User Guide for Cisco Security Manager 4.18

Configuring Cluster Load Balance Policies (ASA)

Use the ASA Cluster Load Balance page to enable load balancing for an ASA device in your remote access VPN. You must explicitly enable load balancing, as it is disabled by default. All devices that participate in a cluster must share the same cluster-specific values: IP address, encryption settings, encryption key, and port. For more information on cluster load balancing, see Understanding Cluster Load Balancing (ASA).

Note Load balancing requires an active 3DES/AES license and an ASA Model 5510 with a Plus license or an ASA Model 5520 or higher. The ASA device checks for the existence of this crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the device prevents load balancing, and also prevents internal configuration of 3DES by the load balancing system unless the license permits this usage.

Step 1 Do one of the following:

• (Device View) Select an ASA device; then select Remote Access VPN > ASA Cluster Load Balance from the Policy selector.
• (Policy View) Select Remote Access VPN > ASA Cluster Load Balance from the Policy Type selector. Select an existing policy or create a new one.

The ASA Cluster Load Balance page opens.

Step 2 Select Participate in Load Balancing Cluster to indicate that the device belongs to a load-balancing cluster.

Step 3 Configure the VPN Cluster Configuration options:

• Cluster IPv4/IPv6 Address —Specify the single IP address that represents the entire virtual cluster. Choose an IP address that is in the same subnet as the external interface. Beginning with version 4.12, Security Manager supports IPv6 address for IPv6 cluster in addition to the IPv4 address. This is for ASA devices running the version 9.0 or later.
• UDP Port —Specify the UDP destination port for the virtual cluster to which the device belongs. The port is typically 9023, but if that port is in use by another application, enter the UDP destination port number that you want to use for load balancing.
• Enable IPSec Encryption, IPSec Shared Secret —If required, select Enable IPsec Encryption to ensure that all load-balancing information communicated between the devices is encrypted. If you select this option, also enter (and confirm) the shared secret password. This can be a case-sensitive value between 4 and 16 characters, without spaces. The security appliances in the virtual cluster communicate through LAN-to-LAN tunnels using IPsec. This password must match the passwords passed on by the client.

Step 4 Configure the priority of the server in the cluster. Select one of the following options:

• Accept default device value —To accept the default priority value assigned to the device.
• Configure same priority on all devices in the cluster —To configure the same priority value to all the devices in the cluster. Then enter the priority number (1-10) to indicate the likelihood of the device becoming the virtual director, either at startup or when the existing director fails.

Step 5 Specify the public and private interfaces to be used on the server:

• Public Interfaces —The public interfaces to be used on the server. Enter the name of an interface or interface role object, or click Select to select the interface or role or to create a new role.
• Private Interfaces —The private interfaces to be used on the server. Enter the name of an interface or interface role object, or click Select to select the interface or role or to create a new role.

Step 6 If required, select Send FQDN to client instead of an IP address when redirecting to enable redirection using fully-qualified domain names. This option is available only for ASA devices running 8.0(2) or later. For more information, see Understanding Cluster Load Balancing (ASA).

Connection Profiles Page

Use the Connection Profiles page to manage connection profile policies for remote access VPN or Easy VPN topologies. The Connection Profiles page lists the connection profiles that are configured, shows the group policy associated with those connection profiles, and indicates whether a connection profile is the default connection profile to use for Citrix clients when no specific tunnel group is identified during tunnel negotiation.

Use of this policy differs depending on the type of VPN you are configuring:

• Remote access SSL VPN—The policy is used only for ASA devices. You can create multiple profiles, and configure settings on all tabs of the Connection Profiles dialog box.
• Remote access IPSec VPN—The policy is used for ASA devices and PIX Firewalls running PIX 7.0+ software. You can create multiple profiles, but only the General, AAA, and IPSec tabs on the Connection Profiles dialog box apply to this configuration (in some cases, you will see only these tabs).
• Easy VPN topologies—The policy is used for Easy VPN servers (hubs) that are ASA devices or PIX Firewalls running PIX 7.0+ software. You can create a single profile, so the policy page actually imbeds the Connection Profiles dialog box, so that you have direct access to the tabs that define the profile. Only the General, AAA, and IPSec tabs apply.

For remote access IPSec and SSL VPNs:

• To add a profile, click the Add Row button and fill in the Connection Profiles dialog box.
• To edit an existing profile, select it and click the Edit Row button.
• To delete a profile, select it and click the Delete Row button.

The connection profile consists of the following tabs. Configure them as appropriate for the type of VPN you are configuring.

• General Tab (Connection Profiles)
• AAA Tab (Connection Profiles)
• Secondary AAA Tab (Connection Profiles) (SSL VPN and IKEv2 IPsec VPN only.)
• IPSec Tab (Connection Profiles) (Some of these settings apply to IKEv1 but not to IKEv2 connections.)
• SSL Tab (Connection Profiles) (SSL VPN only)

Navigation Path

Remote access VPNs:

• (Device View) Select an ASA or PIX 7+ device and select Remote Access VPN > Connection Profiles from the Policy selector.
• (Policy View) Select Remote Access VPN > Connection Profiles (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Easy VPN:

• From the Site-to-Site VPN Manager Window, select the Easy VPN topology and then select Connection Profiles (PIX7.0/ASA).
• (Device view) Select a device that participates in the Easy VPN topology and select Site to Site VPN from the Policy selector. Select the Easy VPN topology and click Edit VPN Policies to open the Site-to-Site VPN Manager Window, where you can select the policy.
• (Policy view) Select Site-to-Site VPN > Connection Profiles (PIX7.0/ASA). Select an existing policy or create a new one.

This section contains the following topics:

• General Tab (Connection Profiles)
• AAA Tab (Connection Profiles)
• Secondary AAA Tab (Connection Profiles)
• IPSec Tab (Connection Profiles)
• SSL Tab (Connection Profiles)

Supported CLIs in Remote Access VPN Multi-Context Mode - Connection Profiles

The following CLIs are supported for ASA 9.5(2) for Connection Profiles for remote access VPN in multiple context mode. These CLIs are supported in Admin and User Context for Tunnel-Group.

DefaultWEBVPNGroup is the default Connection Profile. DefaultRAGroup is not supported in ASA 9.5(2) remote access VPN Multiple Context mode.

Note For the configurations that are not supported, Security Manager displays a warning message that you can ignore. No delta will be generated.

• Type remote-access
• General-attributes

– Accounting-server-group

– Address-pool

– Annotation

– Authenticated-session-username

– Authentication-attr-from-server

– Authentication-server-group

– Authorization-required

– Authorization-server-group

– Default-group-policy

– Dhcp-server

– Exit

– Ipv6-address-pool

– Nat-assigned-to-public-ip

– Password-management

– Secondary-authentication-server-group

• Webvpn-attributes

– Authentication

– Exit

– Group-alias

– Group-url

– No

– Radius-reject-message

General Tab (Connection Profiles)

Use the General tab of the Connection Profiles dialog box to configure the basic properties for a VPN Connection Profile policy. These properties are used in remote access IPsec and SSL VPNs and site-to-site Easy VPN topologies.

The General Tab is supported in ASA 9.5(2) Remote Access VPN in Multiple Context mode.

Navigation Path

• Remote Access VPNs—From the Connection Profiles page (see Connection Profiles Page), click the Add Row (+) button, or select a profile and click the Edit Row (pencil) button, to open the Connection Profiles dialog box. Click the General tab if necessary.
• Easy VPN topologies—Select the site-to-site VPN Connection Profiles policy in either Policy view or in the Site-to-Site VPN Manager with an Easy VPN topology selected (see Connection Profiles Page). Click the General tab if necessary.

Related Topics

• Configuring Connection Profiles (ASA, PIX 7.0+)
• ASA Group Policies Dialog Box
• Understanding Networks/Hosts Objects
• Configuring a Connection Profile Policy for Easy VPN
• Understanding Easy VPN

Field Reference

Add/Edit Interface Specific Client Address Pools Dialog Box

Use the Add/Edit Interface Specific Client Address Pools dialog box to configure interface-specific client address pools for your connection profile policy.

Navigation Path

Open the General tab in the Connection Profiles dialog box (see General Tab (Connection Profiles)), then click Add Row below the Interface-Specific Address Pools table, or select a row in the table and click Edit Row.

Related Topics

• Creating Interface Role Objects
• Creating Networks/Hosts Objects

Field Reference

AAA Tab (Connection Profiles)

Use the AAA tab of the Connection Profile dialog box to configure the AAA authentication parameters for a connection profile policy.

For AAA, the Distinguished Name Authorization Settings policy is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.

However, beginning with Security Manager version 4.12, this policy is supported for ASA 9.6(2) Remote Access VPN in Multi-context mode. The supported CLIs for the Admin and User context are:

• Tunnel-group General-attributes

– Secondary-username-from-certificate

– Username-from-certificate

Navigation Path

• Remote Access VPNs—From the Connection Profiles page (see Connection Profiles Page), click the Add Row (+) button, or select a profile and click the Edit Row (pencil) button, to open the Connection Profiles dialog box. Click the AAA tab.
• Easy VPN topologies—Select the site-to-site VPN Connection Profiles policy in either Policy view or in the Site-to-Site VPN Manager with an Easy VPN topology selected (see Connection Profiles Page). Click the AAA tab.

Related Topics

• Configuring Connection Profiles (ASA, PIX 7.0+)
• Understanding AAA Server and Server Group Objects
• Configuring a Connection Profile Policy for Easy VPN
• Understanding Easy VPN

Field Reference

Add/Edit Interface Specific Authentication Server Groups Dialog Box

Use the Add/Edit Interface Specific Authentication Server Groups dialog boxes to configure interface-specific authentication for your connection profile policy. This setting overrides the global authentication server group settings if the client connects to the specified interface.

If you are configuring the secondary AAA server for an SSL VPN on an ASA device, the settings are specifically used for the secondary set of credentials that the user enters; this is reflected in the name of the dialog box.

Navigation Path

Open the AAA or Secondary AAA tabs in the Connection Profiles dialog box (see AAA Tab (Connection Profiles) or Secondary AAA Tab (Connection Profiles)), then click Add Row below the Interface-Specific Address Pools table, or select a row in the table and click Edit Row.

Related Topics

• Understanding Interface Role Objects
• Understanding AAA Server and Server Group Objects

Field Reference

Secondary AAA Tab (Connection Profiles)

Use the Secondary AAA tab to configure the secondary AAA authentication parameters for a remote access SSL VPN connection profile policy for use with ASA 8.2+ devices, or a remote access IKEv2 IPSec VPN connection profile policy for use with an ASA 8.4(1)+ device. These settings do not apply to remote access IKEv1 IPSec VPNs or Easy VPN topologies or to other device types.

Navigation Path

Remote Access VPNs only—From the Connection Profiles page (see Connection Profiles Page), click the Add Row (+) button, or select a profile and click the Edit Row (pencil) button, to open the Connection Profiles dialog box. Click the Secondary AAA tab.

Related Topics

• Configuring Connection Profiles (ASA, PIX 7.0+)

Field Reference

IPSec Tab (Connection Profiles)

Use the IPsec tab of the Connection Profiles page to specify IPsec and IKE parameters for the connection policy.

Beginning with version 4.8, Security Manager supports VPN connectivity via standards-based, third-party, IKEv2 remote-access clients (in addition to AnyConnect). Authentication support includes preshared keys, certificates, and user authentication via the Extensible Authentication Protocol (EAP).

IPSec is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode. Beginning with Cisco Security Manager version 4.17, IPSec is supported from ASA 9.9(2) or later multi-context devices. However, the following attributes under Connection Profile > IPSec tab is not supported for ASA 9.9(2) or later multi-context devices:

• Enable IKEv2 Mobike RRC
• Client Software Update Table

Navigation Path

• Remote Access VPNs—From the Connection Profiles page (see Connection Profiles Page), click the Add Row (+) button, or select a profile and click the Edit Row (pencil) button, to open the Connection Profiles dialog box. Click the IPSec tab.
• Easy VPN topologies—Select the site-to-site VPN Connection Profiles policy in either Policy view or in the Site-to-Site VPN Manager with an Easy VPN topology selected (see Connection Profiles Page). Click the IPSec tab.

Related Topics

• Configuring Connection Profiles (ASA, PIX 7.0+)
• Configuring a Connection Profile Policy for Easy VPN
• Understanding Easy VPN

Field Reference

IPSec Client Software Update Dialog Box

Use the IPsec Client Software Update dialog box to configure the specific revision level and image URL of a VPN client.

Navigation Path

Open the IPSec tab in the Connection Profiles dialog box (see IPSec Tab (Connection Profiles)), select a client type from the Client Software Update table, then click Edit Row.

Field Reference

SSL Tab (Connection Profiles)

Use the SSL tab of the Connection Profile dialog box to configure the WINS servers for the connection profile policy, select a customized look and feel for the SSL VPN end-user logon web page, DHCP servers to be used for client address assignment, and to establish an association between an interface and client IP address pools. Some items, such as connection profile aliases, apply to remote access IKEv2 IPsec VPNs, but otherwise these settings do not apply to remote access IKEv1 IPSec VPNs or Easy VPN topologies.

The following profiles are supported for the SSL tab in ASA 9.5(2) Remote Access VPN in Multi-context mode.

• Radius-Reject-Message
• Connection alias
• Group-url
• Group-alias

Navigation Path

Remote Access VPNs only—From the Connection Profiles page (see Connection Profiles Page), click the Add Row (+) button, or select a profile and click the Edit Row (pencil) button, to open the Connection Profiles dialog box. Click the SSL tab.

Related Topics

• Configuring Connection Profiles (ASA, PIX 7.0+)
• Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL VPNs
• Understanding Networks/Hosts Objects
• Configuring ASA Portal Appearance Using SSL VPN Customization Objects

Field Reference

Add/Edit Connection Alias Dialog Box

Use the Add/Edit Connection Alias dialog box to create or edit a connection alias for an SSL or IKEv2 IPsec VPN connection profile. Specifying the connection alias creates one or more alternate names by which the user can refer to a tunnel group.

Navigation Path

Open the SSL tab in the Connection Profiles dialog box (see SSL Tab (Connection Profiles)), and click Add Row beneath the Connection Alias table, or select an alias from the table and click Edit Row.

