Rewrite Each URL
By default, the ASA allows all portal traffic to all Web resources (for example HTTPS, CIFS, RDP, and plug-ins). Clientless SSL VPN rewrites each URL to one that is meaningful only to the ASA. The user cannot use this URL to confirm that they are connected to the website they requested. To avoid placing users at risk from phishing websites, assign a Web ACL to the policies configured for clientless access—group policies, dynamic access policies, or both—to control traffic flows from the portal. We recommend switching off URL Entry on these policies to prevent user confusion over what is accessible.
Procedure
Step 1 |
Configure a group policy for all users who need Clientless SSL VPN access, and enable Clientless SSL VPN for that group policy only. |
Step 2 |
With the group policy open, choose General > More Options > Web ACL and click Manage. |
Step 3 |
Create a Web ACL to do one of the following:
|
Step 4 |
Assign the Web ACL to any policies (group policies, dynamic access policies, or both) that you have configured for Clientless SSL VPN access. To assign a Web ACL to a DAP, edit the DAP record, and choose the Web ACL on the Network ACL Filters tab. |
Step 5 |
Switch off URL Entry on the portal page, the page that opens upon the establishment of a browser-based connection. Click Disable next to URL Entry on both the group policy Portal frame and the DAP Functions tab. To switch off URL Entry on a DAP, use ASDM to edit the DAP record, click the Functions tab, and check Disable next to URL Entry. |
Step 6 |
Instruct users to enter external URLs in the native browser address field above the portal page or open a separate browser window to visit external sites. |