Smart Tunnel Access
The following sections describe how to enable smart tunnel access with Clientless SSL VPN sessions, specify the applications to be provided with such access, and provide notes on using it.
To configure smart tunnel access, you create a smart tunnel list containing one or more applications eligible for smart tunnel access, and the endpoint operating system associated with the list. Because each group policy or local user policy supports one smart tunnel list, you must group the nonbrowser-based applications to be supported into a smart tunnel list. After creating a list, you assign it to one or more group policies or local user policies.
The following sections describe smart tunnels and how to configure them:
About Smart Tunnels
A smart tunnel is a connection between a TCP-based application and a private site, using a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the ASA as a proxy server. You can identify applications for which to grant smart tunnel access, and specify the local path to each application. For applications running on Microsoft Windows, you can also require a match of the SHA-1 hash of the checksum as a condition for granting smart tunnel access.
Lotus SameTime and Microsoft Outlook are examples of applications to which you may want to grant smart tunnel access.
Configuring smart tunnels requires one of the following procedures, depending on whether the application is a client or is a web-enabled application:
-
Create one or more smart tunnel lists of the client applications, then assign the list to the group policies or local user policies for whom smart tunnel access is required.
-
Create one or more bookmark list entries that specify the URLs of the web-enabled applications eligible for smart tunnel access, then assign the list to the group policies or local user policies for whom smart tunnel access is required.
You can also list web-enabled applications for which to automate the submission of login credentials in smart tunnel connections over Clientless SSL VPN sessions.
Benefits of Smart Tunnels
Smart tunnel access lets a client TCP-based application use a browser-based VPN connection to access a service. It offers the following advantages to users, compared to plug-ins and the legacy technology, port forwarding:
-
Smart tunnel offers better performance than plug-ins.
-
Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user connection of the local application to the local port.
-
Unlike port forwarding, smart tunnel does not require users to have administrator privileges.
The advantage of a plug-in is that it does not require the client application to be installed on the remote computer.
Prerequisites for Smart Tunnels
See the Supported VPN Platforms, Cisco ASA 5500 Series, for the platforms and browsers supported by smart tunnels.
The following requirements and limitations apply to smart tunnel access on Windows:
-
ActiveX or Oracle Java Runtime Environment (JRE 6 or later recommended) on Windows must be enabled on the browser.
-
Only Winsock 2, TCP-based applications are eligible for smart tunnel access.
-
For Mac OS X only, Java Web Start must be enabled on the browser.
-
Smart tunnel is incompatible with IE's Enhanced Protected Mode.
Guidelines for Smart Tunnels
-
Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart Tunnel uses the Internet Explorer configuration, which sets system-wide parameters in Windows. That configuration may include proxy information:
-
If a Windows computer requires a proxy to access the ASA, then there must be a static proxy entry in the client's browser, and the host to connect to must be in the client's list of proxy exceptions.
-
If a Windows computer does not require a proxy to access the ASA, but does require a proxy to access a host application, then the ASA must be in the client's list of proxy exceptions.
Proxy systems can be defined the client’s configuration of static proxy entry or automatic configuration, or by a PAC file. Only static proxy configurations are currently supported by Smart Tunnels.
-
-
Kerberos constrained delegation (KCD) is not supported for smart tunnels.
-
With Windows, to add smart tunnel access to an application started from the command prompt, you must specify “cmd.exe” in the Process Name of one entry in the smart tunnel list, and specify the path to the application itself in another entry, because “cmd.exe” is the parent of the application.
-
With HTTP-based remote access, some subnets may block user access to the VPN gateway. To fix this, place a proxy in front of the ASA to route traffic between the Web and the end user. That proxy must support the CONNECT method. For proxies that require authentication, Smart Tunnel supports only the basic digest authentication type.
-
When smart tunnel starts, the ASA by default passes all browser traffic through the VPN session if the browser process is the same. The ASA only also does this if a tunnel-all policy (the default) applies. If the user starts another instance of the browser process, it passes all traffic through the VPN session. If the browser process is the same and the security appliance does not provide access to a URL, the user cannot open it. As a workaround, assign a tunnel policy that is not tunnel-all.
-
A stateful failover does not retain smart tunnel connections. Users must reconnect following a failover.
-
The Mac version of smart tunnel does not support POST bookmarks, form-based auto sign-on, or POST macro substitution.
-
For macOS users, only those applications started from the portal page can establish smart tunnel connections. This requirement includes smart tunnel support for Firefox. Using Firefox to start another instance of Firefox during the first use of a smart tunnel requires the user profile named csco_st. If this user profile is not present, the session prompts the user to create one.