Field Reference

Add/Edit Connection URL Dialog Box

Use this dialog box to specify incoming URLs for the tunnel group. If a connection URL is enabled in a tunnel group, when the user connects using that URL, the security appliance selects the associated tunnel group and presents the user with only the username and password fields in the login window.

Tips

• You can configure multiple URLs or addresses (or none) for a group. Each URL or address can be enabled or disabled individually.
• You cannot associate the same URL or address with multiple groups. The security appliance verifies the uniqueness of the URL or address before accepting the URL or address for a tunnel group.

Navigation Path

Open the SSL tab in the Connection Profiles dialog box (see SSL Tab (Connection Profiles)), and click Add Row beneath the Group URLs table, or select a URL from the table and click Edit Row.

Field Reference

Understanding Group Policies (ASA)

When you configure a remote access IPSec or SSL VPN connection, you must create user groups to which remote clients will belong. A user group policy is a set of user-oriented attribute/value pairs for remote access VPN connections that are stored either internally (locally) on the device or externally on an AAA server. The connection profile uses a user group policy that sets terms for user connections after the connection is established. Group policies let you apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user.

Tip Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic Access policy, an ASA device checks for Group policies that specify the setting.

An ASA user group comprises the following attributes:

• Group policy source—Identifies whether the user group’s attributes and values are stored internally (locally) on the security appliance or externally on an AAA server. If the user group is an external type, no other settings need to be configured for it. For more information, see ASA Group Policies Dialog Box.
• Client Configuration settings, which specify the Cisco client parameters for the user group in an Easy VPN or remote access VPN. For more information, see ASA Group Policies Client Configuration Settings.
• Client Firewall Attributes, which configure the firewall settings for VPN clients in an Easy VPN or remote access VPN. For more information, see ASA Group Policies Client Firewall Attributes.
• Hardware Client Attributes, which configure the VPN 3002 Hardware Client settings in an Easy VPN or remote access VPN. For more information, see ASA Group Policies Hardware Client Attributes.
• IPsec settings, which specify tunneling protocols, filters, connection settings, and servers for the user group in an Easy VPN or remote access VPN. For more information, see ASA Group Policies IPSec Settings.
• Clientless settings, which configure the Clientless mode of access to the corporate network in an SSL VPN, for the ASA user group. For more information, see ASA Group Policies SSL VPN Clientless Settings.
• Full Client settings, which configure the Full Client mode of access to the corporate network in an SSL VPN, for the ASA user group. For more information, see ASA Group Policies SSL VPN Full Client Settings.
• General settings that are required for Clientless/Port Forwarding in an SSL VPN. For more information, see ASA Group Policies SSL VPN Settings.
• DNS/WINS settings that define the DNS and WINS servers and the domain name that should be pushed to remote clients associated with the ASA user group. For more information, see ASA Group Policies DNS/WINS Settings.
• Split tunneling that lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. For more information, see ASA Group Policies Split Tunneling Settings.
• Remote access or SSL VPN session connection settings for the ASA user group. For more information, see ASA Group Policies Connection Settings.

Related Topics

• Creating Group Policies (ASA, PIX 7.0+)
• Configuring Group Policies for Remote Access VPNs

Creating Group Policies (ASA, PIX 7.0+)

Note From version 4.17, though Cisco Security Manager continues to support PIX features/functionality, it does not support any enhancements.

Use the Group Policies page to create group policies for ASA or PIX 7.0+ devices used in remote access IPSec VPNs, or ASA devices used in remote access SSL VPNs. For information about group policies, see:

• Understanding Group Policies (ASA)
• Configuring Group Policies for Remote Access VPNs

Step 1 Do one of the following:

• (Device view) With an ASA or PIX 7.0+ device selected, select Remote Access VPN > Group Policies from the Policy selector.
• (Policy view) Select Remote Access VPN > Group Policies (ASA) from the Policy Type selector. Select an existing policy or create a new one.

The Group Policies page opens. The table lists the existing group policies, whether they are defined internally on the device or externally on a AAA server, and the protocol for the group: IKEv1 (IPsec), IKEv2 (IPsec), or SSL.

Step 2 Click Add Row (+) to open a dialog box from which you can select a user group from a list of predefined ASA user group objects, or create new ones if necessary. To create a new group, click the Create (+) button in the dialog box.

Step 3 Select the required ASA user group from the list and click OK. If the required group already exists, you are finished.

If the required ASA user group does not exist, create it by clicking Create (+). The Add ASA User Group dialog box appears, displaying a list of settings that you can configure for the ASA user group object. For a description of the elements on this dialog box, see ASA Group Policies Dialog Box.

Step 4 Enter a name for the object and optionally a description of the object.

Step 5 Select whether to store the ASA user group’s attributes and values locally on the device, or on an external server.

Note If you selected to store the ASA user group’s attributes on an external server, you do not need to configure any Technology settings. After you specify the AAA server group that will be used for authentication and a password to the AAA server, click OK and then select the group in the object selector and click OK to add it to the policy.

Step 6 If you selected to store the ASA user group’s attributes locally on the device, select the type of VPN for which you are creating the ASA user group from the Technology list:

• Easy VPN/IPSec IKEv1—For remote access IPsec VPNs that use IKE version 1 negotiations.
• Easy VPN/IPSec IKEv2—(ASA only.) For remote access IPsec VPNs that use IKE version 2 negotiations.
• SSL Clientless—(ASA only.) For SSL VPNs, all access modes (not just clientless).

Step 7 To configure the user group for Easy VPN/IPSec IKEv1 and Easy VPN/IPSec IKEv2, from the Easy VPN/IPSec VPN folder in the Settings pane:

a. Select Client Configuration to configure the Cisco client parameters. For a description of these settings, see ASA Group Policies Client Configuration Settings.

b. Select Client Firewall Attributes to configure the firewall settings for VPN clients. For a description of these settings, see ASA Group Policies Client Firewall Attributes.

c. Select Hardware Client Attributes to configure the VPN 3002 Hardware Client settings. For a description of these settings, see ASA Group Policies Hardware Client Attributes.

d. Select IPsec to specify tunneling protocols, filters, connection settings, and servers. For a description of these settings, see ASA Group Policies IPSec Settings.

Step 8 To configure the user group for an SSL VPN, from the SSL VPN folder in the Settings pane:

a. Select Clientless to configure the Clientless mode of access to the corporate network in an SSL VPN. For a description of these settings, see ASA Group Policies SSL VPN Clientless Settings.

b. Select Full Client to configure the Full Client mode of access to the corporate network in an SSL VPN. For a description of these settings, see ASA Group Policies SSL VPN Full Client Settings.

c. Select Settings to configure the general settings that are required for clientless and thin client (port forwarding) access modes in an SSL VPN. For a description of these settings, see ASA Group Policies SSL VPN Settings.

Step 9 Specify the following settings for an ASA user group in an Easy VPN/IPSec IKEv1 or IKEv2 VPN and SSL VPN configuration, in the Settings pane:

a. Select DNS/WINS to define the DNS and WINS servers and the domain name that should be pushed to clients associated with the ASA user group. For a description of these settings, see ASA Group Policies DNS/WINS Settings.

b. Select Split Tunneling to allow a remote client to conditionally direct encrypted packets through a secure tunnel to the central site and simultaneously allow clear text tunnels to the Internet through a network interface. For a description of these settings, see ASA Group Policies Split Tunneling Settings.

c. Select Connection Settings to configure the SSL VPN connection settings for the ASA user group, such as the session and idle timeouts, including the banner text. For a description of these settings, see ASA Group Policies Connection Settings.

Step 10 Click OK.

Step 11 Select the ASA user group from the list and click OK.

Configuring Trusted Pool Settings (ASA)

Use the Trusted Pool Settings page to configure options for certificate revocation. You can also launch the Trustpool Manager.

Navigation Path

(Device View only) Select an ASA device; then select Remote Access VPN > Trusted Pool from the Policy selector.

Related Topics

• Configuring SSL VPN Server Verification (ASA)
• Using the Trustpool Manager4

Field Reference

Using the Trustpool Manager

Use the Trustpool Manager to manage the certificates that are included in the trustpool. The Trustpool Manager provides the following functions:

• Updating the trustpool
• Importing a certificate bundle
• Exporting a certificate bundle
• Removing certificates from the trustpool

Navigation Path

(Device View only) Select an ASA device, select Remote Access VPN > Trusted Pool from the Policy selector, and then click Launch Trustpool Manager.

Updating the Trustpool

The trustpool should be updated if either of the following conditions exists:

• Any certificate in the trustpool is due to expire or has been re-issued.
• The published CA certificate bundle contains additional certificates that are required by a specific application.

To update the certificates in the trustpool, click Refresh Certificates.

Importing a Certificate Bundle

You can import individual certificates or bundles of certificates from a variety of locations in one of the following formats:

• x509 certificates in DER format wrapped in a pkcs7 structure
• a file of concatenated x509 certificates in PEM format (complete with PEM header)

To import a certificate or bundle:

1. Click Import Bundle.

2. Select the location of the bundle:

– Import from Cisco published signed root file distribution —Select this option to import from the published distribution site.

– Import from a URL —If the bundle is hosted on a server, select this option, select the protocol from the list, and enter the URL in the box.

– Bundle file on device —If the bundle is stored on the ASA flash file system, select this option and then enter the path to the bundle.

– Select bundle file —If the bundle is stored on your machine, click Import from a file, then click Browse Local Files and navigate to the bundle.

– Import default bundle —Select this option to import the default bundle.

3. Specify the following import options:

– Clear all certificates before import —Whether to clear the trustpool before importing the bundle.

– Continue to import the bundle if signature validation fails or can’t be performed —Whether to continue import if the signature can not be validated.

4. Click Import.

Exporting a Certificate Bundle

When you have correctly configured the Trustpool you should export the pool. This will enable you to restore the Trustpool to this point, for example if you wish to remove a certificate that was added to the trustpool after the export. You can export the pool to the Security Manager server file system or your local file system.

To export the certificate bundle:

1. Click Export Bundle.

2. Click Browse.

3. Select the tab that corresponds to the file system you want to export to (local machine or Security Manager server).

4. Navigate to the folder where you want to save the trustpool.

5. Enter a unique memorable name for the trustpool in the File name box.

6. Click Save.

Removing Certificates from the Trustpool

You can remove certificates from the trustpool using the following methods:

• To remove an individual certificate, select the certificate and click Delete.
• To remove all certificates that are not part of the default bundle, click Clear Trustpool.

Note Before clearing the trustpool you should export the current trustpool so that you can restore your current settings if needed.

Related Topics

• Configuring SSL VPN Server Verification (ASA)
• Configuring Trusted Pool Settings (ASA)

Configuring Certificate to Connection Profile Map Policies (ASA)

Certificate to connection profile map policies are used for enhanced certificate authentication on ASA devices in remote access IKEv1 IPSec VPNs. They are not used in remote access IKEv2 IPSec or SSL VPNs.

Certificate to connection profile map policies let you define rules to match a user’s certificate to a permission group based on specified fields. To establish authentication, you can use any field of the certificate, or you can have all certificate users share a permission group. You can match the group from the DN rules, the Organization Unit (OU) field, the IKE identity, or the peer IP address. You can use any or all of these methods.

To match user permission groups based on DN fields of the certificate, you define rules that specify the fields to match for a group and then enable each rule for that selected group. A connection profile must already exist in the configuration before you can create a rule for it.

This procedure describes how to configure a Certificate to Connection Profile Map policy for a remote client trying to connect to an ASA server device.

Step 1 Do one of the following:

• (Device View) Select an ASA device; then select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps > Policies from the Policy selector.
• (Policy View) Select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps > Policies from the Policy Type selector. Select an existing policy or create a new one.

The Certificate to Connection Profile Map Policies page opens.

Step 2 Select any, or all, of the following options to establish authentication and to determine to which connection profile (tunnel group) to map the client:

• Use Configured Rules to Match a Certificate to a Group —To use the rules defined in the Certificate to Connection Profile Maps > Rules policy. For information on configuring the rules, see Configuring Certificate to Connection Profile Map Rules (ASA).
• Use Certificate Organization Unit (OU) Field to Determine the Group —To use the organizational unit (OU) field of the client certificate.
• Use IKE Identify to Determine the Group —To use the IKE identity.
• Use Peer IP address to Determine the Group —To use the peer’s IP address.
• Use Group URL if Group URL and Certificate Map match different Connection profiles is supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.

Configuring Certificate to Connection Profile Map Rules (ASA)

If you configure certificate to connection profile maps, and select the option to Use Configured Rules to Match a Certificate to a Group (as explained in Configuring Certificate to Connection Profile Map Policies (ASA)), you need to configure the rules required to match a user to a connection profile based on the user certificate.

To match user permission groups based on fields of the certificate, you define rules that specify the fields to match for a group and then enable each rule for that selected group. You must first define a connection profile (tunnel group) before you can create and map a rule to it.

This procedure describes how to configure the Certificate to Connection Profile Map rules and parameters for any remote client trying to connect to an ASA server device.

Tip Certificate to connection profile map policies apply to remote access IKEv1 IPSec VPNs only. They do not apply to IKEv2 or SSL VPNs.

Before You Begin

• Make sure the connection profiles for which you are creating mapping rules has been configured on the device. See Configuring Connection Profiles (ASA, PIX 7.0+).
• Make sure that you select Use Configured Rules to Match a Certificate to a Group in the Certificate to Connection Profile Maps Policies policy. See Configuring Certificate to Connection Profile Map Policies (ASA).

Step 1 (Device view only) With an ASA device selected, select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps > Rules from the Policy selector.

The Certificate to Connection Profile Map Rules page is displayed. The policy has two tables:

• Maps table (upper table) —The upper table lists all connection profiles for which you are defining certificate to connection map rules. Each row is a profile map, which includes the name of the connection profile that is being mapped, the priority of the map (lower numbers have higher priority), and the map name. You can configure more than one map for the same connection profile.

– To configure rules for a map, select it and then use the rules table to create, edit, and delete the rules.

– To add a map, click the Add Row button and fill in the Map Rule Dialog Box (Upper Table).

– To edit map properties (not rules), select it and click the Edit Row button.

– To delete an entire map, select it and click the Delete Row button.

• Rules table (lower table) —The rules for the map selected in the upper table. You must ensure that the map is actually selected in the upper table: the group title above the rules table should say “ Details for (Connection Profile Name).”

