP interface associated with the node, the value 0.0.0.0 is used.
.1.3.6.1.4.1.7564.25.11.1.4 The local port number for this TCP connection.
.1.3.6.1.4.1.7564.25.11.1.5 The remote IP address for this TCP connection.
.1.3.6.1.4.1.7564.25.11.1.6 The remote port number for this TCP connection.
.1.3.6.1.4.1.7564.28.1 Total number of bytes received.
.1.3.6.1.4.1.7564.28.2 Total number of bytes sent.
.1.3.6.1.4.1.7564.28.3 Number of bytes received per second.
.1.3.6.1.4.1.7564.28.4 Number of bytes sent per second.
.1.3.6.1.4.1.7564.28.5 Peak received bytes per second.
.1.3.6.1.4.1.7564.28.6 Peak sent bytes per second.
.1.3.6.1.4.1.7564.28.7 Number of currently active transactions.
.1.3.6.1.4.1.7564.30.1 Current percentage of CPU utilization.
.1.3.6.1.4.1.7564.30.2 Number of connections per second.
.1.3.6.1.4.1.7564.30.3 Number of requests per second.
.1.3.6.1.4.1.7564.31.1.1 The number of <Virtual Site ID, login, logout> combo pairs that are involved in the virtual site.
.1.3.6.1.4.1.7564.31.1.2 A table containing virtual site statistics.
.1.3.6.1.4.1.7564.31.1.2.1 The entry in virtualSiteStatsTable.
.1.3.6.1.4.1.7564.31.1.2.1.1 Reference index for virtual site (Virtual Site ID, login, logout) combo.
.1.3.6.1.4.1.7564.31.1.2.1.2 Virtual site name ID.
.1.3.6.1.4.1.7564.31.1.2.1.3 Virtual site active sessions.
.1.3.6.1.4.1.7564.31.1.2.1.4 Virtual site successful logins.
.1.3.6.1.4.1.7564.31.1.2.1.5 Virtual site failed logins.
.1.3.6.1.4.1.7564.31.1.2.1.6 Virtual site error logins.
.1.3.6.1.4.1.7564.31.1.2.1.7 Virtual site successful logouts.
.1.3.6.1.4.1.7564.31.1.2.1.8 Number of bytes in per virtual site.
.1.3.6.1.4.1.7564.31.1.2.1.9 Number of bytes out per virtual site.
2000-2018 Array Networks, Inc.


498
All Rights Reserved.
Appendix II SNMP OID List

SNMP OID List


.1.3.6.1.4.1.7564.31.1.2.1.10 Virtual site maximum active sessions.
.1.3.6.1.4.1.7564.31.1.2.1.15 Virtual site user locked out upon login.
.1.3.6.1.4.1.7564.31.1.2.1.16 Virtual site user rejected upon login.
.1.3.6.1.4.1.7564.31.1.2.1.17 Virtual site IP list.
.1.3.6.1.4.1.7564.31.1.2.1.18 Virtual site domain list.
.1.3.6.1.4.1.7564.31.1.2.1.19 Number of backend server bytes in per virtual site.
.1.3.6.1.4.1.7564.31.1.2.1.20 Number of backend server bytes out per virtual site.
.1.3.6.1.4.1.7564.32.1.1 The number of <Virtual Site ID, login, logout> combo pairs that are involved in the virtual site.
.1.3.6.1.4.1.7564.32.1.2 A table containing virtual site statistics.
.1.3.6.1.4.1.7564.32.1.2.1 The entry in vpnStatsTable.
.1.3.6.1.4.1.7564.32.1.2.1.1 Reference index for VPN (Virtual Site ID, login, logout) combo.
.1.3.6.1.4.1.7564.32.1.2.1.2 Virtual site ID.
.1.3.6.1.4.1.7564.32.1.2.1.3 VPN tunnels open.
.1.3.6.1.4.1.7564.32.1.2.1.4 VPN tunnels established.
.1.3.6.1.4.1.7564.32.1.2.1.5 VPN tunnels rejected.
.1.3.6.1.4.1.7564.32.1.2.1.6 VPN tunnels terminated.
.1.3.6.1.4.1.7564.32.1.2.1.7 Number of bytes coming in.
.1.3.6.1.4.1.7564.32.1.2.1.8 Number of bytes going out.
.1.3.6.1.4.1.7564.32.1.2.1.9 Number of unauthorized packets in.
.1.3.6.1.4.1.7564.32.1.2.1.10 Number of bytes of application inbound traffic.
.1.3.6.1.4.1.7564.32.1.2.1.11 Number of bytes of application outbound traffic.
.1.3.6.1.4.1.7564.33.1.1 The number of <Virtual Site ID, AuthorizedReq, webUnauthorizedReq> combo pairs that are involved in the virtual site.
.1.3.6.1.4.1.7564.33.1.2 A table containing virtual site statistics.
.1.3.6.1.4.1.7564.33.1.2.1 The entry in webStatsTable.
.1.3.6.1.4.1.7564.33.1.2.1.1 Reference index for Web (Virtual Site ID, AuthorizedReq, webUnauthorizedReq) combo.
.1.3.6.1.4.1.7564.33.1.2.1.2 Virtual site name ID.
.1.3.6.1.4.1.7564.33.1.2.1.3 Web authorized requests.
.1.3.6.1.4.1.7564.33.1.2.1.4 Web unauthorized requests.
.1.3.6.1.4.1.7564.33.1.2.1.5 Number of bytes in by web.
.1.3.6.1.4.1.7564.33.1.2.1.6 Number of bytes out by web.
.1.3.6.1.4.1.7564.33.1.2.1.7 Number of backend server bytes in by web.
.1.3.6.1.4.1.7564.33.1.2.1.8 Number of backend server bytes out by web.
.1.3.6.1.4.1.7564.36.1.1 The number of <Group ID, session count, max session count> combo pairs that are involved in the virtualSiteGroup.
.1.3.6.1.4.1.7564.36.1.2 A table containing virtual site group statistics.
.1.3.6.1.4.1.7564.36.1.2.1 The entry in virtualSiteStatsTable.
.1.3.6.1.4.1.7564.36.1.2.1.1 Reference index for virtual site group (Group ID, session count, max session count) combo.
2000-2018 Array Networks, Inc.


499
All Rights Reserved.
Appendix II SNMP OID List

SNMP OID List


.1.3.6.1.4.1.7564.36.1.2.1.2 Virtual site group ID.
virtualSiteGroupActiveSessions Virtual site group active sessions.
.1.3.6.1.4.1.7564.36.1.2.1.4 Virtual site group maximum active sessions.
.1.3.6.1.4.1.7564.251.1 This trap is sent when the agent starts.
.1.3.6.1.4.1.7564.251.2 This trap is sent when the agent terminates.
.1.3.6.1.4.1.7564.251.3 This trap is automatically sent to remind you of the license remaining days.
Float A single precision floating-point number. The semantics and encoding are identical for type 'single' defined in IEEE Standard for Binary Floating-Point, ANSI/IEEE Std 754-1985. The value is restricted to the BER serialization of the following ASN.1 type: FLOATTYPE ::= [120] IMPLICIT FloatType (note: the value 120 is the sum of '30'h and '48'h). The BER serialization of the length for values of this type must use the definite length, short encoding form. For example, the BER serialization of value 123 of type FLOATTYPE is '9f780442f60000'h. (The tag is '9f78'h; the length is '04'h; and the value is '42f60000'h.) The BER serialization of value '9f780442f60000'h of data type Opaque is '44079f780442f60000'h. (The tag is '44'h; the length is '07'h; and the value is '9f780442f60000'h.)
SyslogSeverity The severity of a Syslog message. The enumeration values are equal to the values that Syslog uses + 1. For example, with Syslog, emergency=0.
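The Float definition above gives one worked encoding: value 123 becomes '9f780442f60000'h as FLOATTYPE and '44079f780442f60000'h once wrapped in Opaque. The Python below is an added example, not code from the handbook or from Array's MIB or agent; it reproduces those bytes with the standard library and parses them back the way a poller receiving the Opaque value would, rejecting any buffer that deviates from the fixed layout. The function names are the example's own.

```python
import struct

# Tag for FLOATTYPE ::= [120] IMPLICIT FloatType: context-specific class,
# primitive, high-tag-number form (0x9f) followed by tag number 120 = 0x30 + 0x48.
FLOATTYPE_TAG = bytes.fromhex("9f78")
# SNMPv2 Opaque: APPLICATION 4, primitive, encodes as 0x44.
OPAQUE_TAG = 0x44
FLOAT_LEN = 4          # binary32 payload; the MIB requires short-form definite length
OPAQUE_FLOAT_LEN = 9   # 44 07 | 9f 78 | 04 | 4-byte value


def encode_floattype(value: float) -> bytes:
    """BER-encode an IEEE 754 single as FLOATTYPE (tag 9f78, length 04, 4-byte value)."""
    payload = struct.pack(">f", value)  # big-endian binary32; 123.0 -> 42f60000
    return FLOATTYPE_TAG + bytes([FLOAT_LEN]) + payload


def encode_opaque_float(value: float) -> bytes:
    """Wrap the FLOATTYPE TLV in an Opaque TLV (tag 44, length 07), as the agent sends it."""
    inner = encode_floattype(value)
    return bytes([OPAQUE_TAG, len(inner)]) + inner


def tlv_parts(tlv: bytes) -> dict:
    """Split a short-form TLV into tag/length/value hex strings, mirroring the
    handbook's breakdown ('9f78' / '04' / '42f60000'). Handles one- and two-byte tags."""
    tag_len = 2 if tlv[0] & 0x1F == 0x1F else 1  # low five bits all set = high-tag-number form
    return {
        "tag": tlv[:tag_len].hex(),
        "length": tlv[tag_len:tag_len + 1].hex(),
        "value": tlv[tag_len + 1:].hex(),
    }


def decode_opaque_float(tlv: bytes) -> float:
    """Parse an Opaque-wrapped FLOATTYPE back to a float.

    A manager should validate what the agent returned instead of indexing into it
    blindly: wrong tags, long-form or mismatched lengths, truncation and trailing
    bytes all raise ValueError rather than yielding a guessed number.
    """
    if len(tlv) != OPAQUE_FLOAT_LEN:
        raise ValueError("Opaque float must be exactly 9 bytes")
    if tlv[0] != OPAQUE_TAG:
        raise ValueError("outer tag is not Opaque (0x44)")
    if tlv[1] >= 0x80 or tlv[1] != len(tlv) - 2:
        raise ValueError("Opaque length must be short-form and match the buffer")
    inner = tlv[2:]
    if inner[:2] != FLOATTYPE_TAG:
        raise ValueError("inner tag is not FLOATTYPE [120]")
    if inner[2] != FLOAT_LEN:
        raise ValueError("FLOATTYPE length must be 04")
    return struct.unpack(">f", inner[3:])[0]


def is_valid_opaque_float(tlv: bytes) -> bool:
    """True when decode_opaque_float accepts the buffer."""
    try:
        decode_opaque_float(tlv)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tlv = encode_opaque_float(123.0)
    print(tlv.hex())                 # 44079f780442f60000
    print(tlv_parts(tlv))            # {'tag': '44', 'length': '07', 'value': '9f780442f60000'}
    print(tlv_parts(tlv[2:]))        # {'tag': '9f78', 'length': '04', 'value': '42f60000'}
    print(decode_opaque_float(tlv))  # 123.0
```

The decoder is deliberately strict because the MIB pins the layout: a short-form length and a four-byte value are the only legal shape, so anything else is either a different type or a malformed response and should be treated as such rather than coerced.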

2000-2018 Array Networks, Inc.


500
All Rights Reserved.

You might also like