37-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 37 Configuring WebVPN
Getting Started with WebVPN
WebVPN uses the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), to provide the secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.
The network administrator provides access to WebVPN resources to users on a group basis. Users have no direct access to resources on the internal network.
The following sections address getting started with the configuration of WebVPN access:
• Observing WebVPN Security Precautions
• Understanding Features Not Supported for WebVPN
• Using SSL to Access the Central Site
• Authenticating with Digital Certificates
• Enabling Cookies on Browsers for WebVPN
• Managing Passwords
• Using Single Sign-on with WebVPN
• Authenticating with Digital Certificates
Observing WebVPN Security Precautions
WebVPN connections on the security appliance are very different from remote access IPSec connections, particularly with respect to how they interact with SSL-enabled servers and the precautions needed to reduce security risks.
In a WebVPN connection, the security appliance acts as a proxy between the end-user web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server SSL certificate. The end-user browser never receives the presented certificate and therefore cannot examine or validate it.
The current implementation of WebVPN on the security appliance does not permit communication with sites that present expired certificates. Nor does the security appliance perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate an SSL-enabled web server presents before communicating with it.
To minimize the risks involved with SSL certificates:
1. Configure a group policy that consists of all users who need WebVPN access and enable the
WebVPN feature only for that group policy.
2. Limit Internet access for WebVPN users. One way to do this is to disable URL entry. Then configure
links to specific targets within the private network that you want WebVPN users to be able to access.
3. Educate users. If an SSL-enabled site is not inside the private network, users should not visit this
site over a WebVPN connection. They should open a separate browser window to visit such sites,
and use that browser to view the presented certificate.
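The following configuration fragment is an added illustration of precautions 1 and 2 and is not from the guide itself. The policy, list and host names are placeholders, and the command syntax is assumed from the 7.x release family this guide documents; confirm it against the command reference for your release.

```text
! --- Weak: WebVPN inherited by everyone via the default policy, free-form URL entry on ---
! (any user can reach WebVPN and type arbitrary external URLs into the portal)
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  functions url-entry file-access file-browsing

! --- Corrected: WebVPN only in a dedicated policy, no URL entry, links to named targets ---
webvpn
 enable outside
 ! constructed link list: only the internal targets WebVPN users need (precaution 2)
 url-list Intranet "HR Portal" https://hr.intranet.example.com
 url-list Intranet "Ticketing" https://tickets.intranet.example.com
! default policy no longer carries WebVPN (precaution 1)
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
! dedicated policy for the WebVPN user group
group-policy WebVPN-Only internal
group-policy WebVPN-Only attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions none
  url-list value Intranet
! WebVPN users land in the dedicated policy
tunnel-group WebVPN-Users type webvpn
tunnel-group WebVPN-Users general-attributes
 default-group-policy WebVPN-Only
```

After applying, review the result with show running-config group-policy WebVPN-Only to confirm that url-entry is absent and only the named url-list is attached.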
Understanding Features Not Supported for WebVPN
The security appliance does not support the following features for WebVPN connections:
• Inspection features under the Modular Policy Framework, inspecting configuration control.
• Functionality the filter configuration commands provide, including the vpn-filter command.