When you select a map, the table shows all rules configured for the map, including the field (subject or issuer), certificate component, matching operator, and the value that the rule is looking for. The remote user must match all configured rules in a map for the device to use the mapped connection profile.

– To add a rule, click the Add Row button and fill in the Map Rule Dialog Box (Lower Table).

– To edit a rule, select it and click the Edit Row button.

– To delete a rule, select it and click the Delete Row button.

Step 2 To add a rule to a map:

a. Select the map in the upper table.

If the map does not already exist, create it by clicking the Add Row (+) button beneath the upper table and fill in the Map Rule dialog box for creating maps. In the dialog box, you must select the connection profile for the map, assign a relative priority between 1 and 65535 (lower numbers have higher priority), and a unique map name.

b. Ensure that the map is actually selected. Highlighting the map in the table is not sufficient. The heading above the lower table should be “ Details for (Connection Profile Name),” and unless the map is new, the table should show some rules.

c. To add a new certificate to connection profile matching rule that must be satisfied in order for a remote client to connect to the device using the profile in this map, click the Add Row (+) button beneath the lower table. This opens the Map Rule dialog box with different fields.

Note If you get the error message “Missing Settings, A value ID required for Mapping field, Please select a Mapping,” it means that you have not successfully selected a map in the upper table. Click on the desired map again.

d. From the Field list, select whether the rule should examine the Subject or Issuer field of the client certificate.

e. From the Component list, select the component of the client certificate to use for the matching rule.

f. From the Operator field, select how the component should be compared to the Value field: Equals (exact match is required), Contains (the entire value must appear), Does Not Equal, Does Not Contain.

g. In the Value field, specify the value to match, then click OK to save the rule.

h. Add additional rules to the map as desired.

Step 3 In the Default Connection Profile field, select the connection profile that should be used for users who do not meet any of the map rules.

Map Rule Dialog Box (Upper Table)

Use the Map Rule dialog box, when opened for the maps table in the upper part of the Certificate to Connection Profile Maps > Rules policy, to configure maps for which you can then configure rules in the lower table of the Rules policy. For a detailed explanation of configuring these maps and their associated rules, see Configuring Certificate to Connection Profile Map Rules (ASA).

Navigation Path

(Device View only) Select an ASA device; then select Remote Access VPN > Certificate to Connection Profile Maps > Rules from the Policy selector. Click the Add Row button beneath the upper table, or select a map in the upper table and click Edit Row.

Field Reference

Map Rule Dialog Box (Lower Table)

Use the Map Rule dialog box, when opened for the rules table in the lower part of the Certificate to Connection Profile Maps > Rules policy, to configure rules for the map selected in the maps table (upper table of the Rules policy). For a detailed explanation of configuring these rules, see Configuring Certificate to Connection Profile Map Rules (ASA).

Navigation Path

(Device View only) Select an ASA device; then select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps > Rules from the Policy selector. Click the Add Row button beneath the lower table, or select a rule in the lower table and click Edit Row.

Field Reference

Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.0+ Devices)

Note From version 4.17, though Cisco Security Manager continues to support PIX features/functionality, it does not support any enhancements.

This procedure describes how to create or edit an IPsec proposal for your remote access VPN server when the server is an ASA or PIX 7.0+ device.

Note Beginning with Cisco Security Manager version 4.17, you can configure and deploy IPSec Proposal policy on ASA multi-context devices running the software version 9.9(2) or later.

If you are configuring an IPsec proposal for IOS or PIX 6.3 devices, including Catalyst 6500/7600 devices, see Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices).

An IPsec proposal is a collection of one or more crypto maps. A crypto map combines all the components required to set up IPsec security associations (SAs), including IPsec rules, transform sets, remote peers, and other parameters that might be necessary to define an IPsec SA.

When configuring an IPsec proposal, you must define the external interface through which the remote access clients connect to the server, the IKE version to use during IKE negotiation, and the encryption and authentication algorithms that protect the data in the VPN tunnel. You can also enable reverse route injection and NAT traversal.

For more information on IPsec tunnel concepts, see Understanding IPsec Proposals.

Related Topics

• Table Columns and Column Heading Features

Step 1 Do one of the following:

• (Device view) Select Remote Access VPN > IPSec VPN > IPsec Proposal (ASA/PIX 7.x) from the Policy selector.
• (Policy view) Select Remote Access VPN > IPSec VPN > IPsec Proposal (ASA/PIX 7.x) from the Policy Type selector. Select an existing policy or create a new one.

The IPsec Proposal page opens and lists the configured proposals, including the VPN endpoint, IPsec transform set, and whether reverse route injection is configured for the proposal.

Step 2 Do any of the following:

• To add a new IPsec proposal, click the Add Row (+) button and fill in the IPsec Proposal Editor dialog box. For detailed information on the available options, see IPsec Proposal Editor (ASA, PIX 7.0+ Devices).
• To edit an existing proposal, select it and click the Edit Row (pencil) button.
• To delete a proposal, select it and click the Delete Row (trash can) button.

IPsec Proposal Editor (ASA, PIX 7.0+ Devices)

Note From version 4.17, though Cisco Security Manager continues to support PIX features/functionality, it does not support any enhancements.

Use the IPsec Proposal Editor to create or edit an IPsec proposal for an ASA or PIX 7.0+ device.

The elements in this dialog box differ according to the selected device. The table below describes the elements on the General tab in the IPsec Proposal Editor dialog box when an ASA or PIX 7.0+ device is selected.

Note For a description of the elements in the dialog box when a PIX 7.0+ or ASA device is selected, see IPsec Proposal Editor (IOS, PIX 6.3 Devices).

Navigation Path

• (Device view) Select Remote Access VPN > IPSec VPN > IPsec Proposal (ASA/PIX 7.x) from the Policy selector. Click the Add Row (+) or Edit Row (pencil) buttons.
• (Policy view) Select Remote Access VPN > IPSec VPN > IPsec Proposal (ASA/PIX 7.x) from the Policy Type selector. Select an existing policy or create a new one. Click the Add Row (+) or Edit Row (pencil) buttons.

Related Topics

• Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.0+ Devices)
• Understanding IPsec Proposals
• Creating Interface Role Objects
• Creating AAA Server Group Objects

Field Reference

Understanding SSL VPN Access Policies (ASA)

An Access policy specifies the security appliance interfaces on which a remote access SSL or IKEv2 IPsec VPN connection profile can be enabled, the port to be used for the connection profile, Datagram Transport Layer Security (DTLS) settings, the SSL VPN session timeout and maximum number of sessions. You can also specify whether to use the AnyConnect VPN Client or AnyConnect Essentials Client.

For more information about the Anyconnect VPN Client, see Understanding SSL VPN AnyConnect Client Settings. The remainder of this topic explains DTLS and AnyConnect Essentials in more detail.

Datagram Transport Layer Security (DTLS)

Enabling Datagram Transport Layer Security (DTLS) allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels—an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with SSL connections and improves the performance of real-time applications that are sensitive to packet delays. By default, DTLS is enabled when SSL VPN access is enabled on an interface. If you disable DTLS, SSL VPN connections connect with an SSL VPN tunnel only.

Note In order for DTLS to fall back to a TLS connection, you must specify a fallback trustpoint. If you do not specify a fallback trustpoint and the DTLS connection experiences a problem, the connection terminates instead of falling back to the specified trustpoint.

AnyConnect Essentials VPN Client

AnyConnect Essentials is a separately licensed VPN client for SSL or IKEv2 IPsec, entirely configured on the adaptive security appliance, that provides the full AnyConnect capability, with the following exceptions:

• No CSD (including HostScan/Vault/Cache Cleaner)
• No clientless SSL VPN
• Optional Windows Mobile Support

The AnyConnect Essentials client provides remote end users running Microsoft Windows Vista, Windows Mobile, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a Cisco VPN client. If this feature is disabled, the full AnyConnect VPN client is used. This feature is disabled by default.

Note This license cannot be used at the same time as the shared license for SSL VPN.

This section contains the following topics:

• SSL VPN Access Policy Page
• Configuring an Access Policy

SSL VPN Access Policy Page

Use the SSL VPN Access Policy page to configure access parameters for your remote access SSL or IKEv2 IPsec VPN. For more information about configuring an Access policy, see Configuring an Access Policy.

Tip Any trustpoints that you specify in this policy must also be selected in the Public Key Infrastructure policy. For more information, see Configuring Public Key Infrastructure Policies for Remote Access VPNs.

Navigation Path

• (Device View) Select Remote Access VPN > SSL VPN > Access from the Policy selector.
• (Policy View) Select Remote Access VPN > SSL VPN > Access (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Related Topics

• Understanding SSL VPN Access Policies (ASA)
• Understanding Interface Role Objects

Field Reference

Access Interface Configuration Dialog Box

Use the Access Interface Configuration dialog box to configure an interface on an ASA device for remote access SSL or IKEv2 IPSec VPN connections.

Navigation Path

Open the SSL VPN Access policy (see SSL VPN Access Policy Page), then click Add Row below the interface table, or select a row in the table and click Edit Row.

Related Topics

• Configuring an Access Policy
• Understanding Interface Role Objects

Field Reference

Server Name Indication Dialog Box

Beginning from version 4.8, Security Manager enables you to configure Server Name Indication mappings used by the enabled VPN interface for authentication. This capability includes the mapping of domain names to trustpoints.

Use the Server Name Indication dialog box to define or modify a domain and trustpoint for each interface.

NOTES:

• You can configure a unique domain name to a trustpoint. However, you can map a trustpoint to multiple domain names. You can configure a maximum of 16 unique trustpoints.
• Server Name Indication mapping of domain names to trustpoints is supported for devices that are running the ASA software version 9.3(2) or higher.

Navigation Path

Open the SSL VPN Access policy (see SSL VPN Access Policy Page), then click Add Row below the ServerNameIndication table, or select a row in the table and click Edit Row.

Field Reference

Configuring an Access Policy

This procedure describes how to configure an Access policy on an ASA device. Access policies are required for remote access SSL and IKEv2 IPSec VPN connections. For more information about access policies, see Understanding SSL VPN Access Policies (ASA).

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Access from the Policy selector.
• (Policy view) Select Remote Access VPN > SSL VPN > Access (ASA) from the Policy Type selector. Select an existing policy or create a new one.

The Access page opens. For a description of the elements on this page, see SSL VPN Access Policy Page.

Step 2 In the interface table at the top of the policy, configure all of the interfaces on which you will allow remote access SSL or IKEv2 IPSec VPN connections:

• To add an interface, click the Add Row (+) button beneath the table and fill in the Add Access Interface Configuration dialog box. You must specify the interface name (or an interface role object that identifies the desired interfaces) and whether to allow access on the interface.

You can also specify the PKI enrollment object that identifies the Certificate Authority (CA) server trustpoint for the interface (and a load balancing trustpoint if you use load balancing), whether to enable DTLS connections, and whether to require that the client have a valid certificate to complete a connection. For details about the options, see Access Interface Configuration Dialog Box.

• To edit the settings for an interface, select it and click the Edit Row (pencil) button.
• To delete an interface, select it and click the Delete Row button. Keep in mind that you can edit the interface settings to disable access, so you should delete an interface only if you want to permanently remove it from VPN use.

Step 3 Configure the remaining settings. The settings are described in detail in SSL VPN Access Policy Page. The following are the settings that are of particular interest:

• Fallback Trustpoint —The Certificate Authority (CA) server trustpoint to use if an interface does not have a trustpoint configured in the table. Enter the name of a PKI enrollment object, or click Select to select one or to create a new object.
• Allow Users to Select Connection Profile in Portal Page —If you have multiple tunnel groups, selecting this option allows the user to select the correct tunnel group during login. You must select this option for IKEv2 IPSec VPNs.
• Enable AnyConnect Access —The AnyConnect VPN client is a full client; you must enable AnyConnect access if you want to allow full client access to the VPN. You must select this option for IKEv2 IPSec VPNs.

For more information about AnyConnect, including AnyConnect Essentials, see Understanding SSL VPN AnyConnect Client Settings.

• Enable AnyConnect Essentials —Select this option if you are using AnyConnect Essentials clients, which you can use with remote access SSL or IKEv2 IPSec VPNs.

Step 4 Any trustpoints that you specify in this policy must also be selected in the Public Key Infrastructure policy. For more information, see Configuring Public Key Infrastructure Policies for Remote Access VPNs.

Configuring Other SSL VPN Settings (ASA)

The SSL VPN Other Settings policy for ASA devices defines settings that include caching, content rewriting, character encoding, proxy and proxy bypass definitions, browser plug-ins, AnyConnect client images and profiles, Kerberos Constrained Delegation, and some other advanced settings.

To configure the Other Settings policy, do one of the following:

• (Device View) Select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.
• (Policy View) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one.

You can then configure the settings on the following tabs:

• Performance tab—To configure caching to improve SSL VPN performance. See Configuring SSL VPN Performance Settings (ASA). This is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
• Content Rewrite tab—To create rules that permit users to browse certain sites and applications without going through the security appliance itself. See Configuring SSL VPN Content Rewrite Rules (ASA). This is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
• Encoding tab—To configure non-default encoding for web pages delivered from CIFS servers. Encoding is normally determined by the remote user’s browser. See Configuring SSL VPN Encoding Rules (ASA). This is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
• Proxy tab—To define HTTP or HTTPS proxy servers, if your network requires them, and proxy bypass rules. See Configuring SSL VPN Proxies and Proxy Bypass (ASA). This is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
• Plug In tab—To define browser plug-ins, which are separate programs that a web browser invokes to perform a dedicated function. See Configuring SSL VPN Browser Plug-ins (ASA). This is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
• Client Settings tab—To configure AnyConnect client images and profiles for downloading to clients. See the following topics:

– Understanding SSL VPN AnyConnect Client Settings

– Configuring SSL VPN AnyConnect Client Settings (ASA)

This is partially supported for ASA 9.5(2) Remote Access VPN in Multi-context mode. Only the AnyConnect Client Image is supported in ASA 9.5(2) Multiple Context Mode. Beginning with version 4.12, Security Manager provides support for multi-context ASA 9.6(2) and later devices for Admin and User contexts. The CLIs supported are:

– Anyconnect image

– Anyconnect profile

During discovery, the AnyConnect Image is not discovered for ASA 9.5(2) remote access VPN Multiple Context mode. After discovery if you want to remove the AnyConnect Image configuration you must use FlexConfig.

