Configuring Policy Objects for Remote Access VPNs
There are several policy objects that you use primarily or exclusively with remote access VPNs. Some of these objects, the ASA Group Policies and User Group objects, are also used with Easy VPN site-to-site topologies. This reference explains the configuration of these policy objects.
This chapter contains the following topics:
- ASA Group Policies Dialog Box
- Add or Edit Secure Desktop Configuration Dialog Box
- Add and Edit File Object Dialog Boxes
- Add or Edit Port Forwarding List Dialog Boxes
- Add or Edit Single Sign On Server Dialog Boxes
- Add or Edit Bookmarks Dialog Boxes
- Add and Edit SSL VPN Customization Dialog Boxes
- Add or Edit SSL VPN Gateway Dialog Box
- Add and Edit Smart Tunnel List Dialog Boxes
- Add and Edit Smart Tunnel Network Lists Dialog Boxes
- Add and Edit Smart Tunnel Auto Signon List Dialog Boxes
- Add or Edit User Group Dialog Box
- Add or Edit WINS Server List Dialog Box
ASA Group Policies Dialog Box
Use the Add or Edit ASA Group Policies dialog box to create, copy, and edit an ASA Group Policies object.
ASA group policies are configured on ASA security appliances in Easy VPN topologies, remote access IPSec VPNs, and remote access SSL VPNs. When you configure an Easy VPN or remote access VPN, you must create group policies to which remote clients will belong. A group policy is a set of user-oriented attribute/value pairs for VPN connections that are stored either internally (locally) on the device or externally on a AAA server. The tunnel group uses a group policy that sets terms for user connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user or a group of users rather than having to specify each attribute individually for each user.
Note You must select the technology for which you are creating the object. Depending on the selected technology, the appropriate settings are available for configuration. If you select the IKEv1 or IKEv2 options, the IKE Proposal and IPSec Proposal policies must also be configured to support the selected IKE version.
Select ASA Group Policies in the Policy Object Manager. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Tip You can also create objects while configuring policies that use this type of object, including Connection Profile policies for remote access and Easy VPN, or the Group Policies policy for remote access VPNs.
- The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects.
- The body of the dialog box is a pane with a table of contents on the left and settings related to the item selected in the table of contents on the right. You must first configure technology settings; then you can select items from the table of contents on the left and configure the options you require. Your selections on the Technology page control which options are available on these pages and in the table of contents. The top folders in the table of contents represent the VPN technologies or other settings that you can configure, and are explained next.
- These settings control what you can define in the group policy:
  - If you select External, the only attributes you can configure are the name of the AAA server group object that identifies the AAA server and its password.
  - Easy VPN/IPSec IKEv1—For Easy VPN topologies or remote access IPsec VPNs that allow IKEv1 negotiations.
  - Easy VPN/IPSec IKEv2—For remote access IPsec VPNs that allow IKEv2 negotiations. IKEv2 is not supported in Easy VPN topologies.
  - SSL Clientless—For remote access SSL VPNs of all types, not just clientless.

  Note To enable the web-based VPN (webvpn) option in the group-policy attributes, you must enable either the “ssl-client” or the “ssl-clientless” tunneling protocol. In other words, if at device discovery the group-policy attribute “vpn-tunnel-protocol” does not include “ssl-client” or “ssl-clientless”, Security Manager removes the “webvpn” option from the group-policy attributes during the next deployment of the device.

  After you select an external server group, the Password and Confirm fields become active. Enter the alphanumeric password to use for authenticating with the server in both fields. The password can be a maximum of 128 characters; spaces are not allowed.
- The DNS and WINS servers and the domain name that should be pushed to clients associated with the group. See ASA Group Policies DNS/WINS Settings.
- Settings to allow a remote client to conditionally direct encrypted packets through a secure tunnel to the central site and simultaneously allow clear text tunnels to the Internet through a network interface. See ASA Group Policies Split Tunneling Settings.
- Settings for Easy VPN and remote access IPSec VPNs:
- The connection settings for the group, such as the session and idle timeouts, including the banner text. See ASA Group Policies Connection Settings.
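The note above states that Security Manager strips the webvpn options of any group policy whose vpn-tunnel-protocol includes neither ssl-client nor ssl-clientless. The following Python script is an added example, not Security Manager's or Cisco's code: it parses a constructed ASA running-config excerpt and lists the group policies that would lose their webvpn block, so the mismatch can be corrected before deployment.

```python
"""Pre-deployment audit of ASA group-policy attribute blocks (added example,
not Security Manager code). It flags every group policy that carries a
'webvpn' sub-block while its 'vpn-tunnel-protocol' line includes neither
'ssl-client' nor 'ssl-clientless', because Security Manager removes the
webvpn options of such a policy at the next deployment. The configuration
excerpt below is constructed for the example."""
import re

SSL_PROTOCOLS = {"ssl-client", "ssl-clientless"}

# Constructed running-config excerpt with three group policies.
SAMPLE_CONFIG = """\
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ikev2 ssl-client
 webvpn
  anyconnect keep-installer installed
group-policy GP_LEGACY_IPSEC internal
group-policy GP_LEGACY_IPSEC attributes
 vpn-tunnel-protocol ikev1
 webvpn
  anyconnect ssl dtls enable
group-policy GP_IPSEC_ONLY internal
group-policy GP_IPSEC_ONLY attributes
 vpn-tunnel-protocol ikev1 ikev2
 vpn-idle-timeout 30
"""

ATTR_HEADER = re.compile(r"^group-policy (\S+) attributes$")


def parse_group_policies(config_text):
    """Return {policy_name: {"protocols": set, "has_webvpn": bool}}.

    Only 'group-policy <name> attributes' blocks are inspected. A block
    ends at the next unindented line (ASA indents attributes by one space
    and the children of 'webvpn' by two)."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            m = ATTR_HEADER.match(line)
            if m:
                current = policies.setdefault(
                    m.group(1), {"protocols": set(), "has_webvpn": False})
            else:
                current = None  # any other top-level line closes the block
            continue
        if current is None:
            continue
        if indent == 1 and line.startswith("vpn-tunnel-protocol "):
            current["protocols"].update(line.split()[1:])
        elif indent == 1 and line == "webvpn":
            current["has_webvpn"] = True
    return policies


def webvpn_at_risk(config_text):
    """Sorted names of policies whose webvpn block would be removed."""
    return sorted(
        name for name, gp in parse_group_policies(config_text).items()
        if gp["has_webvpn"] and not (gp["protocols"] & SSL_PROTOCOLS))


if __name__ == "__main__":
    for name in webvpn_at_risk(SAMPLE_CONFIG):
        print(f"{name}: webvpn block present but vpn-tunnel-protocol lacks "
              "ssl-client/ssl-clientless; add one or remove the webvpn block")
```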
Supported CLIs in Remote Access VPN Multi-Context Mode - Group Policy
The following CLIs are supported for Group Policy in ASA version 9.5(2) for remote access VPN in multiple context mode. These CLIs are supported in Admin and User Context.
Note For the configurations that are not supported, Security Manager displays a warning message that you can ignore. No delta will be generated.
- Address-pools
- Banner
- Client-bypass-protocol
- Default-domain
- Dhcp-network-scope
- Dns-server
- Exit
- Gateway-fqdn
- Ipv6-address-pools
- Msie-proxy
- No
- Security-group-tag
- Smartcard-removal-disconnect
- Periodic-authentication
- Split-dns
- Split-tunnel-all-dns
- Split-tunnel-network-list
- Split-tunnel-policy
- Vpn-access-hours
- Vpn-filter (already supported in multi-mode for S2S)
- Vpn-simultaneous-logins
- Vpn-idle-timeout (already supported in multi-mode for S2S)
- Vpn-session-timeout (already supported in multi-mode for S2S)
- Vpn-tunnel-protocol ssl-client
- Wins-server
- Webvpn
ASA Group Policies Client Configuration Settings
Use the Client Configuration settings page to configure the Cisco client parameters for the ASA group policy for Easy VPN or remote access VPN.
Client Configuration is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Select Easy VPN/IPSec VPN > Client Configuration from the table of contents in the ASA Group Policies Dialog Box.
ASA Group Policies Client Firewall Attributes
Use the Client Firewall Attributes settings to configure the firewall settings for VPN clients for the ASA group policy for Easy VPN or remote access IPSec VPN. Only VPN clients running Microsoft Windows can use these firewall settings.
Client Firewall Attributes are not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Select Easy VPN/IPSec VPN > Client Firewall Attributes from the table of contents in the ASA Group Policies Dialog Box.
ASA Group Policies Hardware Client Attributes
Use the Hardware Client Attributes settings to configure the VPN 3002 Hardware Client settings for the ASA group policy in an Easy VPN or remote access IPSec VPN.
Hardware Client Attributes are not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Select Easy VPN/IPSec VPN > Hardware Client Attributes from the table of contents in the ASA Group Policies Dialog Box.
ASA Group Policies IPSec Settings
Use the IPsec settings to specify tunneling protocols, filters, connection settings, and servers for the ASA group policy for Easy VPN or remote access IPSec VPN. This creates security associations that govern authentication, encryption, encapsulation, and key management.
IPSec is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Select Easy VPN/IPSec VPN > IPsec from the table of contents in the ASA Group Policies Dialog Box.
- Whether the security appliance should prompt the user to enter a username and password during initial Phase 1 IKE negotiation and also prompt for user authentication whenever an IKE rekey occurs, providing additional security. Reauthentication fails if no user is at the other end of the connection.
- Whether to enable data compression, which speeds up transmission rates for remote dial-in users connecting with modems.
- Whether to enable the use of Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange. In IPsec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.
- Tunnel group lock restricts users by checking whether the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not specify a tunnel name, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.
- The access rules for clients. These rules control which types of clients are denied access, if any. You can have up to 25 rules, and combined they are limited to 255 characters. The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type or version is the rule that applies. If a lower priority rule contradicts a higher priority rule, the security appliance ignores it.
Add or Edit Client Access Rules Dialog Box
Use the Client Access Rules dialog box to create or edit the priority, action, VPN client type and VPN client version for a client access rule.
From ASA Group Policies IPSec Settings, click the Add Row button beneath the Client Access Rules table, or select a rule and click the Edit Row button.
ASA Group Policies SSL VPN Clientless Settings
Use the Clientless settings to configure the clientless mode of access to the corporate network in a remote access SSL VPN for the ASA group policy object.
When a user connects to the SSL VPN in clientless mode, the user logs into the SSL VPN portal page. From the portal page, the user can access all available HTTP sites, access web e-mail, and browse Common Internet File System (CIFS) file servers, depending on how you configure the portal.
Clientless is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Select SSL VPN > Clientless from the table of contents in the ASA Group Policies Dialog Box.
- The name of the SSL VPN bookmarks policy object that includes the website URLs to display on the portal page. These websites help users access desired resources. Enter the name of the object or click Select to select it from a list or to create a new object.
- Whether to allow the remote user to enter website URLs directly into the browser. If you do not select this option, the user can access only those URLs included on the portal.
- Whether to allow the remote user to browse for file shares on the CIFS file servers.
- Whether to allow the remote user to locate file shares on the CIFS file servers by entering the names of the file shares.
- Whether to make hidden CIFS shares visible, and thus accessible, to users.
- The type of access you want to allow to the external HTTP proxy server to which the security appliance forwards HTTP connections. You can enable access, disable access, or select Auto Start, which starts the proxy automatically upon user login.
- The name of the web type access control list policy object to use to restrict user access to the SSL VPN. Enter the name of the object or click Select to select it from a list or to create a new object. Beginning with version 4.10, you can enter IPv6 values for the web type ACL.
- Whether to enable ActiveX relay, which allows users to start ActiveX programs from the portal page. This allows users to start Microsoft Office applications from the web browser and upload and download Office documents.
- The name of the smart tunnel list policy object assigned to this group. Click Select to select it from a list or to create a new object. A smart tunnel is a connection between a Winsock 2, TCP-based application and a private site. The connection uses a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the security appliance as a proxy server. Thus, smart tunnels do not require users to have administrator privileges. For more information, see Configuring SSL VPN Smart Tunnels for ASA Devices.
- Whether to start smart tunnel access automatically upon user login. If you do not select this option, the user must start the tunnel manually through the Application Access tools on the portal page. Auto sign-on supports only applications that use HTTP and HTTPS through the Microsoft WININET library on a Microsoft Windows operating system. For example, Microsoft Internet Explorer uses the WININET dynamic link library to communicate with web servers.
- Choose from the following options to select the list of hosts or networks for which to use the smart tunnel. To enable the selection, you must first create the smart tunnel network list entries. For more information, see Add and Edit Smart Tunnel Network Lists Dialog Boxes. Note that this feature is supported on devices that are running ASA software version 8.3(1) and higher.
- The name of the smart tunnel auto sign-on list policy object assigned to this group. Click Select to select it from a list or to create a new object.
- The Windows domain to add to the username during auto sign-on, if the universal naming convention (domain\username) is required for authentication. For example, enter CISCO to specify CISCO\qa_team when authenticating for the username qa_team. You must also check the Use Domain option when configuring associated entries in the auto sign-on server list.
- The name of the port forwarding list policy object assigned to this group. Port forwarding lists contain the set of applications that users of clientless SSL VPN sessions can access over forwarded TCP ports. Enter the name of the object or click Select to select it from a list or to create a new object.
- Whether to start port forwarding automatically upon user login.
- The application name or short description to display on the Port Forwarding Java applet screen on the portal, up to 64 characters. This is the name of the applet that users will download to act as a TCP proxy on the client machine for the services configured on the SSL VPN gateway.
- The Citrix XenApp or XenDesktop servers that comprise the Virtual Desktop Infrastructure.
Add or Edit VDI Server Dialog Box
Use the VDI Server dialog box to create or edit a Citrix XenApp or XenDesktop Server entry.
In a Virtual Desktop Infrastructure (VDI) model, administrators publish enterprise applications or desktops pre-loaded with enterprise applications, and end users remotely access these applications. These virtualized resources appear just like any other resources, such as email, so that users do not need to go through a Citrix Access Gateway to access them. Users log onto the ASA using the Citrix Receiver mobile client, and the ASA connects to a pre-defined Citrix XenApp or XenDesktop Server. The administrator must configure the Citrix server’s address and logon credentials under Group Policy so that when users connect to their Citrix virtualized resource, they enter the ASA’s SSL VPN IP address and credentials instead of pointing to the Citrix Server’s address and credentials. When the ASA has verified the credentials, the Receiver client starts to retrieve entitled applications through the ASA.
- iPad—Citrix Receiver version 4.x or later
- iPhone/iTouch—Citrix Receiver version 4.x or later
- Android 2.x/3.x/4.0/4.1 phone—Citrix Receiver version 2.x or later
- Android 4.0 phone—Citrix Receiver version 2.x or later
From ASA Group Policies SSL VPN Clientless Settings, click the Add Row button beneath the VDI Servers List table, or select an entry and click the Edit Row button.
ASA Group Policies SSL VPN Full Client Settings
Use the Full Client settings to configure the full client mode of access to the corporate network in a remote access SSL VPN for the ASA group policy object.
Full client mode enables access to the corporate network completely over an SSL VPN tunnel. In full client access mode, the tunnel connection is determined by the group policy configuration. The full client software, SSL VPN Client (SVC) or AnyConnect, is downloaded to the remote client, so that a tunnel connection is established when the remote user logs in to the SSL VPN gateway.
Tip To enable full client access, you must configure the Remote Access VPN > SSL VPN > Other Settings policy on the device to identify AnyConnect image packages to install on the device. The images must be on the device so that users can download them. For more information, see Understanding SSL VPN AnyConnect Client Settings and Add and Edit File Object Dialog Boxes.
The following policies are supported for ASA 9.5(2) Remote Access VPN in Multi-context mode:
- Security Group Tag
- Periodic Certificate Verification
- Client Dead Peer Detection Timeout
- Gateway Dead Peer Detection Timeout
- Datagram Transport Layer Security Compression
- Keep AnyConnect Client on Client System
- Ignore Routing and Filter Rules
- AnyConnect Modules
- AnyConnect MTU
- AnyConnect Firewall-Client Public ACL
- AnyConnect Firewall-Client Private ACL
- Enable Datagram Transport Layer Security
Select SSL VPN > Full Client from the table of contents in the ASA Group Policies Dialog Box.
- The mode in which to operate the SSL VPN:
- Whether to leave the AnyConnect client installed on the client system after the client disconnects. If you do not leave the client installed, it must be downloaded each time the user connects to the gateway.
- Whether to exchange keepalive messages between peers to demonstrate that they are available to send and receive data in the tunnel. Keepalive messages transmit at set intervals, and any disruption in that interval results in the creation of a new tunnel using a backup device. If you select this option, enter the time interval (in seconds) that the remote client waits between sending IKE keepalive packets in the Interval field.
- Whether to enable data compression, and if so, the method of data compression to use: None, Deflate, or LZS. Data compression speeds up transmission rates for remote dial-in users connecting with modems.
- The time interval, in seconds, that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the remote user. DPD is used to send keepalive messages between peer devices only when no incoming traffic is received and outbound traffic needs to be sent.
- The time interval, in seconds, that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the gateway.
- The method by which the tunnel key is refreshed for the remote user group client. Enter the time interval (in minutes) between the tunnel refresh cycles in the Interval field.
- Whether to enable Datagram Transport Layer Security (DTLS) connections for the group. Enabling DTLS allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels, an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
- Whether to compress Datagram Transport Layer Security (DTLS) connections for the group, and if so, the method of data compression to use: None, Default, or LZS.
- Whether to ignore the DF bit in packets that need fragmentation. This option forces fragmentation of packets that have the DF bit set, allowing them to pass through the tunnel. An example use case is servers in your network that do not respond correctly to TCP MSS negotiations.
- The modules that the AnyConnect client needs to enable optional features. Click Select to select the applicable modules from the Add AnyConnect Module dialog box.

  Note If other options are listed, see the release notes for the Cisco AnyConnect VPN Client for an explanation of the feature.
- The maximum transmission unit (MTU) size for SSL VPN connections established by the Cisco AnyConnect VPN Client.
- Always-On VPN enables AnyConnect to automatically establish a VPN session after you log onto the system. Note that until you log off from the system, the VPN session remains open.
- The name of the AnyConnect profile to use for the group. You can enter multiple profile names, each separated by a comma. You must configure this name and relate it to a profile in the Remote Access VPN > SSL VPN > Other Settings policy.

  Note The AnyConnect Profile name is supported from Security Manager version 4.12 for ASA devices running version 9.6(2) in Multi-context mode. The supported CLIs are:
- Whether to ask the user to download the client. Enter the number of seconds the user has to make a selection in the Time User Has to Choose field. The default is 120 seconds. If you do not select this option, the user is immediately taken to the default location. The user is also taken to the default location after the time to choose expires.
- ASA Version 9.3(1)+ supports security group tagging of VPN sessions. A Security Group Tag (SGT) can be assigned to a VPN session using an external AAA server, or by configuration of the local user database. This tag can then be propagated through the Cisco TrustSec system over Layer 2 Ethernet. Security group tags are useful on group policies and for local users when the AAA server cannot provide an SGT. When the Default check box is selected, no Security Group Tag is assigned. To specify a Security Group Tag, clear the Default check box and then enter the numerical value of the SGT that will be assigned to VPN users connecting with this group policy in the Security Group Tag field. Valid values are from 2 to 65519.
- Whether to enable periodic validation and revocation checking of the client certificates in VPN sessions. If you select this option, enter the interval, in hours, from 1 to 168. This feature is supported only on devices running ASA software version 9.4(1) or higher.
- The name of the Extended or Unified access control list policy object to use to restrict user access to the SSL VPN. Public rules are applied to all interfaces on the client. Enter the name of the object or click Select to select it from a list or to create a new object. Unified ACLs are supported from ASA version 9.0. The default is Extended. If the device version is higher than ASA 9.0, all the AnyConnect values are discovered as Unified ACLs and deployed as such.
- The name of the Extended or Unified access control list policy object to use to restrict user access to the SSL VPN. Private rules are applied to the Virtual Adapter. Enter the name of the object or click Select to select it from a list or to create a new object. Unified ACLs are supported from ASA version 9.0. The default is Extended. If the device version is higher than ASA 9.0, all the AnyConnect values are discovered as Unified ACLs and deployed as such.
- The AnyConnect Custom Attribute table lists the custom attributes, names, and the corresponding values that are assigned to this group policy. AnyConnect custom attributes that are defined on the AnyConnect Custom Attribute tab of the SSL VPN Other Settings page are listed here (see Configuring AnyConnect Custom Attributes (ASA)). Beginning with version 4.7, Security Manager lets you add Custom Attribute Data to an existing Custom Attribute Type. You can add or remove the custom attributes for a group policy, and configure values for each attribute.

  For more details, see Add/Edit AnyConnect Custom Attribute Dialog Box.
ASA Group Policies SSL VPN Settings
Use the SSL VPN Settings to configure attributes that are required for clientless and port forwarding (thin client) access modes to work, including auto signon rules for user access to servers. Auto Signon configures the security appliance to automatically pass SSL VPN user login credentials (username and password) on to internal servers. You can configure multiple auto signon rules.
The Homepage URL policy is supported for the SSL tab in ASA 9.5(2) Remote Access VPN in Multi-context mode.
Select SSL VPN > Settings from the table of contents in the ASA Group Policies Dialog Box.
- The URL of the SSL VPN home page. The URL is free text. The page is displayed when users log into the VPN. If you do not enter a URL, no home page is displayed. Beginning with version 4.12, Security Manager supports an IPv6 address in the Home Page URL for ASA devices running software version 9.0 or later. The format for a Home Page URL with an IPv6 address is http://[IPv6 address]/appname. The Home Page URL must be prefixed with http:// or https://.
- The message to deliver to a remote user who successfully logs into the VPN but has no VPN privileges, and so can do nothing. The default message is: “Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.”
- The minimum size (in kilobytes) of an IKE keepalive packet that can be stored in the cache on the security appliance.
- The name of the single sign on (SSO) server policy object that identifies the server to use for this group, if any. An SSO server allows users to enter their username and password once and be able to access other servers in the network without logging into each of them. If you configure an SSO server, also configure the auto signon rules table. Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Add or Edit Single Sign On Server Dialog Boxes.
- Whether to allow an HTTP compressed object to be cached on the security appliance.
- If you configure a single sign on server, the auto signon rules table contains the rules that determine which internal servers are provided the user’s credentials. Thus, you can provide single sign on for some servers in your network but not others. Each rule is an allow rule, and indicates the IP address, subnet, or Universal Resource Identifier (URI) that identifies the server, and the type of authentication that will be sent to the server when the user tries to access it (either basic HTML, NTLM, FTP, or all of these). The rules are processed in order, top to bottom, and the first match is applied. Therefore, be sure to order the rules correctly using the up and down arrow buttons. If the user accesses a server that is not identified in one of these rules, the user must log into the server to gain access.
- The name of the SSL VPN customization policy object that defines the appearance of the portal web page. The portal page allows the remote user access to all the resources available on the SSL VPN network. If you do not specify an object, the default page appearance is used. Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Configuring ASA Portal Appearance Using SSL VPN Customization Objects.
- The location where personalized user information is stored between clientless SSL VPN sessions. If you do not specify a location, information is not stored between sessions. Stored information is encrypted. Enter a file system designation in the following format: protocol://username:password@host:port/path, where protocol is the protocol of the server, username and password are a valid user account on the server, and host is the name of the server. Also indicate the port number (if you do not use the default for the protocol) and the directory path of the location on the server to use. For example:
- The storage key used to protect data stored between sessions. Spaces are not supported.
- The maximum size allowed for a posted object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent posting.
- The maximum size allowed for an uploaded object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent uploading.
- The maximum size allowed for a downloaded object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent downloads.
Add or Edit Auto Signon Rules Dialog Box
Use the Add or Edit Auto Signon Rules dialog box to configure the Auto Signon rules that the security appliance uses to pass SSL VPN user login credentials on to an internal server.
Open the ASA Group Policies SSL VPN Settings, then click Create, or select an item in the table and click Edit.
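As an added example (not Security Manager or ASA code), the following Python models the first-match evaluation that the auto signon rules table above describes, and adds a check for rules that an earlier, broader rule shadows so that they can never be the first match. The rule values, the `AutoSignonRule`, `select_auth` and `shadowed_rules` names, and the assumption that a URI rule matches on scheme, host and path prefix are all constructed for illustration.

```python
"""Evaluate clientless SSL VPN auto signon rules the way the settings
table describes them: allow rules matched in order, first match wins,
and no match means the user must log in to the server directly.

Added example, not Security Manager or ASA code. The rule and request
values used in the docstrings and tests are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Authentication types the page lists for an auto signon rule.
AUTH_TYPES = {"basic", "ntlm", "ftp", "all"}


def _path_under(prefix: str, path: str) -> bool:
    # "/owa" covers "/owa" and "/owa/...", but not "/owasp".
    prefix = prefix.rstrip("/")
    return prefix == "" or path == prefix or path.startswith(prefix + "/")


@dataclass(frozen=True)
class AutoSignonRule:
    """One allow rule: the server is identified by an IP address, a
    subnet or a URI (one of the three), plus the auth type to send."""
    match: str       # "10.1.2.3", "10.1.0.0/16" or "https://mail.example.test/owa"
    auth_type: str   # one of AUTH_TYPES

    def __post_init__(self) -> None:
        if self.auth_type not in AUTH_TYPES:
            raise ValueError(f"unknown auth type {self.auth_type!r}")

    def is_uri(self) -> bool:
        return "://" in self.match

    def matches(self, server_ip: str, uri: str) -> bool:
        if self.is_uri():
            # Assumed URI semantics: same scheme and host, path prefix.
            want, got = urlsplit(self.match), urlsplit(uri)
            return (want.scheme == got.scheme
                    and want.netloc.lower() == got.netloc.lower()
                    and _path_under(want.path, got.path))
        # Address or subnet rule; a bare address becomes a /32 or /128.
        try:
            network = ipaddress.ip_network(self.match, strict=False)
            return ipaddress.ip_address(server_ip) in network
        except ValueError:
            return False


def select_auth(rules: List[AutoSignonRule], server_ip: str, uri: str) -> Optional[str]:
    """Return the auth type of the first matching rule, or None when no
    rule matches (the user then logs in to the server manually)."""
    for rule in rules:
        if rule.matches(server_ip, uri):
            return rule.auth_type
    return None


def _covers(earlier: AutoSignonRule, later: AutoSignonRule) -> bool:
    """True when everything `later` would match is already matched by
    `earlier`, so `later` can never be selected."""
    if earlier.is_uri() != later.is_uri():
        return False
    if earlier.is_uri():
        a, b = urlsplit(earlier.match), urlsplit(later.match)
        return (a.scheme == b.scheme
                and a.netloc.lower() == b.netloc.lower()
                and _path_under(a.path, b.path))
    try:
        na = ipaddress.ip_network(earlier.match, strict=False)
        nb = ipaddress.ip_network(later.match, strict=False)
    except ValueError:
        return False
    return na.version == nb.version and nb.subnet_of(na)


def shadowed_rules(rules: List[AutoSignonRule]) -> List[int]:
    """Indices of rules that an earlier rule fully covers; these are the
    ordering mistakes the up and down arrow buttons exist to fix."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(_covers(earlier, later) for earlier in rules[:i]):
            shadowed.append(i)
    return shadowed
```
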
ASA Group Policies Browser Proxy Settings
Use the Browser Proxy settings to configure the attributes for the browser.
Browser Proxy is supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Select Browser Proxy from the table of contents in the ASA Group Policies Dialog Box.
ASA Group Policies DNS/WINS Settings
Use the DNS/WINS settings to define the DNS and WINS servers and the domain name that should be pushed to clients associated with the ASA group policy. These settings apply to Easy VPN and remote access IPSec and SSL VPN configurations.
DNS/WINS is supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Select DNS/WINS from the table of contents in the ASA Group Policies Dialog Box.
ASA Group Policies Split Tunneling Settings
Use the Split Tunneling settings to configure a secure tunnel to the central site and simultaneous clear text tunnels to the Internet. These settings apply to Easy VPN and remote access IPSec and SSL VPN configurations.
Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split tunneling policy is applied to specific networks.
Split Tunneling is supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Tip For optimum security, we recommend that you not enable split tunneling.
Select Split Tunneling from the table of contents in the ASA Group Policies Dialog Box.
ASA Group Policies Connection Settings
Use the Connection Settings to configure the connection characteristics for the ASA group policy, including access control and session timeouts. These settings are used for Easy VPN and remote access IPsec or SSL VPN sessions.
Connection Settings is supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Select Connection Settings from the table of contents in the ASA Group Policies Dialog Box.
- The name of the extended access control list (ACL) policy object to use for filtering traffic on the VPN connection. The ACL determines which traffic is permitted or denied. Enter the name of the object or click Select to select it from a list or to create a new object. Beginning with version 4.10 and ASA version 9.0, you can select from a list of Standard, Extended, or Unified ACL objects.
- The banner, or welcome text, to display on remote clients when they connect to the VPN.
- The names of one or more IPv4 address pools to use for this group policy. Enter the names of the IPv4 address pool objects separated by commas, or click Select to select the objects from a list or to create new objects.
- The names of one or more IPv6 address pools to use for this group policy. Enter the names of the IPv6 address pool objects separated by commas, or click Select to select the objects from a list or to create new objects. Beginning with version 4.12, Security Manager supports IPv6 address pools for ASA devices running 9.0 or later.
- The name of a time range policy object that specifies the times that users are allowed to access the VPN. If you do not specify a time range, users can access the VPN at all times. Specify a time range if you want to limit access to the network to certain hours, such as the typical work days and work hours for your organization. Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Configuring Time Range Objects.
- The number of simultaneous logins a single user is allowed. Values are 0-2147483647. The default is 3. Specify 0 to disable logins and prevent user access.
- The maximum amount of time a user is allowed to be connected to the VPN. Select one of the following:
- The amount of time a user is allowed to be connected to the VPN while the connection is idle, that is, there is no communication activity. Select one of the following:
- The VLAN ID value can be between 1 and 4094 and must correspond to a VLAN interface on the ASA. The VLAN mapping feature on the ASA allows traffic from VPN connections to be directed to a specified VLAN interface. Beginning with Security Manager version 4.10 and ASA version 9.5(1), you can assign IPv6 addresses to remote users.
Add or Edit Secure Desktop Configuration Dialog Box
Use the Add or Edit Cisco Secure Desktop Configuration dialog box to create, copy, and edit Cisco Secure Desktop Configuration objects for IOS routers. You can configure the settings required for Windows clients that connect from different location types, enable or restrict web browsing and file access for Windows CE clients, and configure the cache cleaner for Macintosh and Linux clients.
Cisco Secure Desktop (CSD) secures network endpoints by providing a single, secure location on the client system for session activity and its removal, which reliably eliminates all traces of sensitive data.
This policy object uses the Secure Desktop Manager application to configure the settings. For an example of configuring settings, see Cisco Secure Desktop on IOS Configuration Example Using SDM at http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa7b.shtml. The first part of the configuration example explains setting up SDM, which you can ignore. Instead, look for the sections that describe setting up Windows locations midway through the example. The screen shots will help you identify when you are looking at CSD configuration.
Select Manage > Policy Objects, then select Cisco Secure Desktop (Router) from the Object Type Selector. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
- The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects.
- An optional description of the object (up to 1024 characters).
- The names of the locations that you want to configure for Windows clients connecting from specific locations, such as Work, Home, or Insecure. When you create a location, an item for the location is added to the table of contents, where you can select the settings folders related to the location and configure its properties. The settings include a definition of how to determine if a client is connecting from that particular location. For each location you want to configure, enter its name in the Location to Add field and click Add to move it to the Locations list. You can reorder the locations using the Move Up/Move Down buttons. CSD checks locations in the order listed in this dialog box, and grants privileges to client PCs based on the first location definition they match. You can create a default location, such as Insecure, as the final location and configure the strictest security for it. For more information, see Creating Cisco Secure Desktop Configuration Objects.
- Whether to close all the open browser windows after installing the Secure Desktop application.
- Select the check boxes to enable these features if installation or location matching fails:
- The Windows CE options enable you to configure a VPN feature policy to enable or restrict web browsing and remote server file access for remote clients running Microsoft Windows CE. You cannot configure locations for these clients.
- Whether to set a global timeout after which CSD launches the cache cleaner. Select a timeout (the default is 30 minutes), and select whether to allow the user to reset the timeout value.
- Whether to start the cache cleaner when the user closes all web browser windows.
- Whether to allow the remote user to cancel the cleaning of the cache.
- The number of passes for CSD to perform a secure cleanup. The default is 1 pass. CSD encrypts and writes the cache to the remote client’s disk. Upon termination of the Secure Desktop, CSD converts all bits occupied by the cache to all 0’s, then to all 1’s, and then to randomized 0’s and 1’s.
- Whether to allow web browsing (but not other remote access features) if the cache cleaner installation fails.
- Whether to allow web browsing, remote server file access, and port forwarding for Macintosh and Linux clients. Port forwarding permits the use of the Secure Desktop to connect a client application installed on the local PC to the TCP/IP port of a peer application on a remote server.
- The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
Add and Edit File Object Dialog Boxes
Use the Add and Edit File Object dialog boxes to create, copy, and edit file objects. File objects represent files that are used in device configurations, typically for remote access VPN policies and policy objects. Such files include Anyconnect client profile and image files, image (graphic) files, plug-in jar files, and Cisco Secure Desktop package files.
When you create a file object, Security Manager makes a copy of the file in its storage system. These files are backed up whenever you create a backup of the Security Manager database, and they are restored if you restore the database. When you deploy configurations that specify a file object, the associated file is downloaded to the device into the appropriate directory.
After you create a file object, you typically should not edit it. If you need to replace the file, edit the file object to select the new file, or create a new file object. If the file is editable, you can edit the file object to identify the file’s location in the file repository, and use the desired editor to open and edit the file outside of Security Manager. The file repository is the CSCOpx\MDC\FileRepository folder in the installation directory (typically, C:\Program Files). The files are organized in subfolders named for the file type.
For all file types except Image files, you can add a file from the Security Manager server or from the local Security Manager client by selecting the appropriate tab on the Choose a file dialog box. You cannot select files from a network server. You can control the ability to add files from the Security Manager client from Tools > Security Manager Administration > Customize Desktop. For more information, see Customize Desktop Page.
Tip If you are copying a file to the Security Manager server so that it can be used in a file object, do not copy the file directly to the file repository.
When you delete a file object, the associated file is not deleted from the file repository.
Select Manage > Policy Objects, then select File Objects from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
- Understanding and Managing SSL VPN Support Files
- Configuring SSL VPN AnyConnect Client Settings (ASA)
- Configuring SSL VPN Browser Plug-ins (ASA)
- Configuring Cisco Secure Desktop Policies on ASA Devices
- SSL VPN Customization Dialog Box—Informational Panel
- SSL VPN Customization Dialog Box—Title Panel
- The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects. If you do not enter a name, the name of the file is used for the object name.
- The type of file. If you create the object while configuring a policy, the correct file type is pre-selected. Options are:
- The name and full path of the file. Click Browse to select the file. The following file types are managed using Image Manager. For more information, see Image Manager Supported Image Types. For AnyConnect Profile and Image files, you can add a file from the Security Manager server. You cannot select files from a network server. For file objects that you are editing, the path indicates the location in the Security Manager file repository.
- The file name to use when the file is downloaded to the device during policy deployment. The default is to use the same file name as the original file. If the object was created by discovering policies from the device, this field uses the original name of the file as it existed on the device. This might not be the same name as it exists on the Security Manager server if the original name duplicated existing file names on the server.
- The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
File Object — Choose a file Dialog Box
Use the File Object — Choose a file dialog box to select the file to use for the file object you are adding or editing. The available files are managed using Image Manager. For more information, see Image Manager Supported Image Types.
Select Manage > Policy Objects, then select File Objects from the Object Type Selector. Add or Edit a file object and from the Add or Edit File Object dialog box, click Browse to open the File Object — Choose a file dialog box.
- Understanding and Managing SSL VPN Support Files
- Add and Edit File Object Dialog Boxes
- Configuring SSL VPN AnyConnect Client Settings (ASA)
- Configuring SSL VPN Browser Plug-ins (ASA)
- Configuring Cisco Secure Desktop Policies on ASA Devices
- SSL VPN Customization Dialog Box—Informational Panel
- SSL VPN Customization Dialog Box—Title Panel
- Lists the available files you can use for defining your file object. The available files are managed using Image Manager. For more information, see Image Manager Supported Image Types.
- Filters the list of files. Options are: Note: You can view either all file objects or only the objects filtered by the type of file object you are adding or editing.
Add or Edit Port Forwarding List Dialog Boxes
Use the Port Forwarding List dialog box to create, copy and edit port forwarding list policy objects. You can create port forwarding list objects to use when you are configuring the thin client access mode for SSL VPN.
Port forwarding allows users to access applications (such as Telnet, e-mail, VNC, SSH, and Terminal services) inside the enterprise through an SSL VPN session. When port forwarding is enabled, the hosts file on the SSL VPN client is modified to map the application to the port number configured in the forwarding list. A port forwarding list object defines the mappings of port numbers on the remote client to the application’s IP address and port behind the SSL VPN gateway.
Select Manage > Policy Objects, then select Port Forwarding List from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
- SSL VPN Access Modes
- ASA Group Policies SSL VPN Clientless Settings
- User Group Dialog Box—Thin Client Settings
- Create Group Policy Wizard—Clientless and Thin Client Access Modes Page
- Policy Object Manager
- The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects.
- The port forwarding entries that are defined in the object. The entries show the mapping of the local port to the remote server and port.
- The names of other port forwarding list objects to include in the object. Enter the name of the object or click Select to select it from a list or to create a new object. Separate multiple entries with commas. When you add other port forwarding lists, the entries from those lists are treated as if they were directly entered into this object, and the names of the included objects are not reflected in the device configuration commands during deployment.
- The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
- Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices. If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit A Port Forwarding Entry Dialog Box
Use the Add or Edit A Port Forwarding Entry dialog boxes to create a new port forwarding list entry or edit an existing one.
Go to the Add or Edit Port Forwarding List Dialog Boxes and click the Add Row button or select an entry and click the Edit Row button beneath the Port Forwarding List table.
Add or Edit Single Sign On Server Dialog Boxes
Use the Add or Edit Single Sign On Server dialog box to create, copy, and edit single sign on (SSO) server objects for use with SSL VPNs (as configured in ASA group policy objects). For information on how to configure SSO servers in an ASA group policy, see ASA Group Policies SSL VPN Settings.
Single sign-on lets users access different secure services on different servers without entering a username and password more than once. In the authentication, the security appliance acts as a proxy for the SSL VPN user to the SSO server. You can configure this object to identify either a Computer Associates SiteMinder SSO server or a Security Assertion Markup Language (SAML) Browser Post Profile version 1.1 server.
The SSO mechanism starts as part of the AAA process or just after successful user authentication to an AAA server. The SSL VPN server running on the security appliance acts as a proxy for the user to the authenticating server. When a user logs in, the SSL VPN server sends an SSO authentication request, including username and password, to the authenticating server. If the server approves the authentication request, it returns an SSO authentication cookie to the SSL VPN server. The security appliance keeps this cookie on behalf of the user and uses it to authenticate the user to secure web sites within the domain protected by the SSO server.
If you want to configure SSO for an SSL VPN group, you must also configure a AAA server, such as a RADIUS or LDAP server.
Note The SAML Browser Artifact profile method of exchanging assertions is not supported.
Select Single Sign On Servers in the Policy Object Manager. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
You can also create the object when configuring an ASA user group object for SSL VPN (see ASA Group Policies SSL VPN Settings).
- The object name, which must be 4 to 31 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects.
- The type of SSO server to use with clientless SSL VPN connections. The other attributes on the page change based on your selection.
- The URL of the SiteMinder SSO server to which the security appliance makes authentication requests. Select whether to use HTTP or HTTPS and enter the URL.
- The key used to encrypt authentication communications with the SiteMinder server, if any. The key can contain any alphanumeric characters. There is no minimum or maximum number of characters. Enter the same key in both fields.
- The URL for the SAML-type SSO assertion consumer service. Select whether to use HTTP or HTTPS and enter the URL, which must be fewer than 255 characters.
- The name of the security device that is sending assertions to a SAML-type SSO server. This is usually the name of the security appliance, for example, asa.example.com. The name must be fewer than 65 characters.
- The name of the PKI enrollment policy object that identifies the certificate authority (CA) server that acts as the trustpoint that contains the certificate to use to sign the SAML-type browser assertion. Enter the name or click Select to select it from a list or to create a new object.
- The number of times the security appliance retries a failed SSO authentication attempt before the authentication times out. The range is 1 to 5 retries, and the default is 3 retries.
- The number of seconds before a failed SSO authentication attempt times out. The range is 1 to 30 seconds, and the default is 5 seconds.
- The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
- Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices. If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit Bookmarks Dialog Boxes
Use the Add or Edit Bookmarks dialog boxes to configure browser-based clientless SSL VPN bookmarks (URL lists) for an SSL VPN Bookmark object. From this dialog box, you can change the order of the bookmark entries within the table, create, copy, edit, and delete SSL VPN Bookmark objects.
An SSL VPN Bookmark object defines the URLs that are displayed on the portal page after a successful login.
Select Manage > Policy Objects, then select SSL VPN Bookmarks from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
- Configuring SSL VPN Bookmark Lists for ASA and IOS Devices
- Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks
- Localizing SSL VPN Web Pages for ASA Devices
- The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects.
- The heading that is displayed above the URLs listed on the portal page of an SSL VPN hosted on an IOS device.
- The list of bookmark entries for the object.
- The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
- Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices. If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit Bookmark Entry Dialog Boxes
Use the Add or Edit Bookmark Entry dialog boxes to create or edit a bookmark to be included in an SSL VPN Bookmark object.
You can use non-English, non-ASCII languages for the text to display for bookmarks if you are configuring the object for use on an ASA device. For more information about how you can configure the SSL VPN portal in local languages, see Localizing SSL VPN Web Pages for ASA Devices.
In the Policy Object Manager, from the Add or Edit Bookmarks Dialog Boxes, right-click inside the Bookmarks table, then select Add Row or right-click a row, then select Edit Row.
- Configuring SSL VPN Bookmark Lists for ASA and IOS Devices
- Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks
- Select whether you want to define a new SSL VPN Bookmark entry or use the entries from an existing object:
- If you selected Predefined Application Templates as the Bookmark Option, select the auto sign-on application whose template you want to use. After selecting an auto sign-on application, the Advanced Form and URL Settings are populated based on the selected application.
- The Universal Resource Locator address for the bookmark. Select the protocol for the bookmark and enter the rest of the URL in the edit box.
- These settings are applicable only to SSL VPN portals hosted on ASA devices running software version 8.x or later. Do not configure these settings for SSL VPN Bookmark objects that you will use on other devices.
- An additional user-visible title that describes the bookmark entry.
- The File object that represents an icon you want to associate with the bookmark on the Portal. Enter the name of the File object or click Select to select it from a list or to create a new object.
- Whether to display the thumbnail only on the Portal page. If you deselect this option, the thumbnail is also displayed on the Logon page.
- Whether to display the bookmark entry on the portal home page. Deselect the check box if you want the bookmark entry to appear on the application page only.
- Advanced Form and URL Settings: These settings are applicable only to SSL VPN portals hosted on ASA devices running software version 8.x or later. Do not configure these settings for SSL VPN Bookmark objects that you will use on other devices.
- Select the required URL method from the list:
- Whether to open the bookmark in a new window that uses the smart tunnel functionality to pass data to and from the security appliance.
- Optionally, configure the following Preload options:
  - Preload URL: The URL of a page to load before the bookmark link is loaded.
  - Wait Time: The time to allow for loading of the page before you are forwarded to the actual POST URL.
- When Auto Sign-on Form is selected as the URL Method, configure the following options. Note: Wildcards can be used in the URLs you enter for the following fields. For example, you can enter http*://www.example.com/myurl*.
  - Login Page URL: The URL of the login page for which to auto sign-on.
  - Landing Page URL: The URL of the page that is loaded after a successful login. The ASA requires the Landing Page to be configured to detect a successful login to the application.
  - Pre-Login Page URL: The URL of the page which is loaded before the login page. This page will require user interaction to proceed to the login screen.
  - Control ID: The ID of the control/tag that will get a click event on the pre-login page URL to proceed to the login page.
- The list of the names and values of the Post parameters for the bookmark entry.
- An optional field for entering JavaScript required by some applications. Some Web applications, such as Microsoft Outlook Web Access, may execute a JavaScript to change the request parameters before the log-on form is submitted.
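As an added example (not Security Manager or ASA code), the following Python shows how the wildcard form used for the Auto Sign-on Form URLs above (such as http*://www.example.com/myurl*) can be matched, how the Landing Page URL is what lets a successful login be detected, and a check that flags patterns whose host part is a wildcard, since such a pattern would let the form's credentials be submitted to any host. The `AutoSignonForm`, `wildcard_to_regex` and `pins_host` names and the URLs in the tests are constructed for illustration.

```python
"""Wildcard URL matching for the Auto Sign-on Form bookmark fields
(Login Page URL, Landing Page URL, Pre-Login Page URL) and the
success check the page describes: a login counts as successful only
when the Landing Page is reached afterwards.

Added example, not Security Manager or ASA code; patterns and URLs are
constructed."""
import re
from typing import Iterable, Optional, Pattern


def wildcard_to_regex(pattern: str) -> Pattern[str]:
    """Turn a pattern such as http*://www.example.com/myurl* into an
    anchored, case-insensitive regex. Only '*' is special (it matches
    any run of characters); everything else is matched literally."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def pins_host(pattern: str) -> bool:
    """False when the authority part of the pattern (between '://' and
    the next '/') contains a wildcard or is missing, i.e. the pattern
    would match a page on any host rather than the intended server."""
    m = re.match(r"^[^:/]*://([^/]*)", pattern)
    return bool(m) and "*" not in m.group(1)


class AutoSignonForm:
    """The URL fields of one Auto Sign-on Form bookmark entry."""

    def __init__(self, login_url: str, landing_url: str,
                 pre_login_url: Optional[str] = None) -> None:
        self.patterns = {
            "login": wildcard_to_regex(login_url),
            "landing": wildcard_to_regex(landing_url),
        }
        if pre_login_url:
            self.patterns["pre_login"] = wildcard_to_regex(pre_login_url)

    def classify(self, url: str) -> Optional[str]:
        """Name of the configured page a URL corresponds to, or None."""
        for name, regex in self.patterns.items():
            if regex.match(url):
                return name
        return None

    def login_succeeded(self, visited: Iterable[str]) -> bool:
        """True only if the login page was seen and the landing page was
        reached afterwards; without a Landing Page match the appliance
        has no way to tell that the sign-on worked."""
        seen_login = False
        for url in visited:
            kind = self.classify(url)
            if kind == "login":
                seen_login = True
            elif kind == "landing" and seen_login:
                return True
        return False
```
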
Add and Edit Post Parameter Dialog Boxes
Use the Add and Edit Post Parameter dialog boxes to create a new Post parameter entry or edit an existing one in the table. For a detailed discussion of Post parameters, see Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks.
In the Policy Object Manager, from the Add or Edit Bookmark Entry Dialog Boxes, right-click inside the Post Parameters table, then select Add Row or right-click a row, then select Edit Row.
- Configuring SSL VPN Bookmark Lists for ASA and IOS Devices
- Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks
Add and Edit SSL VPN Customization Dialog Boxes
Use the Add and Edit SSL VPN Customization dialog boxes to create, copy, and edit SSL VPN Customization objects. An SSL VPN Customization policy object describes how to customize web pages for a browser-based clientless SSL VPN hosted on an ASA 8.x device. For more information, see Configuring ASA Portal Appearance Using SSL VPN Customization Objects.
You can use non-English, non-ASCII languages for the text to display on these pages. For more information about how you can configure the SSL VPN portal in local languages, see Localizing SSL VPN Web Pages for ASA Devices.
Select Manage > Policy Objects, then select SSL VPN Customization from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
- Configuring ASA Portal Appearance Using SSL VPN Customization Objects
- Localizing SSL VPN Web Pages for ASA Devices
- Creating Your Own SSL VPN Logon Page for ASA Devices
- The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects.
- The body of the dialog box is a pane with a table of contents on the left and settings related to the item selected in the table of contents on the right. Before configuring settings, click the Preview button to see the default settings to help you determine what, if anything, you want to change. The top folders in the table of contents represent the SSL VPN web pages that you can customize, and are explained next.
- The Logon web page is the one users see first when connecting to the SSL VPN portal. It is used for logging into the VPN. Select the following items in the Logon Page folder in the table of contents to view and change the settings:
- The Portal web page is the one users see after logging into the SSL VPN; it is the home page. Select the following items in the Portal Page folder in the table of contents to view and change the settings:
- The Logout web page is the one users see after logging out of the SSL VPN. For more information about the settings, see SSL VPN Customization Dialog Box—Logout Page.
- The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
- Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices. If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
SSL VPN Customization Dialog Box—Title Panel
Use the Title Panel page of the SSL VPN Customization dialog box to determine whether the Logon page or Portal page will have a title displayed in the web page itself. If you enable the title panel, you can specify the title, font, font size and weight, styles, and colors used. You can also select a File object that identifies a logo graphic.
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Title Panel in the table of contents to configure the title of the Logon page, or Portal Page > Title Panel to configure the title of the Portal page.
- Configuring ASA Portal Appearance Using SSL VPN Customization Objects
- Localizing SSL VPN Web Pages for ASA Devices
- Whether to display a title panel within the web page. The default is to not display a title. If you select this option, you can configure the title using the other fields on this page.
- Whether to have the background color change in a gradual progression.
- The characteristics of the font used for the title text. You can select a weight, font size, and color. Click Select to choose a font color.
- The color of the background of the title panel. Click Select to choose a color.
- Cascading Style Sheet (CSS) parameters that define the style characteristics of the title panel. You can include a maximum of 256 characters.
- The File policy object that identifies the logo image you want to include in the title panel, if any. Enter the name of the File object or click Select to select it from a list or to create a new object. For more information about File objects, see Add and Edit File Object Dialog Boxes.
SSL VPN Customization Dialog Box—Language
Use the Language page of the SSL VPN Customization dialog box to identify the languages you will support on the browser-based clientless SSL VPN portal. If you want to configure translation tables for other languages on the ASA device and use them, you can configure the supported languages and allow users to choose their language. Before you configure these settings, read Localizing SSL VPN Web Pages for ASA Devices.
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Language in the table of contents.
- Localizing SSL VPN Web Pages for ASA Devices
- Add and Edit SSL VPN Customization Dialog Boxes
- Configuring ASA Portal Appearance Using SSL VPN Customization Objects
- This table lists the languages you will support on the web pages for automatic browser language selection. Automatic browser language selection allows the ASA device to negotiate with the user’s web browser to determine the language in which to present the web pages. You must configure a translation table on the ASA device for any language you list here. For more detailed information about automatic browser language selection, see Localizing SSL VPN Web Pages for ASA Devices. Languages are listed by their abbreviation in the table. The languages are evaluated top to bottom until a match is found. The language that is indicated as the default language (indicated as True in the table) is used if the device is unable to negotiate a different language with the browser. If you do not specify a default, English is the default.
- Whether to display the Language Selector on the Logon page. The Language Selector allows users to select their preferred language. The Language Selector is complementary to the automatic browser language selection capability.
- The list of languages included in the Language Selector drop-down list. You must configure a translation table on the ASA device for any language you list here. For more detailed information, see Localizing SSL VPN Web Pages for ASA Devices. The table lists the languages by abbreviation and title, or the common name of the language. The title is the text displayed in the drop-down list. You can change the language title but not the abbreviation.
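The negotiation rule described above (configured languages evaluated top to bottom, the configured default used when nothing matches, English when no default is set) is easy to get backwards, because the browser's own preference order does not decide; the table order does. The following is an added example, not Security Manager or ASA code, that models that rule against a browser's Accept-Language header. The ConfiguredLanguage class, the matching of a bare abbreviation such as "fr" to a regional tag such as "fr-CA", and all sample headers are assumptions made for the illustration.

```python
"""
Added example (not Security Manager or ASA code): pick the portal language the
way the text describes.  The configured table is walked top to bottom; the first
entry the browser's Accept-Language header also lists wins.  Otherwise the entry
flagged as default is used, and if no default is set, English ("en").
ConfiguredLanguage and every sample header here are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class ConfiguredLanguage:
    abbreviation: str    # language abbreviation as listed in the table, e.g. "fr"
    default: bool = False  # the row shown as "True" in the Default column


def parse_accept_language(header: str) -> list:
    """Return the browser's language tags ordered by descending q-value.
    Tags are lower-cased; region subtags are kept ("fr-ca")."""
    prefs = []
    for position, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        if q > 0:  # q=0 means "not acceptable"
            prefs.append((q, position, tag.strip().lower()))
    # highest q first; original header order breaks ties
    prefs.sort(key=lambda item: (-item[0], item[1]))
    return [item[2] for item in prefs]


def negotiate_language(configured, accept_language: str) -> str:
    """Walk the configured table top to bottom and return the first abbreviation
    the browser also accepts.  A configured "fr" matches a browser "fr" or
    "fr-ca" (assumption: primary-language match); a configured "fr-ca" matches
    only "fr-ca".  Fall back to the configured default, then to "en"."""
    browser_tags = parse_accept_language(accept_language or "")
    for lang in configured:
        abbr = lang.abbreviation.lower()
        if any(tag == abbr or tag.split("-")[0] == abbr for tag in browser_tags):
            return lang.abbreviation
    for lang in configured:
        if lang.default:
            return lang.abbreviation
    return "en"


if __name__ == "__main__":
    table = [ConfiguredLanguage("fr"), ConfiguredLanguage("de", default=True),
             ConfiguredLanguage("ja")]
    # Browser prefers Japanese, but "fr" sits higher in the configured table.
    print(negotiate_language(table, "ja;q=0.9, fr-CA;q=0.8"))   # fr
    print(negotiate_language(table, "es, it"))                   # de (default)
    print(negotiate_language([ConfiguredLanguage("fr")], "es"))  # en
```

Note that the first call returns "fr" even though the browser ranks Japanese higher: once a translation table exists for a language, its row position decides, so order the table with the languages you most want served at the top.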
Add and Edit Language Dialog Boxes
Use the Add and Edit Language dialog boxes to add or edit an entry for a language you will support for automatic browser language selection or in the Language Selector drop-down list.
From the SSL VPN Customization Dialog Box—Language page, click the Add Row button for either the Automatic Browser Language Selection table or the Language Selector table, or select a row and click the Edit Row button.
- Localizing SSL VPN Web Pages for ASA Devices
- Configuring ASA Portal Appearance Using SSL VPN Customization Objects
SSL VPN Customization Dialog Box—Logon Form
Use the Logon Form settings of the SSL VPN Customization dialog box to customize the title of the login box, login prompts of the SSL VPN page (including username, password, and group prompts), login buttons, and style elements of the login box that appears to browser-based clientless SSL VPN users when they initially connect to the security appliance.
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Logon Form in the table of contents.
SSL VPN Customization Dialog Box—Informational Panel
Use the Informational Panel page of the SSL VPN Customization dialog box to customize the appearance of the Informational panel in the Logon page. The Informational panel is an area where you can provide extra information to the user, and is optional.
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Informational Panel in the table of contents.
- Add and Edit SSL VPN Customization Dialog Boxes
- Configuring ASA Portal Appearance Using SSL VPN Customization Objects
- Whether to display the Informational panel. The default is to not display the panel. If you select this option, you can configure the panel using the other fields on this page.
- The location of the Informational panel, either to the left of the Logon box or to the right of it.
- The text that appears in the Informational panel. You can enter a maximum of 256 characters.
- The File policy object that identifies the logo image you want to include in the Informational panel, if any. Enter the name of the File object or click Select to select it from a list or to create a new object. For more information about File objects, see Add and Edit File Object Dialog Boxes.
- The position of the logo image in the panel, either above the text or below it.
SSL VPN Customization Dialog Box—Copyright Panel
Use the Copyright Panel page of the SSL VPN Customization dialog box to customize the appearance of the Copyright panel in the Logon page. The Copyright panel provides your copyright information, appears at the bottom of the page, and is optional.
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Copyright Panel in the table of contents.
- Add and Edit SSL VPN Customization Dialog Boxes
- Configuring ASA Portal Appearance Using SSL VPN Customization Objects
SSL VPN Customization Dialog Box—Full Customization
Use the Full Customization page of the SSL VPN Customization dialog box to identify your own custom Logon page. The custom page replaces the Logon page settings available on the dialog box. For information on creating a custom Logon page, see Creating Your Own SSL VPN Logon Page for ASA Devices.
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logon Page > Full Customization in the table of contents.
- Whether you want to use your own custom Logon page. If you enable full customization, all of the other Logon page configuration settings are ignored.
- The custom Logon page. You must copy the file to the Security Manager server before specifying it here. Click Browse to select the file. For information on selecting files, see Selecting or Specifying a File or Directory in Security Manager.
SSL VPN Customization Dialog Box—Toolbar
Use the Toolbar page of the SSL VPN Customization dialog box to customize the appearance of the toolbar in the Portal page. The toolbar appears above the main body of the Portal page and includes a field to allow users to enter URLs to browse. The toolbar is optional.
From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Toolbar in the table of contents.
SSL VPN Customization Dialog Box—Applications
Use the Applications page of the SSL VPN Customization dialog box to customize the application links that appear in the Portal page. This page lists all the application links that you can display in the navigational panel on the left side of the SSL VPN portal page.
From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Applications in the table of contents.
SSL VPN Customization Dialog Box—Custom Panes
Use the Custom Panes page of the SSL VPN Customization dialog box to customize the appearance of the main body of the Portal page. By creating custom panes and specifying a column layout, you can create a grid of information that can help you present portal information effectively to your end users.
From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Custom Panes in the table of contents.
- The list of columns that the main body of the Portal page should be divided into. You define the column based on a percentage of the width of the page. The percentages should add up to 100. If they do not add up to 100, the device will adjust the column widths. Create the columns as you want them to appear, left to right, on the Portal page.
- The custom panes that should appear in the main body of the Portal page. The table shows whether a pane is enabled to appear, the type of pane, its characteristics, and the column and row in which it will appear on the page. The panes can display plain text or include a URL for HTML, image, or RSS links. For more detailed information about the settings, see Add or Edit Custom Pane Dialog Boxes.
Add and Edit Column Dialog Boxes
Use the Add or Edit Column dialog box to create or edit columns in the main body of the Portal page for browser-based clientless SSL VPNs. Enter the desired width of the column as a percentage of the total area in the Percentage field.
From the SSL VPN Customization Dialog Box—Custom Panes page, click the Add Row button in the Column table, or select a column and click the Edit Row button.
Add or Edit Custom Pane Dialog Boxes
Use the Add or Edit Custom Pane dialog box to create or edit a pane to display in the main body of the Portal page of a browser-based clientless SSL VPN.
From the SSL VPN Customization Dialog Box—Custom Panes page, click the Add Row button in the Custom Pane table, or select a pane and click the Edit Row button.
SSL VPN Customization Dialog Box—Home Page
Use the Home Page page in the SSL VPN Customization dialog box to customize the appearance of the URL and file lists on the Portal page and the content of the main body of the Portal page. URL lists are considered to be default elements on the portal home page unless they are explicitly disabled.
From the Add and Edit SSL VPN Customization Dialog Boxes, select Portal Page > Home Page in the table of contents.
SSL VPN Customization Dialog Box—Logout Page
Use the Logout Page page of the SSL VPN Customization dialog box to customize the appearance of the Logout page for browser-based clientless SSL VPNs. The Logout page appears after the user logs out of the VPN.
From the Add and Edit SSL VPN Customization Dialog Boxes, select Logout Page in the table of contents.
Add or Edit SSL VPN Gateway Dialog Box
Use the Add or Edit SSL VPN Gateway dialog box to create, copy and edit SSL VPN gateway objects. You use these objects when you are configuring an SSL VPN connection on an IOS device. For more information, see SSL VPN Configuration Wizard—Gateway and Context Page (IOS).
An SSL VPN gateway acts as a proxy for connections to protected resources that are accessed through an SSL-encrypted connection between the gateway and a web-enabled browser on a remote device. You can configure only one gateway per SSL VPN.
Select Manage > Policy Objects, then select SSL VPN Gateway from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
- The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects.
- An optional description of the object (up to 1024 characters).
- The IP address for the gateway, which is the address to which remote users connect:
- The number of the port that will carry the HTTPS traffic. You can also enter the name of a port list object that specifies the single port number, or click Select to select the object from a list. The default is the HTTPS object, which specifies port 443. If you do not use port 443, you can enter another port number between 1025 and 65535.
- The digital certificate required to establish the secure connection. A self-signed certificate is generated when an SSL VPN gateway is activated.
- Whether to restrict the encryption algorithms used for the connection, or to specify a different order of use. The default is to make all algorithms available in this order of preference: 3DES and SHA1, AES and SHA1, RC4 and MD5. Select the priority order for the algorithms. Select None to eliminate one or two algorithms.
- Whether to have the gateway redirect HTTP traffic over secure HTTP (HTTPS). Traffic that comes to this port is redirected to the port you specify in the Port field. Enter the port number for HTTP traffic in the HTTP Port field. You can enter a number or the name of a port list object, or click Select to select an object from a list or to create a new object. The HTTP port is normally 80. However, you can enter any other number that is used in your network between 1025 and 65535.
- The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
- Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices. If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add and Edit Smart Tunnel List Dialog Boxes
Use the Add and Edit Smart Tunnel Lists dialog boxes to create, copy, and edit SSL VPN smart tunnel objects.
An SSL VPN smart tunnel list object lists the applications that are eligible for smart tunnel access to a private site. You can configure the clientless settings of an ASA group policy with a smart tunnel list to allow users to access the specified applications through the SSL VPN portal. For an explanation of the types of applications that support smart tunnel access, see Configuring SSL VPN Smart Tunnels for ASA Devices.
You can include other SSL VPN smart tunnel list objects in an object. Thus, you can create a smaller set of objects that identify your basic list of applications, then create other objects that create the required combination of applications. For example, you might want all three of your ASA group policies to allow smart tunnel access to applications A and B, but the remaining applications are unique for each group. By creating a single object that specifies A and B, you can include that object in each of the SSL VPN smart tunnel list objects for the group policies, and these objects need only specify their unique applications in the applications table.
Select Manage > Policy Objects, then select SSL VPN Smart Tunnel Lists from the Object Type selector. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
- ASA Group Policies SSL VPN Clientless Settings
- Configuring SSL VPN Smart Tunnels for ASA Devices
- Policy Object Manager
- The object name, which can be up to 64 characters. Spaces are not allowed. Object names are not case-sensitive. For more information, see Creating Policy Objects.
- The applications to which users will be allowed smart tunnel access through the SSL VPN, including the name of the application and its location on client workstations.
- The other SSL VPN smart tunnel list objects that you want to include in this object, if any. Enter the names of the objects or click Select to select them from a list or to create new objects. Separate multiple entries with commas.
- The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
- Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices. If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add and Edit A Smart Tunnel Entry Dialog Boxes
Use the Add and Edit A Smart Tunnel Entry dialog boxes to create a new smart tunnel entry or edit an existing entry in the table in the SSL VPN Smart Tunnel Lists dialog box.
From Add and Edit Smart Tunnel List Dialog Boxes, click the Add Row button beneath the Smart Tunnel Entries table, or select an entry and click the Edit Row button.
- The name of the application to which you are allowing smart tunnel access. The name can be up to 64 characters. Consider including the version number of the application if you are allowing more than one version smart tunnel access.
- The filename and, optionally, the path of the application. This entry can be up to 128 characters. Use one of the following:
- (Optional) The hash value for the application. By specifying a hash value, you can ensure that the user does not rename another application to use a supported filename and thus start an unsupported and undesired application over the smart tunnel. To obtain the hash value, compute the SHA-1 checksum of the executable file with a utility that calculates SHA-1 hashes. One example of such a utility is the Microsoft File Checksum Integrity Verifier (FCIV), which is available at http://support.microsoft.com/kb/841290/. Place a temporary copy of the application to be hashed on a path that contains no spaces (for example, c:\temp) and then enter fciv.exe -sha1 application at the command line (for example, fciv.exe -sha1 c:\msimn.exe) to display the SHA-1 hash. Copy and paste the value into this field. The SHA-1 hash is always 40 hexadecimal characters. Before authorizing an application for smart tunnel access, the clientless SSL VPN calculates the hash of the application matching the App Name and qualifies the application for smart tunnel access only if the result matches the value in this field. Because the checksum varies with each version or patch of an application, the hash you enter can match only one version or patch on the remote host. To specify a hash for more than one version of an application, create a separate smart tunnel entry for each hash value.
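To show what the Hash field actually buys you, the following added example (not Security Manager, ASA or FCIV code) computes the 40-character SHA-1 value the field expects and reproduces the device-side check: the file that matches the App Name is hashed and compared with the configured value, so a renamed copy of the approved build still qualifies while a different program renamed to the approved filename does not. The sample "executables" are constructed byte strings written to a temporary directory, and the function names are assumptions; on a real workstation you would point sha1_of_file() at the actual .exe, which gives the same value FCIV prints.

```python
"""
Added example (not Security Manager, ASA or FCIV code): produce the SHA-1 value
for a smart tunnel entry and reproduce the comparison the clientless SSL VPN
performs before granting smart tunnel access.  All sample files are constructed.
"""
import hashlib
import os
import tempfile


def sha1_of_file(path: str) -> str:
    """SHA-1 of a file as 40 lowercase hex characters; chunked so that large
    binaries are not read into memory at once.  Equivalent to fciv.exe -sha1."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_valid_hash_field(value: str) -> bool:
    """The field must hold exactly 40 hexadecimal characters."""
    return len(value) == 40 and all(c in "0123456789abcdefABCDEF" for c in value)


def qualifies_for_smart_tunnel(path: str, configured_hash: str) -> bool:
    """Mirror the device-side check: the application on the client qualifies only
    if the hash of the file matching the App Name equals the configured value.
    Assumption for this demo: an empty configured hash (the field is optional)
    means the entry matches on filename alone.  Comparison is case-insensitive
    because hashing utilities print hex in either case."""
    if not configured_hash:
        return True
    if not is_valid_hash_field(configured_hash):
        raise ValueError("hash must be exactly 40 hexadecimal characters")
    return sha1_of_file(path).lower() == configured_hash.lower()


def demo() -> dict:
    """Constructed scenario: the approved build, the same build under another
    name, and a different program renamed to the approved filename."""
    approved_build = b"MZ\x90\x00 constructed approved build v1.0\n" * 100
    other_program = b"MZ\x90\x00 constructed unrelated program\n" * 100
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "app.exe")
        renamed = os.path.join(workdir, "app_copy.exe")
        impostor = os.path.join(workdir, "impostor_renamed_to_app.exe")
        for path, data in ((good, approved_build), (renamed, approved_build),
                           (impostor, other_program)):
            with open(path, "wb") as handle:
                handle.write(data)
        configured = sha1_of_file(good)   # the value you would paste into the field
        return {
            "hash_len": len(configured),
            "same_build": qualifies_for_smart_tunnel(good, configured),
            "renamed_same_build": qualifies_for_smart_tunnel(renamed, configured),
            "different_program": qualifies_for_smart_tunnel(impostor, configured),
            "no_hash_configured": qualifies_for_smart_tunnel(impostor, ""),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last result in demo() is the case the text warns about: with no hash configured, anything carrying the approved filename qualifies. Because each build or patch of an application hashes differently, keep a small script like this in your change process so the field is updated whenever the approved application is patched.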
Add and Edit Smart Tunnel Network Lists Dialog Boxes
Beginning from Security Manager version 4.7, you can use the Add and Edit Smart Tunnel Network Lists dialog boxes to create and edit a list of hosts that you can use for configuring smart tunnel policies.
Select Manage > Policy Objects, then select SSL VPN Smart Tunnel Network Lists from the Object Type selector. Right-click inside the work area and select New Object, or right-click a row and select Edit Object. Alternatively, you can click the Add (+) button to add a new object, or click the Edit (pencil) button to edit an object.
- ASA Group Policies SSL VPN Clientless Settings
- Configuring SSL VPN Smart Tunnels for ASA Devices
- Policy Object Manager
- Add and Edit A Smart Tunnel Network List Entry Dialog Box
- The smart tunnel network list object name that you use to apply to the tunnel policy. The name can be up to 64 characters. Spaces are not allowed. Object names are not case-sensitive. For more information, see Creating Policy Objects.
- The host mask or IP address of the network to which applications will be allowed smart tunnel access through the SSL VPN.
- The other SSL VPN smart tunnel network list objects that you want to include in this object, if any. Enter the names of the objects or click Select to select them from a list or to create new objects. Separate multiple entries with commas.
- The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
- Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices. If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add and Edit A Smart Tunnel Network List Entry Dialog Box
Use the Add and Edit A Smart Tunnel Network List Entry dialog box to create a new smart tunnel network list entry or edit an existing entry in the table in the SSL VPN Smart Tunnel Network Lists dialog box.
From Add and Edit Smart Tunnel List Dialog Boxes, click the Add Row button beneath the Smart Tunnel Network List Entries table, or select an entry and click the Edit Row button.
- Add and Edit Smart Tunnel Network Lists Dialog Boxes
- ASA Group Policies SSL VPN Clientless Settings
- Configuring SSL VPN Smart Tunnels for ASA Devices
- Policy Object Manager
Add and Edit Smart Tunnel Auto Signon List Dialog Boxes
Use the Add and Edit Smart Tunnel Auto Signon Lists dialog boxes to create, copy, and edit SSL VPN smart tunnel auto sign-on objects.
Smart Tunnel Auto Sign-on is a single sign-on method for Clientless SSL VPN users. It passes the login credentials (username and password) to internal servers for authentication using NTLM authentication, HTTP Basic authentication, or both. Smart Tunnel Auto Sign-on is supported on ASA 5500 devices running software version 7.1(1) and later.
An SSL VPN smart tunnel auto sign-on list object identifies the servers for which to automate the submission of login credentials during smart tunnel setup. You can configure the clientless settings of an ASA group policy with a smart tunnel auto sign-on list if you want to reissue the user credentials when the user establishes a smart tunnel connection to a server. For an explanation of the types of applications that support smart tunnel access, see Configuring SSL VPN Smart Tunnels for ASA Devices.
You can include other SSL VPN smart tunnel auto sign-on list objects in an object. Thus, you can create a set of objects that identify your basic list of servers and include those objects in another object that expands upon that list of servers.
Select Manage > Policy Objects, then select SSL VPN Smart Tunnel Auto Signon Lists from the Object Type selector. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
- ASA Group Policies SSL VPN Clientless Settings
- Configuring SSL VPN Smart Tunnels for ASA Devices
- Policy Object Manager
- The object name, which can be up to 64 characters. Spaces are not allowed. Object names are not case-sensitive. For more information, see Creating Policy Objects.
- The servers for which to automate the submission of login credentials during smart tunnel setup.
- The other smart tunnel auto sign-on list objects that you want to include in this object, if any. Enter the names of the objects or click Select to select them from a list or to create new objects. Separate multiple entries with commas.
- The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
- Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices. If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add and Edit Smart Tunnel Auto Signon Entry Dialog Boxes
Use the Add and Edit Smart Tunnel Auto Signon Entry dialog boxes to create a new smart tunnel auto sign-on entry or edit an existing entry in the table in the SSL VPN Smart Tunnel Auto Signon List dialog box.
From Add and Edit Smart Tunnel Auto Signon List Dialog Boxes, click the Add Row button beneath the Smart Tunnel Auto Signon Entries table, or select an entry and click the Edit Row button.
Add or Edit User Group Dialog Box
Use the Add or Edit User Group dialog box to create or edit a user group object. User group objects are used in Easy VPN topologies, remote access VPNs, and SSL VPNs for IOS devices.
When you configure a remote access VPN, SSL VPN, or Easy VPN server, you can create user groups to which remote clients belong. The remote clients must be configured with the same group name as the user group on the VPN server in order to connect to the server; otherwise, no connection is established. When the remote client connects to the VPN server successfully, the group policies for that particular user group are pushed to all remote clients belonging to the user group.
For more information about user groups, see:
- Configuring User Group Policies
- Configuring a User Group Policy for Easy VPN
- Configuring an SSL VPN Policy (IOS)
Note You must select the technology (Easy VPN/Remote Access VPN, or SSL VPN) for which you are creating the user group object. If you are editing an existing user group object, the technology is already selected and you cannot change it. Depending on the selected technology, the appropriate settings are available for configuration.
Select Manage > Policy Objects, then select User Groups from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Tip You can also access this dialog box from the Remote Access VPN > IPSec VPN > User Groups or the Remote Access VPN > SSL VPN policies.
- The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects.
- The body of the dialog box is a pane with a table of contents on the left and settings related to the item selected in the table of contents on the right. You must first configure technology settings, then you can select items from the table of contents on the left and configure the options you require. Your selections on the Technology page control which options are available on these pages and in the table of contents. The top folders in the table of contents represent the VPN technologies or other settings that you can configure, and are explained next.
- These settings control what you can define in the group policy:
- When you select Easy VPN/Remote Access IPSec VPN as the technology, you can configure settings on the following pages:
- When you select SSL VPN as the technology, you can configure settings on the following pages:
- The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
User Group Dialog Box—General Settings
The general settings you configure for your user group include the authentication method, IP address pool information, and connection attributes for PIX 6.3 Firewalls.
Note These settings apply in Easy VPN and remote access IPSec VPN configurations.
Select General from the table of contents in the Add or Edit User Group Dialog Box.
User Group Dialog Box—DNS/WINS Settings
Configure the DNS/WINS settings for your user group to define the DNS and WINS servers and the domain name that should be pushed to clients associated with the user group.
Note The DNS/WINS settings you configure for a user group apply in Easy VPN, remote access VPN, and SSL VPN configurations.
Select DNS/WINS from the table of contents in the Add or Edit User Group Dialog Box.
User Group Dialog Box—Split Tunneling
Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination.
The split tunneling policy is applied to a specific network. When you configure split tunneling, you can transmit both secured and unsecured traffic on the same interface. You must specify which traffic will be secured and what the destination of that traffic is, so that you have a secure tunnel to the central site, while the clear (unsecured) traffic is transmitted across the public network.
Tip For optimum security, we recommend that you not enable split tunneling.
Note Split tunneling can be applied in Easy VPN, remote access VPN, and SSL VPN configurations. For information about configuring split tunneling for SSL VPN, see User Group Dialog Box—SSL VPN Split Tunneling.
Select Split Tunneling from the table of contents in the Add or Edit User Group Dialog Box when configuring Easy VPN/Remote Access IPSec VPN.
- The networks for which you want to tunnel traffic. Traffic to all other addresses travels in the clear and is routed by the remote user’s Internet service provider. You can identify the networks using one of these options:
- A list of domain names that must be tunneled or resolved to the private network. All other names will be resolved through the public DNS server.
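The two settings above decide, per packet and per DNS lookup, what stays inside the tunnel and what leaves the client in the clear. The following added example (not Security Manager, ASA or IOS code) models that decision so you can check a proposed network list and split DNS domain list against sample destinations before deploying it, and also shows the "split tunneling disabled" behaviour the Tip above recommends, where everything goes through the tunnel. The SplitTunnelPolicy class, its method names, and the networks, domains and addresses used are constructed for the illustration.

```python
"""
Added example (not Security Manager, ASA or IOS code): the routing and DNS
decision a split tunneling policy makes.  Destinations inside a listed network
are sent through the tunnel; everything else goes out in the clear via the
user's ISP.  Names under a split DNS domain resolve through the private network;
all others through the public DNS server.  With split tunneling disabled,
all traffic and all name resolution go through the tunnel.
All networks, domains and sample destinations are constructed.
"""
import ipaddress
from typing import Iterable


class SplitTunnelPolicy:
    def __init__(self, tunneled_networks: Iterable[str],
                 split_dns_domains: Iterable[str] = (),
                 split_tunneling_enabled: bool = True):
        # strict=False accepts host bits in a prefix such as 10.1.2.3/8
        self.networks = [ipaddress.ip_network(n, strict=False) for n in tunneled_networks]
        # normalise: lower-case, no leading or trailing dot
        self.domains = [d.lower().strip(".") for d in split_dns_domains]
        self.enabled = split_tunneling_enabled

    def route_for(self, destination: str) -> str:
        """'tunnel' if the destination falls in a listed network (or split
        tunneling is disabled), otherwise 'clear'."""
        if not self.enabled:
            return "tunnel"
        addr = ipaddress.ip_address(destination)
        return "tunnel" if any(addr in net for net in self.networks) else "clear"

    def dns_for(self, hostname: str) -> str:
        """'private' if the name is in or under a split DNS domain (or split
        tunneling is disabled), otherwise 'public'."""
        if not self.enabled:
            return "private"
        name = hostname.lower().rstrip(".")
        for domain in self.domains:
            # exact match or a proper subdomain; "notcorp.example" must not
            # match "corp.example", hence the leading dot in the suffix test
            if name == domain or name.endswith("." + domain):
                return "private"
        return "public"

    def report(self, destinations: Iterable[str], hostnames: Iterable[str]) -> dict:
        """Summarise what a candidate policy does with sample traffic."""
        return {
            "routes": {d: self.route_for(d) for d in destinations},
            "dns": {h: self.dns_for(h) for h in hostnames},
        }


if __name__ == "__main__":
    policy = SplitTunnelPolicy(["10.0.0.0/8", "192.168.10.0/24"],
                               ["corp.example", "intranet.example"])
    print(policy.report(["10.20.30.40", "192.168.11.7", "203.0.113.9"],
                        ["mail.corp.example", "www.example.com"]))
```

Running report() over the addresses your users actually reach is a cheap way to catch an over-narrow network list (internal hosts silently going out in the clear) or a split DNS list that lets internal names leak to the public resolver.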
User Group Dialog Box—IOS Client Settings
Configure IOS client settings to define Cisco IOS specific options for your user group, including firewall settings for VPN clients.
Note These settings apply in Easy VPN and remote access IPSec VPN configurations.
Select Client Settings (IOS) from the table of contents in the Add or Edit User Group Dialog Box.
User Group Dialog Box—IOS Xauth Options
IOS Xauth options configure IKE Extended Authentication (Xauth) user authentication and connection parameters for the user group, including the banner text.
Note These settings apply in Easy VPN and remote access VPN configurations.
Select Xauth Options (IOS) from the table of contents in the Add or Edit User Group Dialog Box.
User Group Dialog Box—IOS Client VPN Software Update
Client VPN Software Update (IOS) settings configure, for your user group, the platform type, VPN Client revisions, and image URL of each client VPN software package installed for an IOS VPN client.
The Client Update feature is supported on IOS routers version 12.4(2)T and later, and Catalyst 6500/7600 devices version 12.2(33)SRA and later.
- To add a client, click the Add Row button to open the Add/Edit Client Update Dialog Box.
- To edit a client, select it and click the Edit Row button.
- To delete a client, select it and click the Delete Row button.
Note These settings apply in Easy VPN and remote access VPN configurations.
Select Client VPN Software Update (IOS) from the table of contents in the Add or Edit User Group Dialog Box.
Add/Edit Client Update Dialog Box
Use the Add or Edit Client Update dialog box to configure the platform type, image URL, and VPN Client revisions for a client VPN software package.
Open the User Group Dialog Box—IOS Client VPN Software Update, then click Add Row, or select an item in the table and click Edit Row.
User Group Dialog Box—Advanced PIX Options
The Advanced PIX Options are specifically for PIX 6.3 Firewalls in your user group.
Note These settings apply in Easy VPN and remote access VPN configurations.
Select Advanced Options (PIX) from the table of contents in the Add or Edit User Group Dialog Box.
Element | Description
---|---
Idle Timeout | The length of time that a VPN tunnel can remain open without user activity, in seconds. Values range from 60 to 86400 seconds.
AAA Server Group | The AAA server to which remote devices send user authentication requests. Enter the name of the server group or click Select to select it from a list or to create a new group. See Understanding AAA Server and Server Group Objects.
MAC-based AAA Exemption | Whether to use Media Access Control (MAC) addresses to bypass authentication for devices, such as Cisco IP phones, that do not support AAA authentication. When MAC-based AAA exemption is enabled, the device bypasses the AAA server for traffic that matches both the MAC address of the device and the IP address that was dynamically assigned by a DHCP server. Authorization services are disabled automatically when you bypass authentication. Accounting records continue to be generated (if enabled), but the username is not displayed.
Secure Unit Authentication (SUA) | Whether to provide increased security when allowing access to the device from a remote client. With Secure Unit Authentication (SUA), you can use one-time passwords, two-factor authentication, and similar authentication schemes to authenticate the remote device during Extended Authentication (Xauth). SUA is specified in the VPN policy on the device and is downloaded to the remote client. This enables SUA and determines the connection behavior of the remote client.
Individual User Authentication (IUA) | Whether to enable Individual User Authentication (IUA), which supports individually authenticating clients on the inside network of the remote access VPN, based on the IP address of each inside client. IUA supports both static and OTP authentication mechanisms.
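The MAC-based AAA exemption row above hinges on one detail that is easy to misread: the device bypasses the AAA server only when both the MAC address and the DHCP-assigned IP address match an exemption entry, and when it does, authorization is switched off while accounting records are still written without a username. The following is an added example that models that decision; it is not Security Manager or PIX code, and the exemption table, addresses and the `<from AAA>` username placeholder are constructed.

```python
"""Decision model for the MAC-based AAA exemption described in the
Advanced PIX Options table. Added example, not Security Manager or PIX
code; exemption entries and addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55
    and return the canonical lowercase colon-separated form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class MacExemption:
    """One exempt device: its MAC and the IP the DHCP server assigned to it."""
    mac: str
    ip: str


@dataclass
class AaaDecision:
    bypass_authentication: bool   # True = the AAA server is not contacted
    authorization_enabled: bool   # automatically off when authentication is bypassed
    accounting_record: Optional[Dict[str, Optional[str]]]  # None when accounting is disabled


def decide(exemptions: List[MacExemption], src_mac: str, src_ip: str,
           accounting_enabled: bool = True) -> AaaDecision:
    """Apply the rule from the table: bypass only when BOTH the MAC address
    and the dynamically assigned IP address match an exemption entry."""
    mac = normalize_mac(src_mac)
    exempt = any(e.mac == mac and e.ip == src_ip for e in exemptions)
    if exempt:
        # Authorization is disabled automatically; an accounting record is
        # still generated (if enabled) but carries no username.
        record = {"ip": src_ip, "mac": mac, "username": None} if accounting_enabled else None
        return AaaDecision(True, False, record)
    # Normal path: the AAA server authenticates the user. The username is only
    # known after that exchange, so a constructed placeholder stands in for it.
    record = {"ip": src_ip, "mac": mac, "username": "<from AAA>"} if accounting_enabled else None
    return AaaDecision(False, True, record)


# Constructed exemption table: one IP phone with its DHCP-assigned address.
EXEMPTIONS = [MacExemption(normalize_mac("0011.2233.4455"), "10.1.1.50")]


def demo() -> Dict[str, bool]:
    """Three constructed cases showing why both fields must match."""
    return {
        "phone":    decide(EXEMPTIONS, "00:11:22:33:44:55", "10.1.1.50").bypass_authentication,
        "mac_only": decide(EXEMPTIONS, "00:11:22:33:44:55", "10.1.1.99").bypass_authentication,
        "ip_only":  decide(EXEMPTIONS, "00-aa-bb-cc-dd-ee", "10.1.1.50").bypass_authentication,
    }


if __name__ == "__main__":
    print(demo())  # {'phone': True, 'mac_only': False, 'ip_only': False}
```

The `mac_only` case is the one worth keeping in mind when reviewing exemption lists: a host presenting an exempt MAC from a different address is still sent to the AAA server, so the exemption is only as reliable as the pairing of MAC and DHCP lease.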
User Group Dialog Box—Clientless Settings
Use the Clientless settings to configure the clientless mode of access to the corporate network in an SSL VPN.
In clientless access mode, once a user is authenticated and a session is established, an SSL VPN portal page and toolbar are displayed in the user’s web browser. From the portal page, the user can access all available HTTP sites, access web e-mail, and browse Common Internet File System (CIFS) file servers.
Select Clientless from the table of contents in the Add or Edit User Group Dialog Box.
User Group Dialog Box—Thin Client Settings
Use the Thin Client settings to enable the thin client, or port forwarding, mode of access to the corporate network in an SSL VPN. Port forwarding allows users to access applications (such as Telnet, e-mail, VNC, SSH, and Terminal services) inside the enterprise through an SSL VPN session. A port forwarding list object defines the mappings of port numbers on the remote client to the application’s IP address and port behind the SSL VPN gateway.
In thin client access mode, the remote user downloads a Java applet that acts as a TCP proxy on the client machine for the services configured on the SSL VPN gateway. The proxy provides the port forwarding services.
Select Thin Client from the table of contents in the Add or Edit User Group Dialog Box.
User Group Dialog Box—SSL VPN Full Tunnel Settings
Use the SSL VPN Full Tunnel settings to enable the full tunnel client access mode in your SSL VPN. When you enable full tunnel access, you should also define DNS/WINS server settings, browser proxy settings, and split tunneling for the user group.
In full tunnel client access mode, the tunnel connection is determined by the group policy configuration. The full tunnel client software, SSL VPN Client (SVC), must be downloaded to the remote client so that a tunnel connection can be established when the remote user logs in to the SSL VPN gateway.
Tip For full tunnel client access to work, you must install the client software on the gateway. The user downloads the client when connecting to the gateway.
Select Full Tunnel > Settings from the table of contents in the Add or Edit User Group Dialog Box.
User Group Dialog Box—SSL VPN Split Tunneling
Use the Split Tunneling settings to configure a secure tunnel to the central site and simultaneous clear text tunnels to the Internet for SSL VPNs.
Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split tunneling policy is applied to specific networks.
Tip For optimum security, we recommend that you not enable split tunneling.
Select Full Tunnel > Split Tunneling from the table of contents in the Add or Edit User Group Dialog Box.
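To make the behaviour described above concrete, and to show why the tip recommends leaving split tunneling off, the following added example classifies destinations the way a split-tunnel client would: addresses inside the protected network list go through the encrypted tunnel, everything else leaves the client in clear text. It is not Security Manager code; the network list and the traffic sample are constructed, and passing `None` as the list is this example's way of modelling split tunneling disabled (everything tunneled).

```python
"""Classifier for the split tunneling behaviour described above. Added
example, not Security Manager code; the network list and destinations
are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def build_split_list(networks: Iterable[str]) -> List[Network]:
    """Parse the networks the policy protects (the 'other side of the tunnel')."""
    return [ipaddress.ip_network(n, strict=False) for n in networks]


def path_for(dest: str, split_list: Optional[List[Network]]) -> str:
    """Return 'tunnel' (encrypted, sent to the central site) or 'clear'
    (sent directly out the client's network interface).

    split_list None models split tunneling disabled: every packet is tunneled.
    """
    if split_list is None:
        return "tunnel"
    addr = ipaddress.ip_address(dest)
    for net in split_list:
        # Compare only within the same address family; an IPv4 address is
        # never "in" an IPv6 network and vice versa.
        if addr.version == net.version and addr in net:
            return "tunnel"
    return "clear"


def classify(dests: Iterable[str], split_list: Optional[List[Network]]) -> Dict[str, str]:
    """Map every destination to the path its packets would take."""
    return {d: path_for(d, split_list) for d in dests}


def clear_text_destinations(dests: Iterable[str],
                            split_list: Optional[List[Network]]) -> List[str]:
    """Destinations that bypass the tunnel. This is what a reviewer of a
    split-tunnel policy wants listed: that traffic is not seen by the
    central site's inspection and filtering."""
    return [d for d, p in classify(dests, split_list).items() if p == "clear"]


# Constructed policy: only the corporate ranges are reachable over the tunnel.
CORPORATE = build_split_list(["10.0.0.0/8", "192.168.100.0/24", "2001:db8:100::/48"])

# Constructed traffic sample from a remote client.
SAMPLE = ["10.20.30.40", "192.168.100.7", "192.168.101.7",
          "203.0.113.9", "2001:db8:100::1", "2001:db8:200::1"]


def demo() -> Dict[str, Dict[str, str]]:
    """Same sample under split tunneling and under tunnel-all."""
    return {
        "split": classify(SAMPLE, CORPORATE),
        "tunnel_all": classify(SAMPLE, None),
    }


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
    print("bypasses tunnel:", clear_text_destinations(SAMPLE, CORPORATE))
```

Note that `192.168.101.7` is classified as clear text even though it looks like an internal address: the decision is purely a prefix match against the configured list, so an omitted subnet silently becomes direct, unencrypted traffic.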
User Group Dialog Box—Browser Proxy Settings
Use the Browser Proxy settings to configure proxy bypass for full tunnel access in an SSL VPN.
A security appliance can terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers, which act as intermediaries between users and the Internet. Proxy bypass is an alternative method of content rewriting that makes minimal changes to the original content. It is useful with custom web applications.
Tip The browser proxy settings work only for Microsoft Internet Explorer; they do not work for other types of browsers.
Select Full Tunnel > Browser Proxy Settings from the table of contents in the Add or Edit User Group Dialog Box.
User Group Dialog Box—SSL VPN Connection Settings
Use this SSL VPN Connection Settings page to configure the SSL VPN session connection settings for the user group, including the banner text. An SSL VPN session is disconnected if the client is connected longer than the session timeout or if it is idle longer than the idle timeout.
Select Connection Settings from the table of contents in the Add or Edit User Group Dialog Box.
Add or Edit WINS Server List Dialog Box
Use the WINS Server Lists dialog box to create, copy, and edit WINS server list objects. A WINS Server List object defines a list of Windows Internet Naming Server (WINS) servers, which are used to translate Windows file server names to IP addresses.
Select Manage > Policy Objects, then select WINS Server Lists from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
- Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL VPNs
- Policy Object Manager
Element | Description
---|---
Name | The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects.
WINS Servers | The WINS servers that are defined for the object.
Category | The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
Allow Value Override per Device | Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices. If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit WINS Server Dialog Box
Use the Add/Edit WINS Server dialog box to create a new WINS server entry or edit an existing entry in the table in the WINS Server Lists dialog box.
From the Add or Edit WINS Server List Dialog Box, click the Add button beneath the WINS Server List table, or select a server in the table and click the Edit button.