Store Password on Client System

Whether to allow users to store a password on their local systems. Enable this feature only if you are certain that the local systems will be in secure sites.

Enable IPsec over UDP

UDP Port

Whether to allow a Cisco VPN client or hardware client to connect using UDP to a security appliance that is running NAT.

If you select this option, specify the UDP port number within the range of 4001-49151. In IPsec negotiations, the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic.

IPsec Backup Servers

Servers List

Specify the backup server configuration:

• Keep Client Configuration—The security appliance sends no backup server information to the client. The client uses its own backup server list, if configured. This is the default.

• Clear Client Configuration—The client uses no backup servers. The security appliance pushes a null server list.

• Use Specified Backup Servers—Use the backup servers you specify in the servers list. Enter the IP addresses of the servers, or the name of a network/host object. Click Select to select the object from a list or to create a new object.

You can configure backup servers either on the client or on the primary security appliance. If you configure backup servers on the security appliance, it pushes the backup server policy to the clients in the group, replacing the backup server list on the client if one is configured.

Firewall Mode

The firewall requirements for client systems for the group:

• No Firewall—Do not use a firewall. You cannot configure any other options on the page.

• Firewall Required—All users in this group must use the designated firewall. The security appliance drops any session that attempts to connect without the designated firewall installed and running. In this case, the security appliance notifies the VPN client that its firewall configuration does not match.

• Firewall Optional—Users can use a firewall but it is not required. This option allows all users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewalls and others do not. For example, you might have clients with systems that do not run Microsoft windows, or your clients have not all had the opportunity to install firewall software.

Firewall Type

The type of firewall that you are making required or optional. The list shows all of the supported firewall software, which includes software from Cisco, Network ICE, Sygate, and Zone Labs.

• If you select Custom Firewall, you must fill in the fields in the Custom Firewall group. You also need to configure the policy source; select options only if they are supported by the vendor.

• Some firewall types require you to specify the source of the policy implemented by the firewall.

Policy Source

Some types of firewall allow you to configure where the client firewall should obtain its policies:

• Get Policy From Remote Firewall—The policy is configured in the client firewall application. This is how most client firewalls work.

• Use Specified Policy—The policy you specify should be pushed to the client firewall application, which should use your policy.

You must enter the name of an extended access control list policy object or Unified ACL, or click Select to select one from a list or to create a new one, in both in the Inbound Traffic Policy and Outbound Traffic Policy fields. Unified ACLs are supported from ASA version 9.0.

Custom Firewall

The attributes that define the required or optional firewall if you select custom firewall as the firewall type:

• Vendor ID—The number that identifies the vendor of the custom firewall. Values are 1-255.

• Product ID—The number that identifies the product or model of the custom firewall. Values are 1-32 or 255. Multiple ranges are allowed, for example, 4-12, 24-32. Use 255 for all supported products.

• Description—An optional description of the custom firewall, for example, the name of the vendor and product.

Require Interactive Client Authentication

Whether to enable secure unit authentication, which provides additional security by requiring VPN hardware clients to authenticate with a username and password each time that the client initiates a tunnel. The hardware client does not have a saved username and password.

Require Individual User Authentication

Whether to require that individual users behind a hardware client authenticate to gain access to the network across the tunnel. Individual users authenticate according to the order of authentication servers that you configure.

If you do not select this option, the security appliance allows inheritance of a value for user authentication from another group policy.

Enable Cisco IP Phone Bypass

Whether to allow IP phones behind hardware clients to connect without undergoing a user authentication processes. Secure unit authentication remains in effect for other users.

Enable LEAP Bypass

Whether to enable Lightweight Extensible Authentication Protocol (LEAP) packets from wireless devices behind a VPN hardware client to travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate again per user authentication.

Allow Network Extension Mode

Whether to enable network extension mode for hardware clients.

Network extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPsec encapsulates all traffic from the private network behind the hardware client to networks behind the security appliance. PAT does not apply. Devices behind the security appliance have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.

Idle Timeout Mode

How to handle periods of inactivity from individual clients:

• Specified Timeout—If there is no communication activity by a user behind a hardware client for the number of minutes you specify, the security appliance terminates the client’s access. Values are 1-35791394 minutes.