• Microsoft KCD Server—To configure Kerberos Constrained Delegation (KCD) for use with clientless SSL VPN connections. See the following topics:

– Understanding Kerberos Constrained Delegation (KCD) for SSL VPN (ASA)

– Configuring Kerberos Constrained Delegation (KCD) for SSL VPN (ASA)

This is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.

• AnyConnect Custom Attributes tab—To configure AnyConnect custom attributes. See Configuring AnyConnect Custom Attributes (ASA). AnyConnect Custom Attributes tab is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
• Advanced tab—To configure the memory, on-screen keyboard, and internal password features. This is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.

Note Beginning with 4.15, Cisco Security Manager supports HTTP Strict Transport Security (HSTS). HTTS is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and hijack of cookies.

You can enable or disable HSTS and also provide the timeout values in the Advanced tab. See Configuring SSL VPN Advanced Settings (ASA).

• SSL Server Verification tab—To enable HTTPS server verification for clientless SSL VPN users. See Configuring SSL VPN Server Verification (ASA). This is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.

Tip You must also configure a connection profile policy on the device. See Configuring Connection Profiles (ASA, PIX 7.0+).

Configuring SSL VPN Performance Settings (ASA)

Caching enhances SSL VPN performance. It stores frequently reused objects in the system cache, which reduces the need to perform repeated rewriting and compressing of content. It reduces traffic between SSL VPN and both the remote servers and end-user browsers, with the result that many applications run much more efficiently.

This procedure describes how to enable caching on your ASA security appliance.

Related Topics

• Configuring Other SSL VPN Settings (ASA)

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other Settings from the Policy selector. Click the Performance tab if it is not already selected.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one. Click the Performance tab if it is not already selected.

Step 2 Select Enable to enable caching on the security appliance.

If you deselect this option, the cache settings configured on the security appliance do not take effect.

Step 3 Configure the following options:

• Minimum Object Size —The minimum size of an HTTP object that can be stored in the cache on the security appliance, in kilobytes. The range is 0-10,000 KB. The default is 0 KB.
• Maximum Object Size —The maximum size of an HTTP object that can be stored in the cache on the security appliance, in kilobytes. The range is 0-10,000 KB. The default is 1000 KB. The maximum size must be larger than the minimum size.
• Last Modified Factor —An integer to set a revalidation policy for caching objects that have only the last-modified timestamp, and no other server-set expiration values. The range is 1-100. The default is 20.

The Expires response from the origin web server to the security appliance request, which indicates the time that the response expires, also affects caching. This response header indicates the time that the response becomes stale and should not be sent to the client without an up-to-date check (using a conditional GET operation).

The security appliance can also calculate an expiration time for each web object before it is written to disk. The algorithm to calculate an object’s cache expiration date is as follows:

Expiration date = (Today’s date - Object’s last modified date) * Freshness factor

After the expiration date has passed, the object is considered stale and subsequent requests causes a fresh retrieval of the content by the security appliance. Setting the last modified factor to zero is equivalent to forcing an immediate revalidation, while setting it to 100 results in the longest allowable time until revalidation.

• Expiration Time —The amount of time (in minutes) that the security appliance caches objects without revalidating them. The range is 0-900 minutes. The default is one minute.

Revalidation consists of rejecting the objects from the origin server before serving the requested content to the client browser when the age of the cached object has exceeded its freshness lifetime. The age of a cached object is the time that the object has been stored in the security appliance’s cache without the security appliance explicitly contacting the origin server to check if the object is still fresh.

• Cache Static Content —Whether to cache static content on the security appliance. Each web page can include static and dynamic objects. The security appliance caches individual static objects, such as image files (*.gif, *.jpeg), java applets (.js), and cascading style sheets (*.css).

Configuring SSL VPN Content Rewrite Rules (ASA)

SSL VPN processes application traffic through a content transformation/rewriting engine that includes advanced elements (such as, JavaScript, VBScript, Java, and multi-byte characters) to proxy HTTP traffic depending on whether the user is using an application within or independently of an SSL VPN device.

If you do not want some applications and web resources, such as public web sites, to go through the security appliance, you can create rewrite rules that permit users to browse certain sites and applications without going through the security appliance itself. This is similar to split tunneling in an IPsec VPN connection.

In the Content Rewrite tab of the SSL VPN Other Settings page, you can configure multiple content rewrite rules. The Content Rewrite tab lists all applications for which content rewrite is enabled or disabled.

Tip The security appliance searches rewrite rules by order number, starting with the lowest, and applies the first rule that matches.

This procedure shows you how to create or edit content rewrite rules.

Related Topics

• Configuring Other SSL VPN Settings (ASA)

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Step 2 On the Other Settings page, click the Content Rewrite tab. The Content Rewrite tab displays all applications for which content rewrite is enabled or disabled.

The security appliance searches rewrite rules by order number, starting with the lowest, and applies the first rule that matches. The resource mask defines the application string to which the rule is matched.

If a rule does not have a number, it is evaluated after all of the numbered rules.

Step 3 Do any of the following:

• To add a rule, click the Add Row button beneath the table and fill in the Add Content Rewrite dialog box. The options are described in detail in Add/Edit Content Rewrite Dialog Box.
• To edit a rule, select it, click the Edit Row button, and make your changes in the Edit Content Rewrite dialog box.
• To delete a rule, select it and click the Delete Row button. You are asked to confirm the deletion.

Add/Edit Content Rewrite Dialog Box

Use the Add or Edit Content Rewrite dialog box to configure the rewriting engine that includes advanced elements such as JavaScript, VBScript, Java, and multi-byte characters to proxy HTTP traffic over a SSL VPN connection. For more information about content rewrite rules, see Configuring SSL VPN Content Rewrite Rules (ASA).

Navigation Path

From the Content Rewrite tab of the SSL VPN Other Settings policy for ASA devices, click the Add Row button, or select a rule and click the Edit Row button. For detailed information on opening the tab, see Configuring SSL VPN Content Rewrite Rules (ASA).

Related Topics

• Configuring Other SSL VPN Settings (ASA)

Field Reference

Configuring SSL VPN Encoding Rules (ASA)

Use the Encoding tab of the SSL VPN Other Settings page to specify the character set to encode in SSL VPN portal pages to be delivered to remote users. By default, the encoding type set on the remote browser determines the character set for SSL VPN portal pages, so you need to set the character encoding only if it is necessary to ensure proper encoding on the browser.

Character encoding is the pairing of raw data (such as 0’s and 1’s) with characters to represent the data. The language determines the character encoding method to use. Some languages use the same method, while others do not. Usually, the geographic region determines the default encoding method used by the browser, but the remote user can change this. The browser can also detect the encoding specified on the page, and render the document accordingly.

The encoding attribute lets you specify the value of the character encoding method in the SSL VPN portal page to ensure that the browser renders it properly, regardless of the region in which the user is using the browser, or any changes made to the browser.

The character encoding attribute is a global setting that, by default, all SSL VPN portal pages inherit. However, you can override the file-encoding attribute for Common Internet File System (CIFS) servers that use character encoding that differs from the value of the character-encoding attribute. You can use different file-encoding values for CIFS servers that require different character encodings.

The SSL VPN portal pages downloaded from the CIFS server to the SSL VPN user encode the value of the SSL VPN file-encoding attribute identifying the server, or if one does not, they inherit the value of the character encoding attribute. The remote user’s browser maps this value to an entry in its character encoding set to determine the proper character set to use. The SSL VPN portal pages do not specify a value if SSL VPN configuration does not specify a file encoding entry for the CIFS server and the character encoding attribute is not set. The remote browser uses its own default encoding if the SSL VPN portal page does not specify the character encoding, or if it specifies a character encoding value that the browser does not support.

In the Encoding tab of the SSL VPN Global Settings page, you can view the currently configured character sets associated with the CIFS server to be encoded in the portal pages. From this tab, you can create or edit the character sets, as described in the following procedure.

Related Topics

• Configuring Other SSL VPN Settings (ASA)

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Step 2 On the Other Settings page, click the Encoding tab. The Encoding tab displays the default encoding and a list of CIFS servers for which encoding rules are configured.

Step 3 From the Global SSL VPN Encoding Type list, select the attribute that determines the character encoding that all SSL VPN portal pages inherit, except for those from the CIFS servers listed in the table.

Note If you choose none or specify a value that the browser on the SSL VPN client does not support, the browser uses its own default encoding. The default global encoding is none.

You can select from the following encoding types:

• big5
• gb2312
• ibm-850
• iso-8859-1
• shift_jis

Note If you are using Japanese Shift_jis Character encoding, click Do not specify in the Font Family area of the associated Select Page Font pane to remove the font family.

• unicode
• windows-1252
• none

Step 4 Do any of the following:

• To add a rule, click the Add Row button beneath the table and configure the following settings in the Add File Encoding dialog box:

– CIFS Server IP, CIFS Server Host —Select one of these options to specify the CIFS server either by IP address or hostname. If you select IP address, you can either enter the IP address or the name of a network/host object that specifies one or more individual IP addresses.

If you specify a hostname, the security appliance retains the case you specify, although it ignores the case when matching the name to a server.

– Encoding Type —Select the encoding type. The options are the same as for the global setting described above.

• To edit a rule, select it, click the Edit Row button, and make your changes in the Edit File Encoding dialog box.
• To delete a rule, select it and click the Delete Row button. You are asked to confirm the deletion.

Configuring SSL VPN Proxies and Proxy Bypass (ASA)

Use the Proxy tab of the SSL VPN Other Settings page to configure the security appliance to terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers. On this tab, you can also configure the security appliance to perform minimal content rewriting and to specify the types of content to rewrite—external links, XML, or neither.

The security appliance can terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers. These servers act as intermediaries between users and the Internet. Requiring all Internet access through a server you control provides another opportunity for filtering to assure secure Internet access and administrative control.

Note The HTTP/HTTPS proxy does not support connections to personal digital assistants.

You can specify a proxy auto-configuration (PAC) file to download from an HTTP proxy server; however, you cannot use proxy authentication when specifying the PAC file.

You can configure the security appliance to use proxy bypass when applications and web resources work better with the content rewriting this feature provides. Proxy bypass is an alternative method of content rewriting that makes minimal changes to the original content. It is useful with custom web applications.

You can configure multiple proxy bypass entries. The order in which you configure them is unimportant. The interface and path mask or interface and port uniquely identify a proxy bypass rule.

If you configure proxy bypass using ports rather than path masks, depending on your network configuration, you might need to change your firewall configuration to allow these ports access to the security appliance. Use path masks to avoid this restriction. Be aware, however, that path masks can change, so you might need to use multiple path mask statements to exhaust the possibilities.

This procedure shows you how to define proxies and proxy bypass rules for your SSL VPN.

Related Topics

• Configuring Other SSL VPN Settings (ASA)

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Step 2 On the Other Settings page, click the Proxy tab. The Proxy tab displays any currently defined proxies and proxy rules.

Step 3 From the Proxy Type field, select the type of external proxy server to use for SSL VPN connections:

• HTTP/HTTPS Proxy Server —To specify proxy servers to handle HTTP or HTTPS requests.
• Proxy Using PAC —To specify a proxy auto-configuration (PAC) file to download from an HTTP proxy server to the user’s browser. Once downloaded, the PAC file uses a JavaScript function to identify a proxy for each URL.

If you select this option, enter the URL for the PAC file in the Specify Proxy Auto Config file URL field. The URL must begin with http:// or the security appliance will not use the PAC file.

Step 4 If you select HTTP/HTTPS Proxy Server for the proxy type, configure the settings for the HTTP and HTTPS proxy servers. There are separate settings for the HTTP and HTTPS server, allowing you to use different servers, or to specify only one type of proxy. Configure the following options:

• Enable HTTP Proxy Server, Enable HTTPS Proxy Server —Select either or both of these options to configure the proxy server.
• HTTP Proxy Server (IPv4/IPv6), HTTPS Proxy Server (IPv4/IPv6) —Enter the IP address, or the name of a network/host object that contains the single proxy server’s IP address, for each type of proxy server you are configuring. You can click Select to select the object from a list or to create a new object.

The default ports are 80 for HTTP and 443 for HTTPS.

Beginning with version 4.12, Security Manager supports IPv6 addresses for ASA 9.0(1) or later devices. If the IPv6 address you entered is invalid, Security Manager would throw an error. Security Manager displays a warning message if the object is not available when you select the proxy server from the list.

• HTTP Proxy Port, HTTPS Proxy Port —Enter the port on the proxy server to which HTTP or HTTPS requests will be forwarded. You can also enter the name of a port list object that defines the port, or click Select to select an object or to create a new one.
• Exception Address List —A URL or a comma-delimited list of several URLs to exclude from those that should be sent to the HTTP or HTTPS proxy servers. The string does not have a character limit, but the entire command cannot exceed 512 characters. You can specify literal URLs or use the following wildcards:

– * to match any string, including slashes (/) and periods (.). You must accompany this wildcard with an alphanumeric string.

– ? to match any single character, including slashes and periods.

– [x-y] to match any single character in the range of x and y, where x represents one character and y represents another character in the ANSI character set.

– [!x-y] to match any single character that is not in the range.

• Authentication User Name, Authentication Password, Confirm —If the proxy server requires user authentication, enter a valid user name and password.

Step 5 If necessary, configure proxy bypass rules in the Proxy Bypass table at the bottom of the tab. Proxy bypass rules specify the ASA interface, port, and target URL configured for proxy bypass. Do any of the following:

• To create a proxy bypass rule, click the Add Row button and fill in the Add Proxy Bypass dialog box. For specific information on the attributes of a proxy bypass rule, see Add or Edit Proxy Bypass Dialog Box.
• To edit a proxy bypass rule, select the rule and click the Edit Row button.
• To delete a rule, select it and click the Delete Row button. You are asked to confirm the deletion.

Tip If you configure proxy bypass rules, you must also configure the SSL VPN Access policy. For more information, see Configuring an Access Policy.

Add or Edit Proxy Bypass Dialog Box

Use the Add or Edit Proxy Bypass dialog box to set proxy bypass rules when the security appliance should perform little or no content rewriting.

Navigation Path

From the Proxy tab of the SSL VPN Other Settings policy for ASA devices, click the Add Row button, or select a rule and click the Edit Row button. For detailed information on opening the tab, see Configuring SSL VPN Encoding Rules (ASA).