-
In macOS, applications using TCP that are dynamically linked to the SSL library can work over a smart tunnel.
-
Smart tunnel does not support the following on macOS:
-
Sandboxed applications (verify in Activity Monitor using View > Columns). For that reason, macOS 10.14 and 10.15 do not support smart tunneling.
-
Proxy services.
-
Auto sign-on.
-
Applications that use two-level name spaces.
-
Console-based applications, such as Telnet, SSH, and cURL.
-
Applications using dlopen or dlsym to locate libsocket calls.
-
Statically linked applications to locate libsocket calls.
-
-
macOS requires the full path to the process and is case-sensitive. To avoid specifying a path for each username, insert a tilde (~) before the partial path (e.g., ~/bin/vnc).
Configure a Smart Tunnel (Lotus Example)
Note |
These example instructions provide the minimum instructions required to add smart tunnel support for an application. See the field descriptions in the sections that follow for more information. |
Procedure
Step 1 |
Choose Configuration > Remote Access VPN > Clientless SSL VPN Access . |
||||||||||
Step 2 |
Double-click the smart tunnel list to add an application to; or click Add to create a list of applications, enter a name for this list in the List Name field, and click Add. For example, click Add in the Smart Tunnels pane, enter Lotus in the List Name field, and click Add. |
||||||||||
Step 3 |
Click Add in the Add or Edit Smart Tunnel List dialog box. |
||||||||||
Step 4 |
Enter a string in the Application ID field to serve as a unique index to the entry within the smart tunnel list. |
||||||||||
Step 5 |
Enter the filename and extension of the application into the Process Name dialog box. The following table shows example application ID strings and the associated paths required to support Lotus.
|
||||||||||
Step 6 |
Select Windows next to OS. |
||||||||||
Step 7 |
Click OK. |
||||||||||
Step 8 |
Repeat for each application to add to the list. |
||||||||||
Step 9 |
Click OK in the Add or Edit Smart Tunnel List dialog box. |
||||||||||
Step 10 |
Assign the list to the group policies and local user policies to provide smart tunnel access to the associated applications, as follows:
|
Simplify Configuration of Applications to Tunnel
A smart tunnel application list is essentially a filter of what applications are granted access to the tunnel. The default is to allow access for all processes started by the browser. With a Smart Tunnel enabled bookmark, the clientless session grants access only to processes initiated by the Web browser. For non-browser applications, an administrator can choose to tunnel all applications and thus remove the need to know which applications an end user may invoke.
Note |
This configuration is applicable to Windows platforms only. |
The following table shows the situations in which processes are granted access.
Situation |
Smart Tunnel Enabled Bookmark |
Smart Tunnel Application Access |
||
---|---|---|---|---|
Application list specified |
Any processes that match a process name in the application list are granted access. |
Only processes that match a process name in the application list are granted access. |
||
Smart tunnel is switched off |
All processes (and their child processes) are granted access. |
No process is granted access. |
||
Smart Tunnel all Applications check box is checked. |
All processes (and their child processes) are granted access.
|
All processes owned by the user who started the browser are granted access but not child processes of those original processes. |
Procedure
Step 1 |
Choose . |
Step 2 |
In the User Account window, highlight the username to edit. |
Step 3 |
Click Edit. The Edit User Account window appears. |
Step 4 |
In the left sidebar of the Edit User Account window, click . |
Step 5 |
Perform one of the following:
|
Add Applications to Be Eligible for Smart Tunnel Access
The Clientless SSL VPN configuration of each ASA supports smart tunnel lists, each of which identifies one or more applications eligible for smart tunnel access. Because each group policy or username supports only one smart tunnel list, you must group each set of applications to be supported into a smart tunnel list.
The Add or Edit Smart Tunnel Entry dialog box lets you specify the attributes of an application in a smart tunnel list.
Procedure
Step 1 |
Navigate to , and choose a smart tunnel application list to edit, or add a new one. |
||||||||||||||||||||||||||||
Step 2 |
For a new list, enter a unique name for the list of applications or programs. Do not use spaces. Following the configuration of the smart tunnel list, the list name appears next to the Smart Tunnel List attribute in the Clientless SSL VPN group policies and local user policies. Assign a name that will help you to distinguish its contents or purpose from other lists that you are likely to configure. |
||||||||||||||||||||||||||||
Step 3 |
Click Add and add as many applications as you need to this smart tunnel list. The parameters are described below:
|
||||||||||||||||||||||||||||
Step 4 |
Click OK to save the application, and create how ever many applications you need for this smart tunnel list. |
||||||||||||||||||||||||||||
Step 5 |
When you are done creating your smart tunnel list, you must assign it to a group policy or a local user policy for it to become active, as follows:
|
About Smart Tunnel Lists
For each group policy and username, you can configure Clientless SSL VPN to do one of the following:
-
Start smart tunnel access automatically upon user login.
