Cisco FirePOWER ASA 5500 series User Manual

37-4
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 37 Configuring WebVPN
Getting Started with WebVPN
Setting WebVPN HTTP/HTTPS Proxy
The security appliance can terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP
and HTTPS proxy servers. These servers act as intermediaries between users and the Internet. Requiring
all Internet access via a server that the organization controls provides another opportunity for filtering
to assure secure Internet access and administrative control.
To set values for HTTP and HTTPS proxy, use the http-proxy and https-proxy commands in webvpn
mode. These commands let you identify HTTP and HTTPS proxy servers and ports.
Configuring SSL/TLS Encryption Protocols
When you set SSL/TLS encryption protocols, be aware of the following:
• Make sure that the security appliance and the browser you use allow the same SSL/TLS encryption
  protocols.
• If you configure e-mail proxy, do not set the security appliance SSL version to TLSv1 Only.
  MS Outlook and MS Outlook Express do not support TLS.
• TCP Port Forwarding requires Sun Microsystems Java Runtime Environment (JRE) version 1.4.x
  and 1.5.x. Port forwarding does not work when a WebVPN user connects with some SSL versions,
  as follows:
    Negotiate SSLv3          Java downloads
    Negotiate SSLv3/TLSv1    Java downloads
    Negotiate TLSv1          Java does NOT download
    TLSv1Only                Java does NOT download
    SSLv3Only                Java does NOT download
Authenticating with Digital Certificates
SSL uses digital certificates for authentication. The security appliance creates a self-signed SSL server
certificate when it boots; or you can install in the security appliance an SSL certificate that has been
issued in a PKI context. For HTTPS, this certificate must then be installed on the client. You need to
install the certificate from a given security appliance only once.
Restrictions for authenticating users with digital certificates include the following:
• Application Access does not work for WebVPN users who authenticate using digital certificates.
  JRE does not have the ability to access the web browser keystore. Therefore Java cannot use a
  certificate that the browser uses to authenticate a user, so it cannot start.
• E-mail proxy supports certificate authentication with Netscape 7.x e-mail clients only. Other e-mail
  clients such as MS Outlook, MS Outlook Express, and Eudora lack the ability to access the
  certificate store.
For more information on authentication and authorization using digital certificates, see “Using
Certificates and User Login Credentials” in the “Configuring AAA Servers and the Local Database”
chapter.
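An added example, not from the Cisco guide: a Python check that scans a saved configuration for the two restrictions listed under Configuring SSL/TLS Encryption Protocols (e-mail proxy with TLSv1 Only, and port forwarding with an SSL version for which Java does not download). Assumptions: the `ssl server-version` keywords and their mapping to the table's labels, `any` as the default, the `pop3s`/`imap4s`/`smtps` and `port-forward` line forms, and the constructed sample configuration.

```python
import re

# From the page's table: SSL version the WebVPN user connects with ->
# whether the port-forwarding Java applet downloads.
JAVA_DOWNLOADS = {
    "Negotiate SSLv3": True,
    "Negotiate SSLv3/TLSv1": True,
    "Negotiate TLSv1": False,
    "TLSv1Only": False,
    "SSLv3Only": False,
}
# Assumption (not on the page): `ssl server-version` keywords and how they
# correspond to the table's labels.
KEYWORD_TO_LABEL = {
    "any": "Negotiate SSLv3/TLSv1",
    "sslv3": "Negotiate SSLv3",
    "tlsv1": "Negotiate TLSv1",
    "sslv3-only": "SSLv3Only",
    "tlsv1-only": "TLSv1Only",
}
EMAIL_PROXY_MODES = {"pop3s", "imap4s", "smtps"}  # assumed e-mail proxy mode commands

def audit(config_text):
    """Return findings for the SSL/TLS restrictions stated on this page."""
    lines = [line.strip() for line in config_text.splitlines()]
    keyword = "any"  # assumed default when the command is absent
    for line in lines:
        m = re.fullmatch(r"ssl server-version (\S+)", line)
        if m:
            keyword = m.group(1)
    label = KEYWORD_TO_LABEL.get(keyword)
    if label is None:
        return [f"unrecognized ssl server-version keyword: {keyword}"]
    findings = []
    if label == "TLSv1Only" and any(l in EMAIL_PROXY_MODES for l in lines):
        findings.append("e-mail proxy with TLSv1 Only: MS Outlook and "
                        "MS Outlook Express do not support TLS")
    if not JAVA_DOWNLOADS[label] and any(l.startswith("port-forward ") for l in lines):
        findings.append(f"port forwarding with {label}: Java does NOT download")
    return findings

# Constructed sample configuration (addresses from the documentation range).
SAMPLE_CONFIG = """\
ssl server-version tlsv1-only
webvpn
 enable outside
pop3s
 enable outside
port-forward Apps 2323 192.0.2.20 23
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN:", finding)
```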