Field Reference

Configuring SSL VPN Browser Plug-ins (ASA)

A browser plug-in is a separate program that a web browser invokes to perform a dedicated function, such as connect a client to a server within the browser window. The security appliance lets you import plug-ins for download to remote browsers in clientless SSL VPN sessions.

Cisco redistributes the following open-source, Java-based components to be accessed as plug-ins for web browsers in Clientless SSL VPN sessions. Cisco tests the plug-ins it redistributes, and in some cases, tests the connectivity of plug-ins we cannot redistribute. These files are available in the \files\vms\repository folder in the product installation folder (usually C:\Program Files\CSCOpx) on the Security Manager server. The actual file names include release numbers:

• rdp-plugin.jar—The Remote Desktop Protocol plug-in lets the remote user connect to a computer running Microsoft Terminal Services. The web site containing the source of the redistributed plug-in is http://properjavardp.sourceforge.net/.
• ssh-plugin.jar—The Secure Shell-Telnet plug-in lets the remote user establish a Secure Shell or Telnet connection to a remote computer. The web site containing the source of the redistributed plug-in is http://javassh.org/.

Note The ssh-plugin.jar provides support for both SSH and Telnet protocols. The SSH client supports SSH Version 1.0.

• vnc-plugin.jar—The Virtual Network Computing plug-in lets the remote user use a monitor, keyboard, and mouse to view and control a computer with remote desktop sharing turned on. The web site containing the source of the redistributed plug-in is http://www.tightvnc.com.

Note Per the GNU General Public License (GPL), Cisco redistributes plug-ins without having made any changes to them. Per the GPL, Cisco cannot directly enhance these plug-ins.

The security appliance does the following when you install a plug-in onto the flash device:

• (Cisco-distributed plug-ins only) Unpacks the jar file specified in the URL.
• Writes the file to the csco-config/97/plugin directory on the security appliance file system.
• Enables the plug-in for all future clientless SSL VPN sessions, and adds a main menu option and an option to the drop-down menu next to the Address field of the portal page.

When the user in a clientless SSL VPN session clicks the associated menu option on the portal page, the portal page displays a window to the interface and displays a help pane. The user can select the protocol displayed in the drop-down menu and enter the URL in the Address field to establish a connection.

Note Some Java plug-ins might report a status of connected or online even when a session to the destination service is not set up. The open-source plug-in reports the status, not the security appliance.

In the Plug-in tab of the SSL VPN Global Settings page, you can view the currently configured browser plug-ins for clientless SSL VPN browser access. From this tab, you can create or edit the plug-in files, as described in the following procedure.

Plug-in Requirements and Restrictions

Clientless SSL VPN must be enabled on the security appliance to provide remote access to the plug-ins. The minimum access rights required for remote use belong to the guest privilege mode. The plug-ins automatically install or update the Java version required on the remote computer. A stateful failover does not retain sessions established using plug-ins. Users must reconnect following a failover.

Before installing a plug-in, prepare the security appliance as follows:

• Make sure clientless SSL VPN is enabled on an interface on the security appliance.
• Install an SSL certificate onto the security appliance interface to which remote users use a fully-qualified domain name (FQDN) to connect.

Note Do not specify an IP address as the common name (CN) for the SSL certificate. The remote user attempts to use the FQDN to communicate with the security appliance. The remote PC must be able to use DNS or an entry in the System32\drivers\etc\hosts file to resolve the FQDN.

Related Topics

• Understanding and Managing SSL VPN Support Files
• Configuring Other SSL VPN Settings (ASA)

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Step 2 On the Other Settings page, click the Plug-in tab. The Plug-in tab lists all configured plug-ins, including the type of plug-in and the name of the File policy object that defines the actual plug-in file.

Step 3 Do any of the following:

• To add a plug-in, click the Add Row button beneath the table and fill in the Add Plug-In Entry dialog box as follows:

– Plug-in —Select the type of plug-in that you are adding:

– Remote Desktop (RDP) or RDP2—For Remote Desktop Protocol services.

– Secure Shell (SSH), Telnet—For Secure Shell and Telnet services.

– VNC—For Virtual Network Computing services.

– Citrix (ICA)—For Citrix MetaFrame services.

– Post—For post services.

– Plug-in File —The name of the File policy object that defines the plug-in file. Enter the name of the File object or click Select to select an object or to create a new one. For more information on creating File Objects, see Add and Edit File Object Dialog Boxes.

• To edit a plug-in, select it, click the Edit Row button, and make your changes in the Edit Plug-In Entry dialog box.
• To delete a plug-in, select it and click the Delete Row button. You are asked to confirm the deletion.

Understanding SSL VPN AnyConnect Client Settings

The Cisco AnyConnect VPN Client provides secure SSL and IKEv2 IPsec connections to the security appliance for remote users. The client gives remote users the benefits of an SSL or IKEv2 IPsec VPN client without the need for network administrators to install and configure clients on remote computers.

Tip IKEv2 IPsec connections require AnyConnect 3.0 or higher clients.

Without a previously installed client, remote users enter the IP address in their browser of an interface configured to accept SSL or IKEv2 IPsec VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, users must enter the URL in the form https:// <address>.

After the user enters the URL, the browser connects to that interface and displays the login screen. If the user satisfies the login authentication, and the security appliance identifies the user as requiring the client, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself, establishes a secure connection and either remains or uninstalls itself (depending on the security appliance configuration) when the connection terminates.

In the case of a previously installed client, when the user authenticates, the security appliance examines the revision of the client and upgrades the client as necessary.

When the client negotiates a connection with the security appliance, it connects using Transport Layer Security (TLS), and optionally, Datagram Transport Layer Security (DTLS). DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

The AnyConnect client can be downloaded from the security appliance, or it can be installed manually on the remote workstation by the system administrator. For more information about installing the client manually, see the Cisco AnyConnect Secure Mobility Client Administrator Guide. AnyConnect documentation is available at http://www.cisco.com/en/US/products/ps10884/tsd_products_support_series_home.html. You can find general information about AnyConnect at http://www.cisco.com/go/anyconnect.

The security appliance downloads the client based on the group policy or username attributes of the user establishing the connection. You can configure the security appliance to automatically download the client, or you can configure it to prompt the remote user about whether to download the client. In the latter case, if the user does not respond, you can configure the security appliance to either download the client after a timeout period or present the login page.

AnyConnect Client Profiles

An AnyConnect client profile is a group of configuration parameters, stored in an XML file, that the client uses to configure the connection entries that appear in the client user interface. These parameters (XML tags) include the names and addresses of host computers and settings to enable additional client features.

The AnyConnect client installation includes a profile template, named AnyConnectProfile.tmpl, that you can edit with a text editor and use as a basis to create other profile files. You can also set advanced parameters that are not available through the user interface. The installation also includes a complete XML schema file, named AnyConnectProfile.xsd.

You can add the profile to the Client Settings tab in the Other Settings policy to have it loaded onto the security appliance and subsequently downloaded to the client workstations based on group policies and username attributes.

Related Topics

• Understanding and Managing SSL VPN Support Files
• Configuring SSL VPN AnyConnect Client Settings (ASA)
• Cisco AnyConnect Profile Editor

Cisco AnyConnect Profile Editor

You can configure a profile using the AnyConnect profile editor, a convenient GUI-based configuration tool launched from Cisco Security Manager. The AnyConnect software package for Windows, version 2.5 and later, includes the editor, which activates when you launch the editor from the Add/Edit AnyConnect Client Profile dialog box as long as you have added an appropriate AnyConnect package to the AnyConnect Client Image list.

Note The Cisco AnyConnect Profile Editor is an independent program. For information about configuring AnyConnect profiles, and what AnyConnect Profile Editor can do for you, see the materials available online at http://www.cisco.com/en/US/products/ps10884/products_installation_and_configuration_guides_list.html.

Note Beginning with version 4.7, Security Manager provides support for AnyConnect version 3.2.

Navigation Path

Open the Add/Edit AnyConnect Client Profile dialog box, then click Launch Editor (you must first add an appropriate AnyConnect package to the AnyConnect Client Image list before accessing the Add/Edit AnyConnect Client Profile dialog box). The AnyConnect Profile Editor is displayed.

Related Topics

• Understanding SSL VPN AnyConnect Client Settings
• Configuring SSL VPN AnyConnect Client Settings (ASA)
• Understanding and Managing SSL VPN Support Files

Configuring SSL VPN AnyConnect Client Settings (ASA)

This procedure shows you how to define SSL and IKEv2 IPsec VPN client images and profiles. For a detailed explanation of AnyConnect images and profiles, see Understanding SSL VPN AnyConnect Client Settings.

Tip Ensure that you add AnyConnect images of the required releases. For example, if you are configuring an IKEv2 IPsec VPN, you must include an AnyConnect 3.0 or higher image. In general, the image versions must support the features you are deploying in the remote access VPN.

Related Topics

• Understanding SSL VPN AnyConnect Client Settings
• Cisco AnyConnect Profile Editor
• Understanding and Managing SSL VPN Support Files
• Configuring Other SSL VPN Settings (ASA)

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Step 2 On the Other Settings page, click the Client Settings tab. The tab has two tables listing the configured AnyConnect clients and profiles separately.

The AnyConnect images include an order number. The security appliance downloads portions of the AnyConnect images to the remote computer until it achieves a match with the operating system, starting with the highest order number. Therefore, you should give the highest number to the image used by the most commonly-encountered operating system.

Because mobile users have slower connection speeds, you should load the AnyConnect image for Windows Mobile at the top of the list. Alternatively, you can decrease the connection time by specifying the regular expression Windows CE to match the user agent on Windows Mobile devices. When the browser on the mobile device connects to the ASA, it includes the User-Agent string in the HTTP header. The ASA, receiving the string, immediately downloads AnyConnect for Windows Mobile without ascertaining whether the other AnyConnect images are appropriate.

Step 3 To add an AnyConnect client image or make changes to the existing list, do any of the following:

• To add an AnyConnect image, click the Add Row button beneath the table and fill in the Add AnyConnect Client Image dialog box. You need to specify the name of the File object that defines the image and the priority order of the image. You can also specify a regular expression for the connecting client to speed up the download. For detailed information about the options, see Add/Edit AnyConnect Client Image Dialog Box.
• To edit an image, select it, click the Edit Row button, and make your modifications in the Edit AnyConnect Client Image dialog box.
• To delete an image, select it and click the Delete Row button. You are asked to confirm the deletion.

Step 4 To add an AnyConnect profile or make changes to the existing list, do any of the following:

• To add an AnyConnect profile, click the Add Row button beneath the table and configure these options in the Add AnyConnect Client Profile dialog box:

– AnyConnect Profile Name —The name of the profile.

To use this profile, ensure that you specify the profile name in an ASA Group Policy object assigned to the security appliance (in the Full Client settings page as described in ASA Group Policies SSL VPN Full Client Settings). Configure the ASA Group Policy object through the remote access Connection Profiles policy for the device as described in Configuring Connection Profiles (ASA, PIX 7.0+).

– AnyConnect Profile Type —Select the type of AnyConnect Profile you are adding or editing: VPN, Network Access Manager, Telemetry, Web Security, ISE Posture, or Customer Experience Feedback.

– AnyConnect Profile File —The name of the File object that identifies the Anyconnect client profile XML file. Click Select to select the object or to create a new one. For more information about File objects, see Add and Edit File Object Dialog Boxes.

Note Beginning with version 4.7, Security Manager provides support for AnyConnect version 3.2. If you select ISE Posture as the AnyConnect Profile Type, the AnyConnect Profile File will have a filename extension of.isp.

Note If you are going to create a new profile using the AnyConnect Profile Editor, do not specify an AnyConnect Profile File.

– Enable Storage URL —Beginning with version 4.12, Security Manager enables you to select either Private or Shared option for ASA 9.6(2) or later Multi-Context devices.

– Launch Editor —Click Launch Editor to use the AnyConnect Profile Editor to edit the profile specified in AnyConnect Profile File or to create a new profile if no profile file is specified. For more information about File objects, see Cisco AnyConnect Profile Editor.

• To edit a profile, select it, click the Edit Row button, and make your modifications in the Edit AnyConnect Client Profile dialog box.
• To delete a profile, select it and click the Delete Row button. You are asked to confirm the deletion.

Add/Edit AnyConnect Client Image Dialog Box

Use the Add or Edit AnyConnect Client Image dialog box to create or edit a package file as the client image, and establish the order that the security appliance downloads the image to the remote workstation.

Navigation Path

From the Client Settings tab of the SSL VPN Other Settings policy for ASA devices, click the Add Row button for the AnyConnect Client Image table, or select an image and click the Edit Row button. For detailed information on opening the tab, see Configuring SSL VPN AnyConnect Client Settings (ASA).

Related Topics

• Understanding SSL VPN AnyConnect Client Settings
• Configuring SSL VPN AnyConnect Client Settings (ASA)
• Understanding and Managing SSL VPN Support Files

Field Reference

Understanding Kerberos Constrained Delegation (KCD) for SSL VPN (ASA)

There are many ways to protect network resources through the use of authentication. Many organizations want to use Kerberos to protect certain web applications while using other authentication techniques, such as username and password, digital certificates, RSA SecureID, or SmartCards, to control access to an SSL VPN. However, a restriction in the Kerberos protocol prevents Kerberos authentication if the user has already used another technique to authenticate to the VPN.

Microsoft overcomes this limitation in Kerberos starting with Windows Server 2003. Using protocol transition and constrained delegation, the ASA can authenticate to the Kerberos Key Distribution Center (KCD) on the Windows domain controller and obtain impersonate tickets for users who have authenticated to the ASA using non-Kerberos protocols. The ASA can use the impersonate ticket to obtain other Kerberos service tickets for remote users.

To configure the domain controller so that Kerberos constrained delegation works, you must do the following:

• Each instance of a service that uses Kerberos authentication must have a service principle name (SPN) defined so that clients can identify it on the network. Register the SPN in the Active Directory Service-Principal-Name attribute of the Windows account under which the instance of the service is running. When a service needs to authenticate to another service running on a specific computer, it uses that service’s SPN to differentiate it from other services running on that computer.

The SPN syntax is service_class/host_name:port, where:

– service_class identifies the service. It can be a built-in service, such as http, or a user defined service.

