
Cisco 5510 - ASA SSL / IPsec VPN Edition User Manual

2164 pages
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Clientless SSL VPN
• The ASA does not support clientless access to Windows Shares (CIFS) Web Folders from Windows
7, Vista, Internet Explorer 8-9, Mac OS X, and Linux.
• Certificate authentication, including the DoD Common Access Card and SmartCard, works with the
Safari keychain only.
• The ASA does not support DSA or RSA certificates for clientless SSL VPN connections.
• Some domain-based security products have requirements above those requests that originate from
the ASA.
• Inspecting configuration control and other inspection features under the Modular Policy Framework
are not supported.
• The vpn-filter command under group policy is for client-based access and is thus not supported.
Filter under webvpn mode in group policy is for clientless-based access.
• Neither NAT nor PAT is applicable to the client.
• The ASA does not support the use of the QoS rate limiting commands, such as police or
priority-queue.
• The ASA does not support the use of connection limits, checking either via the static or the Modular
Policy Framework set connection command.
• Some components of Clientless SSL VPN require the Java Runtime Environment (JRE). With Mac
OS X v10.7 and later, Java is not installed by default. For details of how to install Java on Mac OS
X, see http://java.com/en/download/faq/java_mac.xml.
• If you have several group policies configured for the clientless portal, they are displayed in a
drop-down on the logon page. If the top of the list of group policies is one that requires a certificate,
then as soon as the user gets to the logon page, they must have a matching certificate. If not all your
group policies use certificates, then configure the list to display a non-certificate policy first. Name
your group policies to sort alphabetically, or prefix them with numbers so an AAA policy shows up
first. For example, 1-AAA, 2-Certificate. Or, create a "dummy" group policy named Select-a-Group,
and make sure that shows up first.
Observing Clientless SSL VPN Security Precautions
By default, the ASA permits all portal traffic to all web resources (e.g., HTTPS, CIFS, RDP, and
plug-ins). The ASA clientless service rewrites each URL to one that is meaningful only to itself; the user
cannot use the rewritten URL displayed on the page accessed to confirm that they are on the site they
requested. To avoid placing users at risk, assign a web ACL to the policies configured for clientless
access – group-policies, dynamic access policies, or both – to control traffic flows from the portal. For
example, without such an ACL, users could receive an authentication request from an outside fraudulent
banking or commerce site. Also, we recommend disabling URL Entry on these policies to prevent user
confusion over what is accessible.
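
The following check is an added example, not part of the Cisco guide: it reads a saved configuration and reports group policies whose webvpn section lacks a web ACL (filter) or leaves URL Entry enabled. The sample configuration, the function name and the finding messages are constructed for illustration. Settings not stated in a policy are inherited from the default group policy, so a finding means the inherited value still has to be confirmed.

```python
import re

# Constructed sample config: policy names, ACL names and URLs are illustrative.
SAMPLE_CONFIG = """\
access-list portal_web webtype permit url https://intranet.example.com/*
access-list portal_web webtype deny url any
group-policy 1-AAA internal
group-policy 1-AAA attributes
 webvpn
  filter value portal_web
  url-entry disable
group-policy 2-Certificate internal
group-policy 2-Certificate attributes
 webvpn
  url-entry enable
group-policy 3-Partners internal
group-policy 3-Partners attributes
 webvpn
  filter value missing_acl
  url-entry disable
"""


def audit_clientless_policies(config):
    """Return {group_policy: [issues]} for each policy with a webvpn section."""
    webtype_acls = set(re.findall(r"^access-list (\S+) webtype ", config, re.M))
    policies, current, in_webvpn = {}, None, False
    for line in config.splitlines():
        words = line.split()
        header = re.match(r"group-policy (\S+) attributes\s*$", line)
        if header:
            current, in_webvpn = header.group(1), False
        elif not line.startswith(" "):
            current = None  # left the group-policy block
        elif current and words == ["webvpn"]:
            in_webvpn, policies[current] = True, {"filter": None, "url-entry": None}
        elif current and in_webvpn and words and words[0] in policies[current]:
            policies[current][words[0]] = words[-1]  # ACL name, none, enable or disable
    findings = {}
    for name, seen in policies.items():
        issues = []
        if seen["filter"] in (None, "none"):
            issues.append("no web ACL set in this policy")
        elif seen["filter"] not in webtype_acls:
            issues.append("filter names an undefined webtype ACL: " + seen["filter"])
        if seen["url-entry"] != "disable":
            issues.append("URL Entry not disabled in this policy")
        if issues:
            findings[name] = issues
    return findings
```
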
Figure 1-1 Example URL Typed by User


Cisco 5510 - ASA SSL / IPsec VPN Edition Specifications

General
Brand: Cisco
Model: 5510 - ASA SSL / IPsec VPN Edition
Category: Firewall
Language: English