-
Enable smart tunnel access upon user login, but require the user to start it manually, using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN Portal Page.
Note
The smart tunnel logon options are mutually exclusive for each group policy and username. Use only one.
Create a Smart Tunnel Auto Sign-On Server List
The Smart Tunnel Auto Sign-on Server List dialog box lets you add or edit lists of servers which will automate the submission of login credentials during smart tunnel setup. Auto sign-on over a smart tunnel is available for Internet Explorer and Firefox.
Procedure
Step 1 |
Navigate to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels, and ensure that the Smart Tunnel Auto Sign-on Server List is expanded. |
Step 2 |
Click Add, and enter a unique name for a list of remote servers that will help you to distinguish its contents or purpose from other lists that you are likely to configure. The string can be up to 64 characters. Do not use spaces. |
What to do next
Note |
After you create a smart tunnel auto sign-on list, that list name appears next to the Auto Sign-on Server List attribute under Smart Tunnel in the Clientless SSL VPN group policy and local user policy configurations. |
Add Servers to a Smart Tunnel Auto Sign-On Server List
The following steps describe how to add servers to the list of servers for which to provide auto sign-on in smart tunnel connections, and assign that list to a group policies or a local user.
Procedure
Step 1 |
Navigate to Edit. , choose one of the lists, and click |
||
Step 2 |
Click the Add button on the Add Smart Tunnel Auto Sign-On Server List dialog to add one more smart tunnel servers. |
||
Step 3 |
Enter the hostname or IP address of the server to auto-authenticate to:
|
||
Step 4 |
Windows Domain (Optional)—Click to add the Windows domain to the username, if authentication requires it. If you do so, ensure you specify the domain name when assigning the smart tunnel list to one or more group policies or local user policies. |
||
Step 5 |
HTTP-based Auto Sign-On (Optional)
|
||
Step 6 |
Click OK. |
||
Step 7 |
Following the configuration of the smart tunnel auto sign-on server list, you must assign it to a group policy or a local user policy for it to become active, as follows:
|
Enable and Switch Off Smart Tunnel Access
By default, smart tunnels are switched off.
If you enable smart tunnel access, the user will have to start it manually, using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN portal page.
Configure Smart Tunnel Log Off
This section describes how to ensure that the smart tunnel is properly logged off. Smart tunnel can be logged off when all browser windows have been closed, or you can right click the notification icon and confirm log out.
Note |
We strongly recommend the use of the logout button on the portal. This method pertains to Clientless SSL VPNs and logs off regardless of whether smart tunnel is used or not. The notification icon should be used only when using standalone applications without the browser. |
Configure Smart Tunnel Log Off when Its Parent Process Terminates
This practice requires the closing of all browsers to signify log off. The smart tunnel lifetime is now tied to the starting process lifetime. For example, if you started a smart tunnel from Internet Explorer, the smart tunnel is turned off when no iexplore.exe is running. Smart tunnel can determine that the VPN session has ended even if the user closed all browsers without logging out.
Note |
In some cases, a lingering browser process is unintentional and is strictly a result of an error. Also, when a Secure Desktop is used, the browser process can run in another desktop even if the user closed all browsers within the secure desktop. Therefore, smart tunnel declares all browser instances gone when no more visible windows exist in the current desktop. |
Configure Smart Tunnel Log Off with a Notification Icon
You may also choose to switch off logging off when a parent process terminates so that a session survives if you close a browser. For this practice, you use a notification icon in the system tray to log out. The icon remains until the user clicks the icon to logout. If the session has expired before the user has logged out, the icon remains until the next connection is tried. You may have to wait for the session status to update in the system tray.
Note |
This icon is an alternative way to log out of SSL VPN. It is not an indicator of VPN session status. |
Procedure
Step 1 |
Choose . |
||
Step 2 |
Enable the radio button. |
||
Step 3 |
In the Smart Tunnel Networks portion of the window, check Add and enter both the IP address and hostname of the network which should include the icon.
|