– host_name identifies the fully-qualified domain name or NetBIOS name of the server that hosts the service, but it cannot be an IP address.

– port identifies the port on which the service runs. You can omit the port if you use the default service port.

• Create a service account username and password that the ASA can use. Configure the account to allow Kerberos constrained delegation to any authentication protocol. In addition, the user account must not be marked as a sensitive account that cannot be delegated.

To configure the ASA to allow KCD, once the ASA joins the domain, an entry should appear under the Users and Computers list on the domain controller for the ASA. In the Properties dialog box, on the Delegation tab, select Trust this computer for delegation to specified services only, and then select Use any authentication protocol. In the table of authorized services, add all services for which the ASA is delegated for authentication on behalf of users.

Tip For definitive information on configuring this feature on the Windows domain controller, refer to the Microsoft documentation.

For the ASA to use Kerberos constrained delegation, you must configure the ASA as described in Configuring Kerberos Constrained Delegation (KCD) for SSL VPN (ASA). The feature is available on ASA Software release 8.4 and higher only.

Following is an example that explains how Kerberos constrained delegation works with a clientless SSL VPN hosted on an ASA.

Figure 31-1 Kerberos Constrained Delegation Example

After verifying the identity of an SSL VPN user with the configured authentication mechanism, the ASA uses protocol transition to switch to the Kerberos protocol for authentication on behalf of the user and then sends a Kerberos service ticket instead of the user’s credentials to a published Web server that accepts Kerberos for authentication. Following are the steps:

1. An SSL VPN user session is authenticated by the ASA using the authentication mechanism configured for the user. For example, in case of Smartcard credentials, the ASA extracts the required information (the user’s principle name) from the digital certificate and performs LDAP authorization against Windows Active Directory.

2. After successful authentication, the user logs into the ASA SSL VPN portal page. The VPN user accesses a web service by entering a URL in the portal page or by clicking on a bookmark. If the access requires authentication, the server challenges the ASA for credentials and along with the challenge sends a list of authentication mechanisms supported by the server. Based on the HTTP headers in the challenge, the ASA deduces whether the server requires Kerberos authentication. If connecting to a backend server requires Kerberos authentication, then the ASA requests an impersonate ticket, for itself on behalf the user, from the KDC.

3. The KDC returns the requested tickets to the ASA. Even though these tickets are passed to the ASA, they contain the user’s authorization data.

Note These first steps comprise protocol transition; after these steps, a user who authenticated to the ASA using a non-Kerberos authentication protocol is transparently authenticated to the KDC using Kerberos.

4. The ASA now requests a service ticket from the KDC for the specific service that the user wants to access. The service ticket request contains the SPN (the unique identifier) of the service.

5. The KDC returns a service ticket for the specific service to the ASA.

6. The ASA uses the service ticket to request access to the web service, in the above scenario this is sent to the web server in a HTTP GET request.

7. The web server authenticates the Kerberos service ticket and grants access to the service. An authentication failure will display an appropriate error message after acknowledgment of which the portal will be displayed.

Configuring Kerberos Constrained Delegation (KCD) for SSL VPN (ASA)

Use the Microsoft KCD Server tab of the SSL VPN Other Settings page to configure Kerberos Constrained Delegation (KCD) for clientless SSL VPNs hosted on an ASA.

KCD addresses a limitation of Kerberos. If a user authenticates to the SSL VPN using a method other than Kerberos, the user cannot access Kerberos-protected resources. This prevents a remote access device, such as ASA, from authenticating users using non- Kerberos methods and still provide single sign-on access to Kerberos-authenticated web applications in the enterprise.

If this limitation applies to your network, you can configure KCD to get around the limitation. KCD offloads the Kerberos authentication to the ASA. Users log into the corporate network using the SSL VPN portal, and from then on, access Kerberos-protected services in a transparent fashion.

Tips

• KCD requires ASA release 8.4+. If you configure KCD for other releases, the configuration is ignored.
• The feature is used with clientless SSL VPN access only.
• Microsoft Windows Server (2003 or 2008), configured as domain controllers, are required for KCD.
• If you use SSL VPN Bookmark policy objects to define bookmarks to include on the SSL VPN portal page, you might need to add explicit service principle name (SPN) parameters to bookmarks if a service uses a non-default port. For services that use Kerberos authentication, an SPN must be defined in the Service-Principle-Name attribute of the account under which the service runs.

Bookmarks need to reflect this configuration. The SPN is a parameter on the URL: http://<url>?SPN=<spn> or http://<url>?SPN=<spn>. For example, http://owa.example.com?SPN=http/owa:444. For more details about the SPN syntax, see Understanding Kerberos Constrained Delegation (KCD) for SSL VPN (ASA).

• To configure this feature, you must also configure the Hostname, DNS, and NTP policies. Configure both hostname and domain name in the Hostname policy.
• Kerberos authentication requires that the clock between the hosts to be synchronized with a maximum drift of 5 minutes (this is the default setting). This restriction is applicable to the clocks on the ASA, the domain controller, and the application servers. Configuring the same NTP server for all servers should address the requirement.

Related Topics

• Configuring Other SSL VPN Settings (ASA)
• Understanding AAA Server and Server Group Objects

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Step 2 On the Other Settings page, click the Microsoft KCD Server tab.

Step 3 Select Configure KCD and configure the following options:

• KCD Server —The AAA server group object that identifies the Microsoft KCD server (the domain controller) to use for Kerberos Constrained Delegation. Enter the name of the object or click Select to select it from a list or to create a new object. The object must use a Kerberos AAA server policy object to identify the domain controller.
• Username, Password, Confirm —A user account that the ASA can use to join the Active Directory domain.

For the ASA to use Kerberos protocol transition and constrained delegation, and obtain service tickets on behalf of the remote access users, the account used by the ASA to authenticate with the domain controller must be configured in Active Directory and configured to allow Kerberos constrained delegation to any authentication protocol. In addition, the user account must not be marked as a sensitive account that cannot be delegated. For more information about Active Directory configuration requirements, see Understanding Kerberos Constrained Delegation (KCD) for SSL VPN (ASA).

Configuring AnyConnect Custom Attributes (ASA)

AnyConnect custom attributes allow for a more expeditious delivery and deployment of new endpoint features by giving the ASA the ability to generically support the addition of new client controls without the need for an ASA software upgrade.

In the AnyConnect Custom Attribute tab of the SSL VPN Other Settings page, you can view configured AnyConnect custom attributes, add new attributes, and modify or delete existing attributes.

Related Topics

• Understanding and Managing SSL VPN Support Files
• Configuring Other SSL VPN Settings (ASA)

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Step 2 On the Other Settings page, click the AnyConnect Custom Attribute tab. The AnyConnect Custom Attribute tab lists all defined custom attributes.

Step 3 Do any of the following:

• To add a custom attribute, click the Add Row button beneath the table and fill in the Add AnyConnect Custom Attribute dialog box. The options are described in detail in Add/Edit AnyConnect Custom Attribute Dialog Box.
• To edit a custom attribute, select it, click the Edit Row button, and make your changes in the Edit Plug-In Entry dialog box.
• To delete a custom attribute, select it and click the Delete Row button. You are asked to confirm the deletion.

Add/Edit AnyConnect Custom Attribute Dialog Box

Use the Add or Edit AnyConnect Custom Attribute dialog box to add or modify an AnyConnect custom attribute. AnyConnect custom attributes allow for a more expeditious delivery and deployment of new endpoint features by giving the ASA the ability to generically support the addition of new client controls without the need for an ASA software upgrade.

Beginning with version 4.7, Security Manager enables to add Custom Attribute Data to an existing Custom Attribute Type for ASA devices running the software version 9.3(1) or higher. Use the Add or Edit AnyConnect Custom Attribute Data dialog box to add or modify the attribute name and attribute value for an existing AnyConnect custom attribute type. For more information see Add/Edit AnyConnect Custom Attribute Data Dialog Box.

Navigation Path

From the AnyConnect Custom Attribute tab of the SSL VPN Other Settings policy for ASA devices, click the Add Row button for the AnyConnect Custom Attributes table, or select an attribute and click the Edit Row button. For detailed information on opening the tab, see Configuring AnyConnect Custom Attributes (ASA).

Related Topics

• Understanding SSL VPN AnyConnect Client Settings
• Configuring SSL VPN AnyConnect Client Settings (ASA)
• Understanding and Managing SSL VPN Support Files

Field Reference

Add/Edit AnyConnect Custom Attribute Data Dialog Box

Beginning with Security Manager version 4.7, you can use the Add or Edit AnyConnect Custom Attribute Data dialog box to add or modify the attribute name and attribute value for an existing AnyConnect custom attribute type.

Navigation Path

Click the AnyConnect Custom Attribute tab of the SSL VPN Other Settings policy for ASA devices. On the Custom Attribute table, select an attribute type and then click the Add Row button for the Custom Attribute Data table. Or on the Custom Attribute Data table select an existing Custom Attribute Data and click the Edit Row button.

For each attribute type, you can define multiple attribute names with corresponding values.

For information on adding or modifying an attribute type, see Understanding SSL VPN AnyConnect Client Settings.

Related Topics

• Understanding SSL VPN AnyConnect Client Settings
• Add/Edit AnyConnect Custom Attribute Dialog Box
• Configuring SSL VPN AnyConnect Client Settings (ASA)
• Understanding and Managing SSL VPN Support Files

Field Reference

Configuring SSL VPN Advanced Settings (ASA)

Use the Advanced tab of the SSL VPN Other Settings page to configure the memory, on-screen keyboard, and internal password features on ASA devices. Beginning with Cisco Security Manager 4.15, you can also enable the HSTS support and specify the timeout values. All of these settings are optional.

Related Topics

• Configuring Other SSL VPN Settings (ASA)

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Step 2 On the Other Settings page, click the Advanced Tab.

Step 3 In the Memory Size field, specify the amount of memory you want to allocate to SSL VPN sessions. The default is 50%.

To change the setting, select one of the following options and enter the desired number:

• % of Total Physical Memory —As a percentage of total memory. Default is 50%.
• Kilobytes —In kilobytes. 20KB is the minimum setting allowed. Cisco recommends that you do not specify memory in terms of KB because different ASA models have different total amounts of memory, for example:

Note When you change the memory size, the new setting takes effect only after the system reboots.

Step 4 In the Enable On-Screen Keyboard field, select one of the following options:

• Disabled —The on-screen keyboard is not displayed. Users must input their credentials using the standard keyboard. This is the default.
• On All Pages —Allows a user to input credentials using an on-screen keyboard, which is displayed whenever logon credentials are required.
• On Logon Page Only —Allows a user to input credentials using an on-screen keyboard, which is displayed on the logon page but not on any other pages that require credentials.

Step 5 Select Allow Users to Enter Internal Password to require an additional password when accessing internal sites. This feature is useful if you require that the internal password be different from the SSL VPN password. For example, you can use a one-time password for authentication to ASA and another password for internal sites.

Note The HSTS option is available for ASA 9.8.2 devices only.

Step 6 In the HTTP Strict Transport Security (HSTS) area, do the following:

• To enable HSTS support, select the Enable HSTS Header check box. HSTS feature can be enabled by sending header to clients. To disable the support, clear this check box.
• If you have selected the Enable HSTS Header check box, in HSTS Header Timeout enter the timeout value. If you leave this field blank, Cisco Security Manager will use the default Timeout value of 10886400.

Configuring SSL VPN Server Verification (ASA)

When connecting to a remote SSL-enabled server through clientless SSL VPN, it is important to know that you can trust the remote server, and that it is in fact the server you are trying to connect to. ASA 9.0 introduces support for SSL server certificate verification against a list of trusted certificate authority (CA) certificates for clientless SSL VPN.

When you connect to a remote server via a web browser using the HTTPS protocol, the server will provide a digital certificate signed by a CA to identify itself. Web browsers ship with a collection of CA certificates which are used to verify the validity of the server certificate. This is a form of public key infrastructure (PKI).

Just as browsers provide certificate management facilities, so does the ASA in the form of trusted certificate pool management facility: trustpools. This can be thought of as a special case of trustpoint representing multiple known CA certificates. The ASA includes a default bundle of certificates, similar to that provided with web browsers, but it is inactive until activated by the administrator.

Note If you are already familiar with trustpools from Cisco IOS then you should be aware that the ASA version is similar, but not identical.

This procedure describes how to enable HTTPS server verification for clientless SSL VPN users.

Related Topics

• Configuring Other SSL VPN Settings (ASA)
• Configuring Trusted Pool Settings (ASA)
• Using the Trustpool Manager

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other Settings from the Policy selector. Click the SSL Server Verification tab.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one. Click the SSL Server Verification tab.

Step 2 Select Enable to enable HTTPS Server Verification for Clientless SSL VPN users.

Step 3 Specify the action you want to be taken if server certificate verification fails:

• Disconnect user from Https page – Disconnect if the server could not be verified.
• Allow user to continue to Https page – Allow the user to continue the connection, even if the check failed.

Configuring SSL VPN Shared Licenses (ASA 8.2+)

Use the SSL VPN Shared License page to configure your SSL VPN Shared License.

You can purchase a shared license with a large number of SSL or remote access IKEv2 IPsec VPN sessions and share the sessions as needed among a group of ASA devices by configuring one of the ASA devices as a shared license server, and the rest as clients. For the server license, you can share 500-50,000 licenses in increments of 500 and 50,000-1,040,000 licenses in increments of 1000.

A license is consumed by each remote access user that makes an SSL or IKEv2 IPsec connection.

Note The shared license cannot be used at the same time as the AnyConnect Essentials license.

The following topics explain the procedure for configuring shared licenses:

• Configuring an ASA Device as a Shared License Client
• Configuring an ASA Device as a Shared License Server

Navigation Path

• (Device View) Select an ASA device using version 8.2 or higher, and select Remote Access VPN > SSL VPN > Shared License from the Policy selector.
• (Policy View) Select Remote Access VPN > SSL VPN > Shared License (ASA 8.2+) from the Policy Type selector. Select an existing policy or create a new one.

Field Reference

This section contains the following topics:

• Configuring an ASA Device as a Shared License Client
• Configuring an ASA Device as a Shared License Server

Configuring an ASA Device as a Shared License Client

This procedures describes how to configure an ASA device as a shared license client.

Tip You must ensure that the SSL VPN Shared License Client activation key is present on the device.