• Unlimited Timeout—User sessions are not terminated due to inactivity.

Enable Re-Authentication on IKE Re-Key

Whether the security appliance should prompt the user to enter a username and password during initial Phase 1 IKE negotiation and also prompt for user authentication whenever an IKE rekey occurs, providing additional security. Reauthentication fails if no user is at the other end of the connection.

Enable IPsec Compression

Whether to enable data compression, which speeds up transmission rates for remote dial-in users connecting with modems.

Enable Perfect Forward Secrecy (PFS)

Whether to enable the use of Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange. In IPsec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.

Tunnel Group Lock

Tunnel group lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting.

If you do not specify a tunnel name, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.

Client Access Rules table

The access rules for clients. These rules control which types of clients are denied access, if any. You can have up to 25 rules, and combined they are limited to 255 characters.

The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it.

• To add a rule, click the Add Row button to open the Add or Edit Client Access Rules Dialog Box.

• To edit a rule, select it and click the Edit Row button.

• To delete a rule, select it and click the Delete button.

Portal Page Websites

The name of the SSL VPN bookmarks policy object that includes the website URLs to display on the portal page. These websites help users access desired resources. Enter the name of the object or click Select to select it from a list or to create a new object.

Allow Users to Enter Websites

Whether to allow the remote user to enter website URLs directly into the browser. If you do not select this option, the user can access only those URLs included on the portal.

Enable File Server Browsing

Whether to allow the remote user to browse for file shares on the CIFS file servers.

Enable File Server Entry

Whether to allow the remote user to locate file shares on the CIFS file servers by entering the names of the file shares.

Enable Hidden Shares

Whether to make hidden CIFS shares visible, and thus accessible, to users.

HTTP Proxy

The type of access you want to allow to the external HTTP proxy server to which the security appliance forwards HTTP connections. You can enable access, disable access, or select Auto Start, which starts the proxy automatically upon user login.

Filter ACL

The name of the web type access control list policy object to use to restrict user access to the SSL VPN. Enter the name of the object or click Select to select it from a list or to create a new object. Beginning with version 4.10, you can enter IPv6 values for the web type ACL.

Enable ActiveX Relay

Whether to enable ActiveX relay, which allows users to start ActiveX programs from the portal page. This allows users to start Microsoft Office applications from the web browser and upload and download Office documents.

UNIX Authentication Group ID

The UNIX authentication group ID.

UNIX Authentication User ID

The UNIX authentication user ID.

Smart Tunnel

The name of the smart tunnel list policy object assigned to this group. Click Select to select it from a list or to create a new object.

A smart tunnel is a connection between a Winsock 2, TCP-based application and a private site. The connection uses a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the security appliance as a proxy server. Thus, smart tunnels do not require users to have administrator privileges. For more information, see Configuring SSL VPN Smart Tunnels for ASA Devices.

Auto Start Smart Tunnel

Whether to start smart tunnel access automatically upon user login. If you do not select this option, the user must start the tunnel manually through the Application Access tools on the portal page.

Auto sign-on supports only applications that use HTTP and HTTPS using the Microsoft WININET library on a Microsoft Windows operating system. For example, Microsoft Internet Explorer uses the WININET dynamic linked library to communicate with web servers.

Smart Tunnel Network List

Choose from the following options to select the list of hosts or network for which you want to use the smart tunnel. To enable the selection, you must first create the smart tunnel network list entries. For more information, see Add and Edit A Smart Tunnel Network List Entry Dialog Box. Note that this feature is supported on devices that are running ASA software version 8.3(1) and later.

• None—If you select this option, the group policy inherits the values from the default Group Policy. This option is enabled by default.

• Tunnel All—Select this option if you want to use the smart tunnel for all network traffic.

• Include—Select this option if you want to use the smart tunnel for specific networks. Then click Select to open the Smart Tunnel Network List Selector dialog box. You can select from the available entries or add entries. To add smart tunnel network list entries, see Add and Edit A Smart Tunnel Network List Entry Dialog Box.

• Exclude—Select this option if you do not want to use the smart tunnel for specific networks. Then click Select to open the Smart Tunnel Network List Selector dialog box. You can select from the available entries or add entries. To add smart tunnel network list entries, see Add and Edit A Smart Tunnel Network List Entry Dialog Box.

