Our organization has been using an Array *** appliance to provide SSL *** service to the group's subsidiary users. All subsidiary user accounts are created in the appliance's localDB. Until now, each time I created an account I logged in to the appliance's web UI to do it, and the web UI's response time is really nothing to write home about.

Most of the Array configuration guides found online use the web UI. Last week I took some time to compare the web UI against the CLI item by item and wrote up explanations of the common commands, which I hope will be useful to others.

I captured the configuration with show tech in the appliance's global mode, removed the useless parts of the text, and explain the configuration below:
 
 
array Beijing ***#show tech
<<<< Version >>>>
 
ArrayOS Rel.SP.8.4.6.2 Build 13 - built on Fri Dec 30 01:31:48 2011   #OS version of the appliance
 
Host name : array Beijing ***      #host name
  System Module : PDSMi+LN4                 
System RAM : 2026 MB                                           #memory
  System boot time : Tue Apr 24 10:37:50 GMT (+0000) 2012  #system boot time
Current time : Mon Aug 06 11:02:00 GMT (+0000) 2012
System up time : 104 days, 24 mins,     #time since the system came up
Platform Bld Date : Fri Dec 30 01:31:46 CST 2011
           SSL HW : HW (4D) Initialized
   Compression HW : No HW Available
Network Interface : 4 x Gigabit Ethernet copper   #interfaces
            Model : Array SPX4800,   RAM Limit: 2048 MB    #appliance model
    Serial Number : 0841C043890010000301103002   #product serial number
 Maximum Sessions : 500         #maximum number of sessions allowed
 Maximum VPortals : 2             #maximum number of virtual sites
 Max S2S Tunnels : 1               #maximum number of site-to-site *** tunnels
Licensed Features : WebWall Clustering SLB SSL L3***
                    HostCheck CacheCleaner URLAliasing ServiceMgmt WebApps
                    ClientApp Site2Site        #licensed features
      License Key : QBQuiTXK- -- -44#7a9ab-cc#0fedc-ba98765
     License Date : Permanent
 
Array Networks Customer Support    #customer support contact details
Telephone         : 877-992-7729 (877-99-ARRAY)
Email             : support@arraynetworks.net
Update            : Please contact support for instructions
Website           : www.arraynetworks.net
 
Other Root Version
Rel.SP.8.4.3.0 Build 11 - built on Thu Oct 29 02:26:50 2009
 
 
<<<< Running Configuration >>>>
 
 
#HSM autologin configuration
         
#hostname configuration  #general host settings
hostname "array Beijing ***"  #host name "array Beijing ***"
configure timeout 180               #configuration session timeout, 180 s
 
#system timezone configuration   #system timezone
system timezone "GMT"
 
#system mail configuration
system mail from "%h<alert@log.domain>"
system mail hostname "%l.alert_pseudo_domain"
 
#rts configuration
ip rts off
ip rts expire 60
 
#IP statistics configuration     #IP settings
ip statistics off
 
#ip mtu                      #MTU of each interface; "outside" etc. are interface names
ip mtu "outside" 1500
ip mtu "inside" 1500
ip mtu "dmz" 1500
ip mtu "eng" 1500
 
#ip configuration                    #interface IP addresses
ip address "outside" 121.2.8.7 255.255.255.192
ip address "inside" 10.10.31.13 255.255.255.0
 
#interface configuration           #interface duplex and speed settings
interface "outside" auto
interface "inside" auto
interface "dmz" auto
interface "eng" auto
 
#admin access configuration   #administrator access control; can be restricted by IP
 
#ssh configuration                  #SSH management settings; SSH is enabled
ssh on
ssh idletimeout 9999999
 
#support configuration
support 0.0.0.0 0.0.0.0
 
#route configuration    #routing, which needs no explanation; static routes are configured below
ip route default 121.2.8.71
ip route static 10.10.3.128      255.255.255.128 10.10.31.1     
ip route static 10.10.5.0        255.255.255.0    10.10.31.1     
ip route static 10.10.5.106      255.255.255.255 10.10.31.1      
ip route static 10.119.40.0      255.255.255.0    10.10.31.1     
ip route static 192.168.11.0     255.255.255.0    10.10.31.1     
 
#vlan route configuration
 
#ip link interval configuration
ip link off
ip link interval 10
 
#link load balancing configuration  #link load balancing is supported, but I have never used this feature
 
#link load balancing permit, backup ,and link configuration
 
#link load balancing DNS configuration
 
#access list and webwall configuration   #webwall settings; all off on my side
webwall outside off
webwall inside off
webwall dmz off
webwall eng off
webwall bond bond1 off
webwall bond bond2 off
webwall bond bond3 off
 
#session synchronization configuration  #session synchronization; used when two appliances run as an HA pair
cluster virtual ssf off
 
#virtual cluster configuration         #active/standby cluster settings
#cluster configuration for interface outside                    
cluster virtual ifname "outside" 99               #assign cluster group ID 99 to the outside interface
cluster virtual vip "outside" 99 121.4.8.8    #virtual IP address of this cluster group
cluster virtual auth "outside" 99 0               #cluster group authentication: 0 = none, 1 = authenticate
cluster virtual interval "outside" 99 1           #hello interval between the appliances
cluster virtual preempt "outside" 99 1         #preemption: 0 = off, 1 = on
cluster virtual priority "outside" 99 200 Primary   #priority 200 for this cluster group
cluster virtual on 99 "outside"          #enable cluster ID 99 on the outside interface
#cluster configuration for interface inside   #same as above, for the inside interface
cluster virtual ifname "inside" 95
cluster virtual vip "inside" 95 10.10.31.11
cluster virtual auth "inside" 95 0
cluster virtual interval "inside" 95 1
cluster virtual preempt "inside" 95 1
cluster virtual priority "inside" 95 200 Primary
cluster virtual on 95 "inside"
 
#enable password            #as on Cisco, a privileged (enable) password must be configured
passwd enable "XXXXXXXXXsaFLGt/QKS6yw"
 
#xmlrpc configuration
xmlrpc off
xmlrpc port 9999
xmlrpc authentication off
 
#snmp configuration                              #SNMP settings
snmp community "public"                      #SNMP community name
snmp contact ""
snmp location ""
snmp host 10.10.3.147 "public"    #SNMP server and the community sent to it
no snmp trap castop                     #trap types; some of them are enabled
no snmp trap coldstart
no snmp trap warmstart
snmp trap linkdown
snmp trap linkup
snmp trap syslog
no snmp trap cpuoverheat
snmp trap fanfail
snmp trap sslfail
snmp trap compressionfail
snmp trap powerfail
no snmp trap redundancy
snmp on                                            #enable SNMP
 
#log configuration                              #logging settings
log facility "local0"
log level "emerg"
log http squid
log host 127.0.0.1 514 udp 514 "emerg alert crit err warning notice info debug"
log on
log site2site trafficlog off
log *** trafficlog on
log *** trafficlog timeout 300
log atf trafficlog off
log atf trafficlog timeout 300
log filter off
 
#ntp configuration              #time synchronization; NTP is not enabled on my side
ntp off
 
#tune configuration
system tune hwcksum on
system tune tcpidle 750
system tune keepidle 7200
system tune tcp windowsize 17520
system tune tcp retransmit timeout 1000
system tune tcp retransmit dupacks 3
system tune tcp slowstart on
system tune tcp retransmit policy adaptive 2
system tune tcp zwdefend off
system tune tcp syntimeout 60
system tune defraglimit 0
system tune memthreshold 86426 86426 6000 4096
system tune sso 10 300 50
 
#port forwarding configuration
fwd mode transparent
 
#virtual service configuration    #virtual site (service) settings, very important: the number of *** sites is licensed, each site provides one *** service, and sites are independent of each other
virtual site host "array***" "beijing***.array.com" 121.4.8.6 443 "exclusive"   #site array***, domain beijing***.array.com, IP address 121.4.8.6
virtual site host "ehome" "ehome.array.com" 121.4.8.107 443 "exclusive"  #site ehome as ehome.array.com, with its IP
virtual site session reuse off "array***"
virtual site session reuse off "ehome"
 
#webui configuration                      #web management settings
webui port 8888                            #web management port set to 8888
webui on                                       #allow web management
 
#global dns configuration               #global DNS settings
ip dns local 124.42.8.87
ip dns nameserver 10.10.30.2
ip dns nameserver 10.10.11.36
ip dns cache on
ip dns cache expire 60 3600
ip dns request timeout 1 0
ip dns staticttl 43200
ip wins cache on
ip wins cache expire 4
ip wins request timeout 1 0
ip dns host "jijio.array.com" 10.10.50.62
 
#global dhcp configuration                       #global DHCP settings
ip dhcp local lease default 86400
ip dhcp local lease maximum 604800
ip dhcp local off
 
#virtual site session group configuration     #virtual site session group settings
 
#http compression configuration
http compression off
 
#http configuration
http xforwardedfor off
http xforwardedfor on "array***" HEADER "X-Forwarded-For"
http xforwardedfor on "ehome" HEADER "X-Forwarded-For"
http server persist on
http server connreuse on
http buffer nomsglen on
http mask server off
http mask via off
http useconnclose off
http shuntreset off
 
#ssl backend configuration
 
#ssl configuration  #each site provides one *** access service, e.g. site array*** corresponds to beijing***.array.com
ssl host virtual "beijing***.array.com" "array***"
ssl host virtual "ehome.array.com" "ehome"
 
 
#ssl global settings
ssl globals verifycert off
ssl globals ignoreclosenotify on
 
 
         
#portal configuration            
 
#portal theme configuration
 
#localdb virtual database configuration   #local database settings; each site maps to one database, and the following databases exist
localdb database "amboedb"     
localdb database "ehomedb"
localdb database "localdb"
localdb database "newdbtest"
localdb database "tokendb"
 
 
localdb associate "ehome" "ehomedb"    #bind a database to a site
localdb associate "array***" "amboedb"
 
#user configuration        #user here means administrator; more administrators can be added and granted privileges
admin user "array"       "XXXXXXXXXqzYCM/mvr6mw" config global
 
#admin role configuration     #administrator role settings
 
#strong administrator authenticate configuration   #administrator authentication settings; AAA can be used
admin aaa off
admin aaa method radius 1
admin aaa ldap idletimeout 600
aaa hardwareid off
aaa two level auth off
aaa two level auth share username off
 
#global TCS configuration      #thin client settings; Array has built-in thin client support
tcs module "pubapp" "pubapp standard module"
tcs main "pubapp" "PubApps.cab" 800 600 activex "8689EE7F-9A80-4021-A630-57F6E49AB7B0" "8,4,6,43"
tcs module "citrix" "citrix standard module"
tcs main "citrix" "citrix.jar" 800 600 jar "Citrix.MainUI" "8,4,6,43"
 
#save monitor daemon configuration
debug monitor on
debug monitor interval 60
 
#---- Configuration matches for virtual site: array***   #sites are independent, so each site needs its own configuration below
 
#virtual dns configuration          #DNS settings
dns useglobal on                      #use the global DNS settings
dns cache on
dns cache expire 60 3600
dns staticttl 43200
wins cache on
wins cache expire 4
dns host "jiao.array.com" 10.10.10.10
 
#Portal interface configuration     #Array's *** supports a portal; part of the single sign-on functionality can be implemented with Array
portal title "array ***"
portal message welcome "&#20320;&#24050;&#32463;&#30331;&#24405;array ***. &#21247;&#20851;&#38381;&#27492;&#31383;&#21475;&#65292;&#24182;&#35831;&#26032;&#24320;&#31383;&#21475;&#35775;&#38382;&#20844;&#21496;&#36164;&#28304;(&#20363;&#22914;&#65306;18.array.com)&#12290;&#22914;&#26377;&#20219;&#20309;&#38382;&#39064;&#35831;&#33268;&#30005;IT&#37096;:+86 10 62068555"
portal message login "Welcome to array ***.(&#27426;&#36814;&#20351;&#29992;&#23433;&#21338;***&#31995;&#32479;)"
portal logo "file:///tmp/array***+1263390047.8012/2009330114logo.gif"
portal theme create "1"
no portal urlbar
no portal navtool
portal newwindows
portal changepassword
portal language "chinese-GB2312"
portal link "http://18.array.com/" "array 18&#27004;" 1
portal link "https://webmail.array.com/" "array Web &#37038;&#20214;&#31995;&#32479;" 2
portal link "https://bpm.array.com/" "&#38598;&#22242;&#19994;&#21153;&#27969;&#31243;&#31649;&#29702;&#31995;&#32479;&#65288;BPM&#65289;" 3
portal credentials autocomplete
portal webssh off
 
#single sign-on configuration    #single sign-on; I don't know much about it, only that using this Array feature requires the web application developers to provide some of the page parameters, such as the POST fields
sso on
sso post "jijiao201.array.com" "/jsp/front_hy/login.jsp" "username" "password" "jijiao201.array.com" "/user/userManagerAction!login.action" "service=http%3A%2Fjijiao201.array.com%2Fuser%2FuserManagerAction%21passprot_login.action&fromsite=JJZ&accountName=arrayHY&type=1&viewcode=3059&isCheckviewCode=1" "disable"
sso post "jijiao201.array.com" "loginAdmin.jsp" "username " "password" "jijiao201.array.com" "/user/userManagerAction!loginAdmin.action" "service=http%3A%2Fjijiao201.array.com%2Fuser%2FuserManagerAction%21passprot_login.action&fromsite=JJZ&accountName=arrayHY&type=1" "disable"
 
#Web Resource Mapping configuration
rewrite on
rewrite relative
rewrite etags
rewrite matchparam substring
rewrite custom on
rewrite custom rules 1 pre "http://www.google-analytics.com/ga.js" "s/return/return /g" ""
dualmode off
rewrite applet off
rewrite applet cache off
 
#Backend server configuration
 
#HTTP settings
http redirect insecure
http xclientcert rdnsep "," "post"
 
#Session settings
session timeout lifetime 86400
session timeout idle 3600
 
#ssl configuration
ssl settings ciphersuite "AES256-SHA:AES128-SHA:RC4-MD5:RC4-SHA:DES-CBC3-SHA:!SSLv2:"
ssl settings protocol "SSLv3:TLSv1"
ssl settings reuse
no ssl settings clientauth
ssl settings acceptchain
ssl start
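Because the show tech output is plain text, the settings above that deserve a second look (RC4/MD5/3DES in the cipher suite, SSLv3 enabled, the default SNMP community, the effectively unlimited SSH idle timeout, unauthenticated cluster hellos) can be checked mechanically. The following audit script is an added example, not part of the original post or of Array's software; the sample config is constructed from the lines shown above, and the 3600 s SSH idle threshold is an assumed policy value.

```python
import re

# Constructed sample modelled on the show tech lines above, not the appliance's real config
SAMPLE_CONFIG = """\
ssh on
ssh idletimeout 9999999
cluster virtual auth "outside" 99 0
xmlrpc off
xmlrpc authentication off
snmp community "public"
ssl settings ciphersuite "AES256-SHA:AES128-SHA:RC4-MD5:RC4-SHA:DES-CBC3-SHA:!SSLv2:"
ssl settings protocol "SSLv3:TLSv1"
"""

WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")  # obsolete algorithm name fragments
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")
MAX_SSH_IDLE_SECONDS = 3600  # assumed policy threshold, not an Array default

def quoted(line):
    """Return the double-quoted arguments of a CLI line, in order."""
    return re.findall(r'"([^"]*)"', line)

def audit(config_text):
    """Return (line, reason) findings for risky settings in a running config."""
    findings = []
    xmlrpc_on = xmlrpc_auth_off = False
    for raw in config_text.splitlines():
        line = raw.strip()
        parts = line.split()
        if not parts:
            continue
        if parts[:2] == ["ssh", "idletimeout"] and int(parts[2]) > MAX_SSH_IDLE_SECONDS:
            findings.append((line, "SSH idle timeout effectively disabled"))
        elif parts[:3] == ["cluster", "virtual", "auth"] and parts[-1] == "0":
            findings.append((line, "cluster hello messages are unauthenticated"))
        elif parts[:2] == ["xmlrpc", "on"]:
            xmlrpc_on = True
        elif parts[:2] == ["xmlrpc", "authentication"] and parts[2] == "off":
            xmlrpc_auth_off = True
        elif parts[:2] == ["snmp", "community"] and quoted(line)[0].lower() in ("public", "private"):
            findings.append((line, "default SNMP community string"))
        elif parts[:3] == ["ssl", "settings", "ciphersuite"]:
            # suites are colon-separated; '!' entries are exclusions, not offered suites
            offered = [s for s in quoted(line)[0].split(":") if s and not s.startswith("!")]
            weak = [s for s in offered if any(m in s.upper() for m in WEAK_CIPHER_MARKERS)]
            if weak:
                findings.append((line, "weak cipher suites offered: " + ",".join(weak)))
        elif parts[:3] == ["ssl", "settings", "protocol"]:
            legacy = [p for p in quoted(line)[0].split(":") if p in LEGACY_PROTOCOLS]
            if legacy:
                findings.append((line, "legacy protocol enabled: " + ",".join(legacy)))
    # XML-RPC without authentication only matters when the service is actually on
    if xmlrpc_on and xmlrpc_auth_off:
        findings.append(("xmlrpc authentication off", "XML-RPC reachable without authentication"))
    return findings

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_CONFIG):
        print(f"{reason}: {line}")
```

Feed it the full show tech text to get the same findings for the live appliance; the xmlrpc check shows why state across lines matters, since `xmlrpc authentication off` is harmless while `xmlrpc off` holds.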
 
 
 
#Legacy Application configuration
clientapp winredir off
clientapp client java
clientapp winredir sdseparation off
clientapp winredir clientdns on
clientapp winredir nonuserprocess on
clientapp off
 
#Thin Client Support configuration         #thin client again
tcs off
 
#SSL *** virtual configuration              #SSL *** service settings, very important
*** on
*** client active                                      #*** clients must load the client plugin
*** autolaunch
*** preinstall off
*** clientupgrade on
*** clientisolate off
*** forward off
no *** proxyoptimize
*** speedtunnel encryption off
*** netpool name "arraypool" "split"       #the internal resources reachable through the ***, defined as a pool
*** netpool iprange dynamic "arraypool" 10.10.31.50 10.10.31.250    #address range from which *** clients obtain their IP
*** netpool zone "arraypool" 10.10.30.0 255.255.255.0     #subnets actually reachable through the arraypool resource pool
*** netpool zone "arraypool" 10.10.20.0 255.255.255.0
*** netpool zone "arraypool" 10.119.40.0 255.255.255.0
*** netpool broadcast "arraypool" off            #whether multicast or broadcast is allowed
*** netpool multicast "arraypool" off
*** netpool launchcmd "arraypool" "http://18.array.com"
*** netpool default "arraypool"
*** netpool keepalive "arraypool"
 
#Application Filtering configuration
 
#Client Security configuration
client security off
client security default "none"
 
#aaa configuration             #authentication, authorization and accounting for user access
aaa on
aaa radius accounting off
aaa method ad 1 ldap        #first: AD domain authentication via LDAP
aaa method localdb 2        #second: localdb
aaa method radius 3          #if neither of the first two methods succeeds, RADIUS is used
aaa radius host 16.21.74.93 1812 "XXXXXZGtleXNlcnZlcg==" 10 10 #RADIUS authentication server
aaa ldap idletimeout 600
aaa ldap authorize host 10.10.30.2 389 "cn=administrator,cn=users,dc=array,dc=com" "XXXXXQTc5YiNKeSFAaW4z" "dc=array,dc=com" 10   #AD server used for authentication, with its parameters
aaa ad host 10.10.30.2 389 "@array.com" 5
aaa ldap authorize search filter "sAMAccountName=<USER>"
aaa ldap group "memberOf"     #the "memberOf" attribute is used when mapping AD groups to Array groups
aaa hardwareid off
aaa two level auth off               #AAA two-factor authentication is off
aaa two level auth share username off
aaa ldap methodgroup Default  #the default group is Default; an account that belongs to no group gets Default's permissions
aaa map group "***-DC" "***-DC" ""   #as said above, memberOf is used for mapping: domain group ***-DC is mapped to local group ***-DC
aaa map group "***-IT" "10-02IT" ""            #same as above
 
#user lockout settings
         
#fileshare configuration
fileshare cifs off
fileshare nfs off
 
#URL policy configuration    #the *** page offers web-access shortcut links; below is the URL policy. The default is internal, i.e. every link goes through the HTTPS proxy; external means the link bypasses the *** HTTPS proxy.
urlpolicy default internal
urlpolicy external 102 "zhijiao.array.com"
urlpolicy external 110 "bpm.array.com"
 
#URL property configuration
 
#Filter settings
filter off
filter controlcodes
filter mode active
filter default permit
filter length url 1024
filter length queryvariable 128
filter length querydata 512
filter length query 1024
filter length request 10000
filter length header 1024
 
#MailProxy service settings
 
#Site2Site configuration      #site-to-site *** settings
site2site on
site2site id "bjidc"              #a name for this site
site2site proxy off
site2site resource host "10.10.50.166" 10.10.50.166 "10.10.50.166"   #network resources this site can offer the peer; each needs a name, a description and the network or host
site2site resource host "EHR" 10.10.45.101 "EHR"
site2site resource host "10.10.20.143" 10.10.20.143 "10.10.20.143"

site2site peer "kunshan" 6.17.54.27 443 alwayson   #establish the site2site relationship with the Kunshan peer; the peer IP address is required

site2site authenticate credentials "kunshan" "test" "XXXXXXXXXb9ab035c5b9c4be7" #username and key used to authenticate the site2site ***
site2site resource export "20" "kunshan" transparent transparent   #to let the peer access your resources, export them to it
site2site resource export "11" "kunshan" transparent transparent
site2site resource export "20.33" "kunshan" transparent transparent
site2site resource export "20.80" "kunshan" transparent transparent
" "kunshan" transparent transparent
site2site connection timeout 300
site2site connect "kunshan"
 
#virtual ATF configuration
atf off
atf clientid ipmac
atf client off
 
#resource group based ACL configuration      #*** ACL settings, i.e. authorization
acl resourcegroup network "it"             #define a resource group named it
acl resource "it" "10.10.51.0/24"           #which subnets, hosts or web resources "it" contains
acl resource "it" "10.10.53.0/24"
acl resource "it" "10.10.107.0/24"
acl rule group "10-02IT" "it" PERMIT 200     #apply resource "it" to group "10-02IT" with action permit and priority 200; deny is also possible, and the priority value can be adjusted: the higher the number, the higher the priority. One group can also match several ACLs.
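To see how the group mapping from the aaa section and the priority rule described above combine into an authorization decision, here is an added worked example (not Array's code or the original post's): it parses the `aaa map group`, `acl resource` and `acl rule group` lines, then resolves a user's AD groups to local groups and picks the highest-priority matching rule. The sample adds a constructed "mgmt" resource with a DENY rule at priority 300 to show the overlap case; only network/host CIDR resources are modelled, and "no matching rule means deny" is an assumption, not something the post states.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the page's aaa/acl lines; the "mgmt" resource and its
# higher-priority DENY rule are added here to show how overlapping rules are resolved
SAMPLE_ACL = """\
aaa map group "***-IT" "10-02IT" ""
acl resourcegroup network "it"
acl resource "it" "10.10.51.0/24"
acl resource "it" "10.10.53.0/24"
acl resource "it" "10.10.107.0/24"
acl rule group "10-02IT" "it" PERMIT 200
acl resourcegroup network "mgmt"
acl resource "mgmt" "10.10.53.10/32"
acl rule group "10-02IT" "mgmt" DENY 300
"""

def quoted(line):
    """Return the double-quoted arguments of a CLI line, in order."""
    return re.findall(r'"([^"]*)"', line)

def parse_acl(text):
    """Collect directory->local group mappings, resource group networks and ACL rules."""
    group_map, resources, rules = {}, defaultdict(list), []
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["aaa", "map", "group"]:
            directory_group, local_group = quoted(line)[:2]
            group_map[directory_group] = local_group
        elif parts[:2] == ["acl", "resource"]:
            name, target = quoted(line)
            # assumption: only network/host CIDR resources are handled, not web resources
            resources[name].append(ipaddress.ip_network(target, strict=False))
        elif parts[:3] == ["acl", "rule", "group"]:
            local_group, resource = quoted(line)
            rules.append((int(parts[-1]), local_group, resource, parts[-2].upper()))
    return group_map, resources, rules

def decide(dest, memberof, group_map, resources, rules):
    """Return PERMIT or DENY for dest given the user's memberOf groups.
    The highest-priority matching rule wins (larger number first), as the post
    states; no matching rule is treated as DENY (assumption)."""
    ip = ipaddress.ip_address(dest)
    local_groups = {group_map[g] for g in memberof if g in group_map}
    candidates = [r for r in rules
                  if r[1] in local_groups and any(ip in net for net in resources[r[2]])]
    if not candidates:
        return "DENY"
    return max(candidates, key=lambda r: r[0])[3]

if __name__ == "__main__":
    gm, res, rl = parse_acl(SAMPLE_ACL)
    print(decide("10.10.53.10", ["***-IT"], gm, res, rl))
```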
 
 
 
localdb account "amboedb" "SVNfeijiuling" "XXXXXXXXX.tlCf3AtWqyEQ##1284658147"   #create account SVNfeijiuling in database "amboedb" and set its password
localdb account "amboedb" "SVNliuxun" "XXXXXXXXXCC51FV0GQQN62##1284657982"
localdb group "amboedb" "SVN"   #create group "SVN" in database "amboedb"
localdb group "amboedb" "group1-test"
localdb group "amboedb" "group2-test"
localdb member "amboedb" "SVN" "SVNfeijiuling"  #add the user to the group; read together with the lines above
localdb member "amboedb" "SVN" "SVNhuangjindong"
localdb member "amboedb" "SVN" "SVNliuxun"
 
 
localdb netpool group "amboedb" "***-UI" arraypool     #the resource pool a local group belongs to, i.e. ***-UI belongs to arraypool
localdb netpool group "amboedb" "***-Vender" arraypool
localdb netpool group "amboedb" "***-YCH" arraypool
localdb netpool group "amboedb" "***-YUNWEI" arraypool
localdb netpool group "amboedb" "***-ZHIJIAO&JIJIAO" arraypool