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Shared License from the Policy selector.
• (Policy view) Select Remote Access VPN > SSL VPN >Shared License (ASA 8.2+) from the Policy Type selector. Select an existing policy or create a new one.

The SSL VPN Shared License page appears (see Configuring SSL VPN Shared Licenses (ASA 8.2+)).

Step 2 Select Shared License Client as the role of the device.

Step 3 In the Shared Secret field, enter and confirm a case-sensitive string (4-128 characters) used for communicating with the shared license server.

Step 4 In the License Server field, enter the IP address or the name of a network/host object that identifies the ASA device configured as the license server.

Step 5 In the License Server Port field, enter the number of the TCP port on which the license server communicates.

Step 6 Select the role of the client:

• Client Only —When selected, the client acts only as the client. In this case, you can specify another device as a backup server.
• Backup Server —When selected, the client also acts as the backup server. In this case, you must also specify the interfaces to be used for this purpose.

Configuring an ASA Device as a Shared License Server

This procedures describe how to configure an ASA device as a shared license server.

Tip You must ensure that the SSL VPN Shared License Server activation key is present on the device.

Step 1 Do one of the following:

• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Shared License from the Policy selector.
• (Policy view) Select Remote Access VPN > SSL VPN >Shared License (ASA 8.2+) from the Policy Type selector. Select an existing policy or create a new one.

The SSL VPN Shared License page appears (see Configuring SSL VPN Shared Licenses (ASA 8.2+)).

Step 2 Select Shared License Server as the role of the device.

Step 3 In the Shared Secret field, enter and confirm a case-sensitive string (4-128 characters) used for communicating with the shared license server.

Step 4 In the License Server Port field, enter the number of the TCP port on which the license server communicates.

Step 5 In the Refresh Interval field, enter a value between 10-300 seconds to be used as the refresh interval. Default is 30 seconds.

Step 6 In the Interfaces field, enter or select the interfaces to be used for communicating with clients.

Step 7 (Optional.) Select Configure Backup shared SSL VPN License Server to configure a backup server for the shared license server, then configure the following:

• Backup License Server —The IP address, or network/host object that contains the address, of the server to act as a backup license server if the current one is unavailable.
• Backup Server Serial Number —The serial number of the backup license server.
• HA Peer Serial Number —(Optional) The serial number of the backup server of a failover pair.

Configuring ASA Portal Appearance Using SSL VPN Customization Objects

An SSL VPN Customization object describes the appearance of browser-based clientless SSL VPN web pages displayed to users. This includes the Logon page displayed when they connect to the ASA security appliance, the Home page displayed after authentication, and the Logout page displayed when users log out of the SSL VPN service.

You use SSL VPN Customization objects when defining ASA group objects or Remote Access VPN Connection policies for ASA devices. You can create several customization objects and define multiple ASA group or connection profiles so that each user group sees web pages designed specifically for their use. Customization can include localizing the web pages in the languages appropriate for each group. For more information about localization, see Localizing SSL VPN Web Pages for ASA Devices.

Initially, when a user first connects, the default customization object identified in the connection profile determines how the logon screen appears. If the user selects a different group from the connection profile list on the logon page, and that group has its own customization, the screen changes to reflect the customization object for the selected group. After the remote user is authenticated, the screen appearance is determined by the customization object that has been assigned to the group policy.

After you create the SSL VPN customization object as described in this procedure, you can use the object to specify the portal characteristics in these policies:

• On the SSL VPN > Settings page in an ASA group policy object (see ASA Group Policies SSL VPN Settings), which you then select in one of these policies:

– Remote Access VPN > Group Policies

– Remote Access VPN > Connection Profiles on the General tab

• In the Remote Access VPN > Connection Profiles policy, you can also specify the SSL VPN customization object on the SSL tab (see SSL Tab (Connection Profiles)).

Related Topics

• Localizing SSL VPN Web Pages for ASA Devices
• Creating Policy Objects
• Add and Edit SSL VPN Customization Dialog Boxes

Step 1 Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager).

Tip You can also create SSL VPN Customization objects when defining policies or objects that use this object type. For more information, see Selecting Objects for Policies.

Step 2 Select SSL VPN Customization from the Object Type selector. The SSL VPN Customization page opens, displaying a list of the existing SSL VPN Customization objects.

Step 3 Right-click in the work area and select New Object.

The Add SSL VPN Customization dialog box appears (see Add and Edit SSL VPN Customization Dialog Boxes).

Step 4 Enter a name for the object and optionally a description of the object.

Step 5 Before you configure settings for the various pages, use the Preview button to view the default settings. Clicking Preview opens a browser window to display the current settings for the Logon page, Portal page, or Logout page, whichever one is selected in the table of contents (selecting a page within one of these folders is the same as selecting the parent folder).

Tip Click Preview after making any changes to settings to verify that the changes are what you desire.

Step 6 Configure the settings for the Logon page. This web page is the one users see first when connecting to the SSL VPN portal. It is used for logging into the VPN. Select the following items in the Logon Page folder in the table of contents on the left of the dialog box to view and change the settings:

• Logon Page —Specify the title of the web page, which is displayed in the browser’s title bar.
• Title Panel —Determine whether the Logon page will have a title displayed in the web page itself. If you enable the title panel, you can specify the title, font, font size and weight, styles, and colors used. You can also select a File object that identifies a logo graphic. For more information about the settings, see SSL VPN Customization Dialog Box—Title Panel.
• Language —If you want to configure translation tables for other languages on the ASA device and use them, you can configure the supported languages and allow users to choose their language. For information about translation tables and localization support, see Localizing SSL VPN Web Pages for ASA Devices. For more information about the settings, see SSL VPN Customization Dialog Box—Language.
• Logon Form —Configure the labels and colors used in the form that accepts user logon information. For more information about the settings, see SSL VPN Customization Dialog Box—Logon Form.
• Informational Panel —If you want to provide extra information to the user, you can enable an informational panel and add text and a logo graphic. For more information about the settings, see SSL VPN Customization Dialog Box—Informational Panel.
• Copyright Panel —If you want to include copyright information on the logon page, you can enable the copyright panel and enter your copyright statement. For more information about the settings, see SSL VPN Customization Dialog Box—Copyright Panel.
• Full Customization —If you do not want to use the security appliance’s built-in logon page, even customized, you can instead enable full customization and supply your own web page. For information on creating the required file, see Creating Your Own SSL VPN Logon Page for ASA Devices. For more information about the settings, see SSL VPN Customization Dialog Box—Full Customization.

Step 7 Configure the settings for the Portal page. This is the home page for the SSL VPN portal, and is displayed after the users log in. Select the following items in the Portal Page folder in the table of contents on the left of the dialog box to view and change the settings:

• Portal Page —Specify the title of the web page, which is displayed in the browser’s title bar.
• Title Panel —Determine whether the Portal page will have a title displayed in the web page itself. If you enable the title panel, you can specify the title, font, font size and weight, styles, and colors used. You can also select a File object that identifies a logo graphic. For more information about the settings, see SSL VPN Customization Dialog Box—Title Panel.
• Toolbar —Determine whether the Portal page will have a toolbar, which contains a field for entering a URL to browse. For more information about the settings, see SSL VPN Customization Dialog Box—Toolbar.
• Applications —Determine which application buttons will appear on the page. For more information about the settings, see SSL VPN Customization Dialog Box—Applications.
• Custom Panes —Determine how you want to organize the body of the Portal page. The default is a single column with no internal panes. You can create a multiple-column layout, create internal panes that display text or references to URLs, and determine in which column and row to place the panes. For more information about the settings, see SSL VPN Customization Dialog Box—Custom Panes.
• Home Page —Determine how and whether to display URL lists on the home page, and whether to use your own web page for the main body of the Portal page. For more information about the settings, see SSL VPN Customization Dialog Box—Home Page.

Step 8 Select Logout Page to configure the settings of the page displayed when a user logs out of the SSL VPN. You can configure the title, message text, fonts, and colors. For more information about the settings, see SSL VPN Customization Dialog Box—Logout Page.

Step 9 (Optional) Under Category, select a category to help you identify this object in the Objects table. See Using Category Objects.

Step 10 (Optional) Select Allow Value Override per Device to allow the properties of this object to be redefined on individual devices. See Allowing a Policy Object to Be Overridden.

Step 11 Click OK to save the object.

Localizing SSL VPN Web Pages for ASA Devices

Localization is the process of providing text in a language that is appropriate for the target users. When you create an SSL VPN Customization object for defining the look of browser-based clientless SSL VPN web pages hosted on an ASA device, you can configure the pages to use the desired language.

To see localized web pages correctly, users must configure their browsers to use UTF-8 encoding (for example, in Internet Explorer, select View > Encoding > Unicode (UTF-8). They also must install the required fonts or language support files for their language using the Regional and Language Options control panel. On the Languages tab, click Details to install the desired languages, and select the appropriate supplemental language settings for East Asian, complex scripting, and right-left languages. On the Advanced tab, select the desired code page conversion tables. If users do not configure the browser correctly, they might see boxes instead of characters.

There are two techniques you can use to localize SSL VPN web pages that are hosted on an ASA device. These techniques are not mutually exclusive; you can use both of them. These are the techniques:

• Configure the SSL VPN Customization object using the desired language —When you create the SSL VPN Customization object, you can enter text for labels and messages in non-English, non-ASCII languages in UTF-8 encoding. To enter non-ASCII languages in UTF-8 encoding, you must configure Windows with the correct locale setting and have the required fonts installed. Use the Regional and Language Options control panel to configure your system and install files required for complex script or East Asian languages. If you want to type in text directly, you also need to install an appropriate keyboard; otherwise, you can use a text editor that supports the language’s characters and copy and paste text from a document that contains the text you want to use.

You can also enter non-ASCII languages into SSL VPN Bookmarks objects.

• Configure translation tables on the ASA device to support the languages you want to make available —To enable the security appliance to provide language translation for the portal and screens displayed to users, you must define the necessary languages in a translation table and import the table into the security appliance. The software image package for the security appliance includes a translation table template. Every language you list in an SSL VPN Customization object must have a corresponding translation table on the device. Conversely, translation tables for languages that are not listed in the SSL VPN Customization object are ignored.

If you use this technique, you must use the ASA CLI or ASDM to configure and upload the translation tables. You cannot manage the translation tables with Security Manager. However, the SSL VPN Customization object includes settings that allow you to configure automatic browser language selection and to enable users to select their desired language. Thus, if you install translation tables for ten languages, the pages defined in the SSL VPN Customization object will be available to users in all of those languages. For more information on these settings, see SSL VPN Customization Dialog Box—Language.

Although both of the following features require translation tables, they are separate and complementary:

– Automatic Browser Language Selection —Automatic browser language selection attempts to select the appropriate language based on the user’s browser settings. This technique does not ask for user input. In the SSL VPN Customization object, you create a list of languages that will be used in the negotiation with the browser. During a connection, the security appliance receives a list of languages (and their priorities) from the browser, and looks through your list of languages top to bottom until a match is found. If there is no match, then the language you defined in the list as the default language is used. If you do not specify a default language, English is used.

The languages on the security appliance are labels for the translation tables. The languages must mirror those of the browser, and can consist of groups of up to 8 alphanumeric characters (starting from alpha characters), separated by hyphens. For example, fr-FR-paris-univ8. However, when you add a language to the list in Security Manager, only the first two characters are available.

When looking for a match, the security appliance starts with the longest language name, and if it does not match, it discards the rightmost group of the name. For example, if the preferred language on the browser is fr-FR-paris-univ8, and the security appliance supports fr-FR-paris-univ8, fr-FR-paris, fr-FR, and fr, it matches fr-FR-paris-univ8 and uses the translated strings from that translation table. If fr is the only language on the security appliance, the security appliance considers it a match also, and uses that translation table.

For more information about setting up translation tables, see the user documentation for the ASA device and operating system or the ASDM online help.

– Language Selector —By enabling the language selector, you provide the user with the ability to actively select the desired language from a list of languages that you support. This technique does not rely on the browser language settings being configured correctly. The language selector is displayed on the logon page.

Related Topics

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects
• Creating Policy Objects
• Add and Edit SSL VPN Customization Dialog Boxes

Creating Your Own SSL VPN Logon Page for ASA Devices

You can create your own custom SSL VPN Logon page rather than use the page provided by the security appliance for browser-based clientless SSL VPNs. This is called full customization, and replaces the settings you can configure in the SSL VPN Customization policy object.

To provide your own Logon page, you must create the page, copy it to the Security Manager server, and identify the page on the Full Customization page of the SSL VPN Customization object dialog box. For information on creating SSL VPN Customization objects, see Configuring ASA Portal Appearance Using SSL VPN Customization Objects.

When you enable full customization, all other settings for the Logon page configured in the policy object are ignored. When you deploy your configuration to the ASA device, Security Manager copies your custom page to the device.

The Logon page you create must include all of the HTML code required to present the page correctly, and include special Cisco HTML code that provides the functions for the login form and the Language Selector drop-down list. Keep the following in mind when you create the HTML file:

• The file extension must be .inc.
• All images in the custom Logon page must be present on the security appliance. Replace the file path with the keyword /+CSCOU+/, which is an internal directory on the ASA device. When you upload an image to the device, it is saved in this directory.
• Use the csco_ShowLoginForm(’lform’) Javascript function to add the login form to the page. This form prompts for the username, passwords, and group information. You must include this function somewhere on the page.
• Use the csco_ShowLanguageSelector(’selector’) Javascript function to add the Language Selector drop-down list to the page. You do not have to use this function if you are not supporting the use of more than one language.

Related Topics

• Configuring ASA Portal Appearance Using SSL VPN Customization Objects
• Add and Edit SSL VPN Customization Dialog Boxes
• SSL VPN Customization Dialog Box—Full Customization

Configuring SSL VPN Bookmark Lists for ASA and IOS Devices

When you configure a browser-based clientless SSL VPN, you can define a list of bookmarks, or URLS, to include on the SSL VPN portal page. Use SSL VPN bookmarks policy objects to define bookmark lists.

You can create SSL VPN bookmark objects for SSL VPNs hosted on IOS devices or ASA devices. However, these device types allow different bookmark configurations, the ASA device allowing more configuration options than IOS devices. Besides allowing more configuration options, you can also create bookmarks for ASA devices in non-English, non-ASCII languages. For more information on localizing the bookmarks and portal for ASA devices, see Localizing SSL VPN Web Pages for ASA Devices.

