Clientless SSL VPN Remote Users
Note: Cisco deprecated the Clientless SSL VPN feature effective with ASA version 9.17(1). Limited support continues on releases prior to 9.17(1). Further guidance will be provided regarding migration options to more robust and modern solutions (for example, Duo Network Gateway, AnyConnect, remote browser isolation capabilities, and so on).
This chapter summarizes the configuration requirements and tasks for the remote user system and helps users get started with Clientless SSL VPN. It includes the following sections:
Note: Make sure that the ASA has been configured for Clientless SSL VPN before users attempt to connect.
Usernames and Passwords
Depending on your network, during a remote session users may have to log on to any or all of the following: the computer itself, an Internet service provider, Clientless SSL VPN, mail or file servers, or corporate applications. Users may have to authenticate in several different contexts, each requiring different information, such as a unique username, password, or PIN. Ensure that users have the credentials and access rights they need in each context.
The following table lists the type of usernames and passwords that Clientless SSL VPN users may need to know.
| Login Username/Password Type | Purpose | Entered When |
|---|---|---|
| Computer | Access the computer | Starting the computer |
| Internet Service Provider | Access the Internet | Connecting to an Internet service provider |
| Clientless SSL VPN | Access remote network | Starting a Clientless SSL VPN session |
| File Server | Access remote file server | Using the Clientless SSL VPN file browsing feature to access a remote file server |
| Corporate Application Login | Access firewall-protected internal server | Using the Clientless SSL VPN Web browsing feature to access an internal protected website |
| Mail Server | Access remote mail server via Clientless SSL VPN | Sending or receiving email messages |
Communicate Security Tips
Communicate the following security tips:
- Always log out from a Clientless SSL VPN session by clicking the logout icon on the Clientless SSL VPN toolbar or by closing the browser. Prefer the logout icon: it ends the session on the ASA immediately, whereas a session left behind by a closed browser persists until its idle timeout expires.
- Using Clientless SSL VPN does not ensure that communication with every site is secure. Clientless SSL VPN protects only the leg between the remote computer or workstation and the ASA on the corporate network. If a user then accesses a non-HTTPS Web resource (located on the Internet or on the internal network), the leg from the corporate ASA to the destination Web server is unencrypted.
Configure Remote Systems to Use Clientless SSL VPN Features
The following table lists the tasks involved in setting up remote systems to use Clientless SSL VPN, the requirements or prerequisites for each task, and recommended usage. The table is organized by user activity.
You may have configured user accounts differently, and different features may be available to each Clientless SSL VPN user.

| Task | Remote System or End User Requirements | Specifications or Use Suggestions |
|---|---|---|
| Starting Clientless SSL VPN | Connection to the Internet | Any Internet connection is supported, including: |
| | Clientless SSL VPN-supported browser | We recommend the following browsers for Clientless SSL VPN on Microsoft Windows, Linux, and Mac OS X. Other browsers may not fully support Clientless SSL VPN features. |
| | Cookies enabled on browser | Cookies must be enabled on the browser in order to access applications via port forwarding. |
| | URL for Clientless SSL VPN | An HTTPS address in the form https://address, where address is the IP address or DNS hostname of an interface of the ASA (or load balancing cluster) on which Clientless SSL VPN is enabled. For example: https://10.89.192.163 or https://cisco.example.com. Users should not proceed past a browser certificate warning: an untrusted or mismatched certificate means the browser could not verify that it is talking to the expected ASA. |
| | Clientless SSL VPN username and password | — |
| | [Optional] Local printer | Clientless SSL VPN does not support printing from a Web browser to a network printer. Printing to a local printer is supported. |
| Using the Floating Toolbar in a Clientless SSL VPN Connection | — | A floating toolbar is available to simplify the use of Clientless SSL VPN. The toolbar lets you enter URLs, browse file locations, and choose preconfigured Web connections without interfering with the main browser window. If the browser is configured to block popups, the floating toolbar cannot display. The floating toolbar represents the current Clientless SSL VPN session; if you click its Close button, the ASA prompts you to close the Clientless SSL VPN session. |
| Web Browsing | Usernames and passwords for protected websites | Using Clientless SSL VPN does not ensure that communication with every site is secure. See "Communicate Security Tips." |
| | — | The look and feel of Web browsing with Clientless SSL VPN may be different from what users are accustomed to. For example: |
| Network Browsing and File Management | File permissions configured for shared remote access | Only shared folders and files are accessible via Clientless SSL VPN. |
| | Server name and passwords for protected file servers | — |
| | Domain, workgroup, and server names where folders and files reside | Users may not be familiar with how to locate their files through your organization's network. |
| | — | Do not interrupt the Copy File to Server command or navigate to a different screen while the copy is in progress. Interrupting the operation can leave an incomplete file on the server. |
| Using Applications (called Port Forwarding or Application Access) | — | Users should always close the Application Access window when they finish using applications by clicking the Close icon. Failure to close the window properly can cause Application Access or the applications themselves to be inaccessible. |
| | Client applications installed | — |
| | Cookies enabled on browser | — |
| | Administrator privileges | The user must have administrator access on the computer if you use DNS names to specify servers, because port forwarding modifies the local hosts file and that requires administrator rights. |
| | Oracle Java Runtime Environment (JRE) installed. JavaScript must be enabled on the browser (it is enabled by default). | If the JRE is not installed, a pop-up window directs users to a site where it is available. On rare occasions, the port forwarding applet fails with Java exception errors. If this happens, do the following: |
| | Client applications configured, if necessary. | To configure the client application, use the server's locally mapped IP address and port number. To find this information: |
| Using email via Application Access | Fulfill the requirements for Application Access (see Using Applications). | To use mail, start Application Access from the Clientless SSL VPN Home page. The mail client is then available for use. |
| | Other email clients | We have tested Microsoft Outlook Express versions 5.5 and 6.0. |
| Using email via Web Access | Web-based email product installed | Supported products include: Other web-based email products should also work, but we have not verified them. |
| Using email via email Proxy | SSL-enabled mail application installed. Do not set the ASA SSL version to TLSv1 Only: the Outlook and Outlook Express versions covered here do not support TLS. Be aware that allowing pre-TLS protocol versions for their sake weakens the ASA's SSL configuration for every client. | Supported mail applications: Other SSL-enabled mail clients should also work, but we have not verified them. |
| | Mail application configured | — |
Capture Clientless SSL VPN Data
The CLI capture command lets you log information about websites that do not display correctly over a Clientless SSL VPN connection. This data can help your Cisco customer support engineer troubleshoot problems. The following sections describe how to use the capture command:
- Create a Capture File
- Use a Browser to Display Capture Data
Note: Enabling Clientless SSL VPN capture affects the performance of the ASA. Switch the capture off as soon as you have generated the capture files needed for troubleshooting.
Create a Capture File
Procedure
Step 1: Start the Clientless SSL VPN capture utility, which records the named user's Clientless SSL VPN traffic: capture capture-name type webvpn user csslvpn-username
Step 2: Stop the capture by using the no form of the command: no capture capture-name. The capture utility creates a capture-name.zip file, which is encrypted with the password koleso. Because that password is fixed and published in this guide, the archive is not confidential; it contains the user's session data, so transfer it only over a protected channel and delete it when the case is closed.
Step 3: Send the .zip file to Cisco, or attach it to a Cisco TAC service request.
Step 4: To look at the contents of the .zip file, unzip it using the password koleso.
Use a Browser to Display Capture Data
Procedure
Step 1: Start the Clientless SSL VPN capture utility: capture capture-name type webvpn user csslvpn-username
Step 2: Open a browser and in the address box enter https://address/webvpn_capture.html, where address is the IP address or hostname of the ASA. The captured content displays in a sniffer format.
Step 3: Stop the capture by using the no form of the command: no capture capture-name
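The following example, added here and not part of the Cisco guide, shows what Step 4 of "Create a Capture File" amounts to in practice and why the archive's encryption provides no confidentiality: the capture-name.zip is opened with the documented password koleso, a wrong password is rejected, and the members are listed. It assumes the archive uses traditional PKZIP ("ZipCrypto") encryption, which Python's standard zipfile module can read with pwd=; if the ASA used another scheme, use `unzip -P koleso` or 7-Zip instead. Because no real capture is available offline, the script builds a small ZipCrypto archive in memory (constructed stand-in; the real capture's layout is not modelled) and then opens it exactly as it would open a real one.

```python
"""Open an ASA Clientless SSL VPN capture archive (capture-name.zip).

Added example, not Cisco code. Assumed: traditional PKZIP ("ZipCrypto")
encryption, readable by zipfile with pwd=, and the fixed documented password
"koleso". A ZipCrypto archive is built in memory as a constructed stand-in
for the ASA's output so that the example runs offline.
"""
import io
import struct
import zipfile
import zlib

CAPTURE_PASSWORD = b"koleso"  # fixed, published password: no confidentiality

# Standard CRC-32 table (polynomial 0xEDB88320), used by the ZipCrypto keys.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCrypto:
    """Traditional PKZIP stream cipher (APPNOTE 6.1), encrypt side only;
    decryption is left to zipfile so the real reader is what gets exercised."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.k
        k[0] = _CRC_TABLE[(k[0] ^ b) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # keys advance on the plaintext byte
        return bytes(out)


def build_encrypted_zip(entries: dict, password: bytes) -> bytes:
    """Write a stored (method 0), ZipCrypto-encrypted zip: a constructed
    stand-in for the capture-name.zip the ASA produces."""
    local, central, offset = bytearray(), bytearray(), 0
    for name, data in entries.items():
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # 12-byte encryption header: 11 filler bytes (zero here) plus the CRC
        # high byte, the single byte a reader uses to reject a wrong password.
        body = ZipCrypto(password).encrypt(bytes(11) + bytes([crc >> 24]) + data)
        nm = name.encode()
        # version 2.0, flags=1 (encrypted), method 0 (stored), time 0, date 1980-01-01
        fixed = struct.pack("<HHHHHIII", 20, 1, 0, 0, 0x21, crc, len(body), len(data))
        local += b"PK\x03\x04" + fixed + struct.pack("<HH", len(nm), 0) + nm + body
        central += (b"PK\x01\x02" + struct.pack("<H", 20) + fixed
                    + struct.pack("<HHHHHII", len(nm), 0, 0, 0, 0, 0, offset) + nm)
        offset = len(local)
    eocd = b"PK\x05\x06" + struct.pack(
        "<HHHHIIH", 0, 0, len(entries), len(entries), len(central), len(local), 0)
    return bytes(local + central + eocd)


def entries_encrypted(archive: bytes) -> bool:
    """True when every member carries the general-purpose encryption flag (bit 0)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return all(info.flag_bits & 0x1 for info in zf.infolist())


def open_capture(archive: bytes, password: bytes = CAPTURE_PASSWORD) -> dict:
    """Return {member name: plaintext bytes}, decrypting with the documented
    password. Raises RuntimeError on a bad password, BadZipFile on bad data."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {info.filename: zf.read(info, pwd=password) for info in zf.infolist()}


def password_works(archive: bytes, password: bytes) -> bool:
    """Check a password; a wrong one fails the header check byte or the CRC."""
    try:
        open_capture(archive, password)
        return True
    except (RuntimeError, zipfile.BadZipFile):
        return False


# Constructed sample standing in for capture-name.zip (content is a placeholder).
SAMPLE_CAPTURE = build_encrypted_zip(
    {"session.txt": b"constructed sample of captured clientless session data\n"},
    CAPTURE_PASSWORD,
)

if __name__ == "__main__":
    print("encrypted members:", entries_encrypted(SAMPLE_CAPTURE))
    print("wrong password accepted:", password_works(SAMPLE_CAPTURE, b"wrong"))
    for member, content in open_capture(SAMPLE_CAPTURE).items():
        print(member, len(content), "bytes")
```

On a real capture, replace SAMPLE_CAPTURE with the bytes read from the capture-name.zip you retrieved from the ASA; the open_capture call is unchanged. The point to take away is that ZipCrypto with a password printed in public documentation is a packaging detail, not a control: anyone who obtains the archive can open it, so protect it in transit and at rest as you would the user's raw session traffic.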