After you create the SSL VPN bookmark object as described in this procedure, you can use the object to specify the bookmark object in the Portal Web Pages or Bookmarks fields in these policies:

• ASA devices—On the SSL VPN > Clientless page in an ASA group policy object (see ASA Group Policies SSL VPN Clientless Settings), which you then select in one of these policies:

– Remote Access VPN > Group Policies

– Remote Access VPN > Connection Profiles on the General tab

• ASA devices—In the Remote Access VPN > Dynamic Access policy, you can specify the SSL VPN bookmark object on the Main > Bookmarks tab (see Main Tab).
• IOS devices—On the Clientless page in a user group policy object configured for SSL VPN (see User Group Dialog Box—Clientless Settings), which you then select in the Remote Access VPN > SSL VPN policy on the General tab.

Related Topics

• Creating Group Policies (ASA, PIX 7.0+)
• Configuring Dynamic Access Policies
• Configuring Connection Profiles (ASA, PIX 7.0+)
• Configuring an SSL VPN Policy (IOS)
• Creating Policy Objects
• Policy Object Manager

Step 1 Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager).

Tip You can also create SSL VPN bookmark objects when you define policies or objects that use this object type. For more information, see Selecting Objects for Policies.

Step 2 Select SSL VPN Bookmarks from the Object Type selector. The SSL VPN Bookmarks page opens, displaying a list of the existing SSL VPN bookmark objects.

Step 3 Right-click in the work area, then select New Object.

The Add SSL VPN Bookmark dialog box appears (see Add or Edit Bookmarks Dialog Boxes).

Step 4 Enter a name for the object and optionally a description of the object.

Step 5 If you are creating the object for an SSL VPN hosted on an IOS device, you can enter a name for the heading that is displayed above the bookmarks list in the Bookmarks Heading (IOS) field.

Step 6 The Bookmarks table displays any URLs that are defined for the object. To add a bookmark, click the Add Row button below the table; to edit an existing bookmark, select it and click the Edit Row button.

The Add/Edit SSL VPN Bookmark Entry dialog box opens. For more information about the fields on this dialog box, see Add or Edit Bookmark Entry Dialog Boxes.

• In the Bookmark Option field, select whether you are defining a bookmark (Enter Bookmark) or adding bookmarks from another SSL VPN bookmark object (Include Existing Bookmarks). If you are including an existing object, enter the object’s name or click Select to select it from a list of existing objects.
• If you are creating the object for use on an IOS device, enter the title of the bookmark, which is displayed to users, and the URL. Be careful to select the correct protocol for the URL. Click OK to add the bookmark to the table of bookmarks.
• If you are creating the object for use on an ASA device, you have many more options. Besides the title and the URL, you can define a subtitle and image icon for the bookmark plus other options.

Tip If you choose the protocols RDP, SSH, Telnet, VNC, or ICA, you must configure the plug-in for the protocol in the Remote Access VPN > SSL VPN > Other Settings policy (see Configuring SSL VPN Browser Plug-ins (ASA)).

You can also configure the bookmark to use the Post method rather than the Get method. If you use Post, you must configure the post parameters by clicking Add Row beneath the Post Parameters table. For more information on Post parameters, see these topics:

– Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks

– Add and Edit Post Parameter Dialog Boxes

Click OK to add the bookmark to the table of bookmarks.

Step 7 (Optional) Under Category, select a category to help you identify this object in the Objects table. See Using Category Objects.

Step 8 (Optional) Select Allow Value Override per Device to allow the properties of this object to be redefined on individual devices. See Allowing a Policy Object to Be Overridden.

Step 9 Click OK to save the object.

Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks

One of the options you have for configuring bookmarks on an SSL VPN hosted on an ASA device is the method used by a URL, either Get or Post. The Get method is the standard method; a user clicks the URL and is taken to the web page. The Post method is useful when processing the data might involve changes to it, for example, storing or updating data, ordering a product, or sending e-mail.

If you choose the Post URL method, you must configure Post parameters for bookmark entries. Because these are often personalized resources that contain the user ID and password or other input parameters, you might need to define clientless SSL VPN macro substitutions.

Clientless SSL VPN macro substitutions let you configure users for access to personalized resources that contain the user ID and password or other input parameters. Examples of such resources include bookmark entries, URL lists, and file shares.

Note For security reasons, password substitutions are disabled for file access URLs (cifs://). Also for security reasons, use caution when introducing password substitutions for web links, especially for non-SSL instances.

You can use the following macro substitutions:

• Logon Information Substitutions — The security appliance obtains values for these substitutions from the SSL VPN Logon page. It recognizes these strings in user requests, and replaces them with the value specific to the user before it passes the request on to a remote server.

These are the available macro substitutions:

– CSCO_WEBVPN_USERNAME

The username used to log into the SSL VPN.

– CSCO_WEBVPN_PASSWORD

The password used to log into the SSL VPN.

– CSCO_WEBVPN_INTERNAL_PASSWORD

The internal resource password entered when logging into the SSL VPN.

– CSCO_WEBVPN_CONNECTION_PROFILE

The connection profile associated with the user group selected when logging into the SSL VPN.

For example, if a URL list contains the link http://someserver/homepage/CSCO_WEBVPN_USERNAME.html, the security appliance translates it to the following unique links:

– For USER1 the link becomes http://someserver/homepage/USER1.html

– For USER2 the link is http://someserver/homepage/USER2.html

In the following example, cifs://server/users/CSCO_WEBVPN_USERNAME lets the security appliance map a file drive to specific users:

– For USER1 the link becomes cifs://server/users/USER1

– For USER2 the link is cifs://server/users/USER2

• RADIUS/LDAP Vendor-Specific Attributes (VSAs) —These substitutions let you set substitutions configured on either a RADIUS or an LDAP server. These are the available macro substitutions:

– CSCO_WEBVPN_MACRO1

– CSCO_WEBVPN_MACRO2

For information on configuring bookmarks, see Configuring SSL VPN Bookmark Lists for ASA and IOS Devices.

Configuring SSL VPN Smart Tunnels for ASA Devices

A smart tunnel is a connection between an application running on a user’s workstation and a private site. The connection uses a clientless (browser-based) SSL VPN session with the security appliance as the pathway and proxy server. Smart tunnels do not require the user to connect the application to the local port, so the application can gain access to the network without giving the user administrative privileges, as is required for full tunnel support. If you do not otherwise configure the network to allow access to an application, you can create a smart tunnel for those applications that you want to support.

You can configure smart tunnel access to an application under the following conditions:

• The application is a Winsock 2, TCP-based application and there is a browser plug-in for the application. Cisco distributes plug-ins for some applications for use in clientless SSL VPN, including SSH (for both SSH and Telnet sessions), RDP, and VNC. You must supply or obtain plug-ins for any other applications. Configure plug-ins in the Remote Access VPN > SSL VPN > Other Settings policy on the Plug-Ins tab.
• The user’s workstation is a supported platform. See the Cisco ASA 5500 Series Adaptive Security Appliances documentation that corresponds with your ASA version for supported platforms, http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html.

Users of Microsoft Windows Vista who use smart tunnels (or port forwarding) must add the URL of the ASA device to the Trusted Site zone. Configure the Trusted Site zone in Internet Explorer (Tools > Internet Options, Security tab).

• The user’s browser must be enabled with Java, Microsoft ActiveX, or both.
• If the user’s workstation requires a proxy server to reach the security appliance, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services. In this configuration, smart tunnels support only basic authentication.

Tip A stateful failover does not retain smart tunnel connections. Users must reconnect following a failover.

You configure smart tunnel access for an application by creating an SSL VPN smart tunnel list policy object and including that object in an ASA group policy object. You then assign the ASA group policy object to a device in the Remote Access VPN > Group Policies policy.

Related Topics

• Understanding Group Policies (ASA)
• Creating Policy Objects
• Policy Object Manager

Step 1 Create an SSL VPN smart tunnel list policy object:

a. Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager), and select SSL VPN Smart Tunnel Lists from the table of contents.

Tip You can also create SSL VPN smart tunnel list objects when you create or edit the ASA group policy object. For more information, see Selecting Objects for Policies.

b. Click the Add Object button to open the Add and Edit Smart Tunnel List Dialog Boxes.

c. Enter a name for the object, up to 64 characters.

d. To the table of applications, add those applications for which you are granting smart tunnel access (click the Add Row button to open the Add and Edit A Smart Tunnel Entry Dialog Boxes). Consider the following:

• Enter an application name that is easy to understand and include version numbers if you support more than one version. For example, Microsoft Outlook.
• For the application path, entering only the filename, for example, outlook.exe, is the simplest and most maintainable option. This allows the user to install the application in any folder. Enter the full path if you want to enforce a specific installation structure.
• Hash values are optional, but you can use them to prevent spoofing. Without hash values, a user can rename an application to a supported filename; the security appliance checks only the filename and path (if specified). However, if you enter hash values, you must maintain them as users apply patches or application upgrades. For specific information on determining hash values, see Add and Edit A Smart Tunnel Entry Dialog Boxes.

Click OK to save the entry.

e. You can also incorporate other SSL VPN smart list objects into the object. This allows you to create a core set of smart list objects that you can use repeatedly in other objects.

f. Click OK to save the object.

Step 2 (Optional) Create an SSL VPN smart tunnel auto sign-on list policy object:

a. Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager), and select SSL VPN Smart Tunnel Auto Signon Lists from the table of contents.

Tip You can also create SSL VPN smart tunnel auto sign-on list objects when you create or edit the ASA group policy object. For more information, see Selecting Objects for Policies.

b. Click the Add Object button to open the Add and Edit Smart Tunnel Auto Signon List Dialog Boxes.

c. Enter a name for the object, up to 64 characters.

d. To the table of smart tunnel auto sign-on entries, add the servers for which to automate the submission of login credentials during smart tunnel setup (click the Add Row button to open the Add and Edit Smart Tunnel Auto Signon Entry Dialog Boxes).

e. You can also incorporate other SSL VPN smart tunnel auto sign-on list objects into the object. This allows you to create a core set of smart tunnel auto sign-on list objects that you can use repeatedly in other objects.

f. Click OK to save the object.

Step 3 Configure the ASA group policy object to use the SSL VPN smart tunnel list object:

a. Edit (or create) the ASA group policy object either from the Policy Object Manager or the Remote Access VPN > Group Policies policy. The object must be configured to support SSL VPNs. (You can also edit these objects from the Remote Access VPN > Connection Profiles policy from an individual profile.)

b. Select the SSL VPN > Clientless folder from the table of contents to open ASA Group Policies SSL VPN Clientless Settings.

c. Enter the name of the SSL VPN smart tunnel list object in the Smart Tunnel field.

d. Select Auto Start Smart Tunnel to automatically start smart tunnels for the applications when the user connects to the SSL VPN portal.

If you do not select this option, users must start smart tunnel access using the Application Access > Start Smart Tunnels button on the clientless SSL VPN portal page.

e. Enter the name of the SSL VPN smart tunnel auto sign-on list object in the Smart Tunnel Auto Signon Server List field.

f. If the universal naming convention (domain\username) is required for authentication, specify the Windows domain to add it to the username during auto sign-on in the Domain Name field. For example, enter CISCO to specify CISCO\qa_team when authenticating for the username qa_team. You must also check the Use Domain option when configuring associated entries in the auto sign-on server list.

Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL VPNs

Note From version 4.17, though Cisco Security Manager continues to support IOS features/functionality, it does not support any enhancements.

Clientless SSL VPN uses WINS and the Common Internet File System (CIFS) protocol to access or share files, printers, and other machine resources on remote systems. The ASA or IOS device uses a proxy CIFS client to provide this access transparently; users appear to have direct access to the file systems (subject to individual file and user permissions).

When users attempt a file-sharing connection to a Windows computer by using its computer name, the file server they specify corresponds to a specific WINS name that identifies a resource on the network. The security appliance queries WINS or NetBIOS name servers to map WINS names to IP addresses. SSL VPN requires NetBIOS to access or share files on remote systems.

You use WINS server list policy objects to configure the list of WINS servers that are used to resolve these Microsoft file-directory share names. The WINS server list objects define the NetBIOS Name Service (NBNS) server list on the device (using the nbns-list and nbns-server commands) for Common Internet File System (CIFS) name resolution.

After creating the WINS server list policy object, you can configure it in the following policies and policy objects, and also select the file access services that you want to allow:

• ASA devices—In the Remote Access VPN > Connection Profiles policy, specify the WINS server list object on the SSL tab (see SSL Tab (Connection Profiles)).

Select the file access options on the SSL VPN > Clientless page in an ASA group policy object (see ASA Group Policies SSL VPN Clientless Settings), which you then select in one of these policies:

– Remote Access VPN > Group Policies

– Remote Access VPN > Connection Profiles on the General tab

• IOS devices—On the Clientless page in a user group policy object configured for SSL VPN (see User Group Dialog Box—Clientless Settings), which you then select in the Remote Access VPN > SSL VPN policy on the General tab.

Related Topics

• Creating Policy Objects

Step 1 Select Manage > Policy Objects to open the Policy Object Manager.

Tip You can also create WINS server list objects when defining policies or objects that use this object type. For more information, see Selecting Objects for Policies.

Step 2 Select WINS Server Lists from the Object Type selector.

The WINS Server List page opens, displaying the currently defined WINS server list objects.

Step 3 Right-click in the work area and select New Object to open the Add or Edit WINS Server List Dialog Box.

Step 4 Enter a name for the object and optionally a description of the object.

Step 5 Click the Add Row button below the table, or select a server in the table and click Edit Row, to configure the WINS servers defined in the object. Configure these settings:

• Server —The IP address of the WINS server. You can select a network/host object or enter the address directly.
• Set as Master Browser —Select this option if the server is a primary browser, which maintains the list of computers and shared resources.

Other fields are optional; change them if you want non-default values. For more information, see Add or Edit WINS Server Dialog Box.

Click OK to save your changes.

Step 6 (Optional) Under Category, select a category to help you identify this object in the Objects table. See Using Category Objects.

Step 7 (Optional) Select Allow Value Override per Device to allow the properties of this object to be redefined on individual devices. See Allowing a Policy Object to Be Overridden.

Step 8 Click OK to save the object.