Smart Tunnel Auto Signon Server List

The name of the smart tunnel auto sign-on list policy object assigned to this group. Click Select to select it from a list or to create a new object.

Domain Name(Optional)

The Windows domain to add to the username during auto sign-on, if the universal naming convention (domain\username) is required for authentication. For example, enter CISCO to specify CISCO\qa_team when authenticating for the username qa_team. You must also check the Use Domain option when configuring associated entries in the auto sign-on server list.

Port Forwarding List

The name of the port forwarding list policy object assigned to this group. Port forwarding lists contain the set of applications that users of clientless SSL VPN sessions can access over forwarded TCP ports. Enter the name of the object or click Select to select it from a list or to create a new object.

Auto Start Port Forwarding

Whether to start port forwarding automatically upon user login.

Port Forwarding Applet Name

The application name or short description to display on the Port Forwarding Java applet screen on the portal, up to 64 characters. This is the name of the applet users will download to act as a TCP proxy on the client machine for the services configured on the SSL VPN gateway.

VDI Servers List table

The Citrix XenApp or XenDesktop servers that comprise the Virtual Desktop Infrastructure.

• To add a VDI server, click the Add Row button to open the Add or Edit VDI Server Dialog Box.

• To edit a rule, select it and click the Edit Row button.

• To delete a rule, select it and click the Delete button.

Enable Full Client

Whether to enable full client mode.

Mode

The mode in which to operate the SSL VPN:

• Use Other Access Modes if Secure Client Client Download Fails—If the full client fails to download to the remote user, allow the user to make clientless or thin client access to the VPN.

• Full Client Only—Prohibit clientless or thin client access. The user must have the full client installed and functional to connect to the VPN.

Keep Secure Client on Client System

Whether to leave the Secure Client installed on the client system after the client disconnects. If you do not leave the client installed, it must be download each time the user connects to the gateway.

Enable Keepalive Messages

Whether to exchange keepalive messages between peers to demonstrate that they are available to send and receive data in the tunnel. Keepalive messages transmit at set intervals, and any disruption in that interval results in the creation of a new tunnel using a backup device.

If you select this option, enter the time interval (in seconds) that the remote client waits between sending IKE keepalive packets in the Interval field.

SSL Compression

Whether to enable data compression, and if so, the method of data compression to use: None, Deflate, or LZS. Data compression speeds up transmission rates for remote dial-in users connecting with modems.

Client Dead Peer Detection Timeout (sec)

The time interval, in seconds, that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the remote user.

DPD is used to send keepalive messages between peer devices only when no incoming traffic is received and outbound traffic needs to be sent.

Gateway Dead Peer Detection Timeout (sec)

The time interval, in seconds, that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the gateway.

Key Renegotiation Method

The method by which the tunnel key is refreshed for the remote user group client:

• Disabled—Disables the tunnel key refresh.

• Use Existing Tunnel—Renegotiates the SSL tunnel connection.

• Create New Tunnel—Initiates a new tunnel connection.

Enter the time interval (in minutes) between the tunnel refresh cycles in the Interval field.

Enable Datagram Transport Layer Security

Whether to enable Datagram Transport Layer Security (DTLS) connections for the group.

Enabling DTLS allows the Secure Client establishing an SSL VPN connection to use two simultaneous tunnels, an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

Datagram Transport Layer Security Compression

Whether to compress Datagram Transport Layer Security (DTLS) connections for the group, and if so, the method of data compression to use: None, Default, or LZS.

Ignore Don’t Fragment (DF) bit

Whether to ignore the DF bit in packets that need fragmentation. This feature allows the force fragmentation of packets that have the DF bit set, allowing them to pass through the tunnel. An example use case is for servers in your network that do not respond correctly to TCP MSS negotiations.

Secure Client Module

The modules that the Secure Client needs to enable optional features. Click Select to select the applicable modules from the Add Secure Client Module dialog box.

• Secure Client DART—Select this module to enable the Secure Client Diagnostics and Reporting Tool (DART), which bundles specified log files and diagnostic information that can be used for analyzing and debugging the client connection.

• Secure Client Network Access Manager—Select this module to enable the Network Access Manager, which enforces administratively defined end user and authentication policies and makes the pre-configured network profiles available to end users.

• Secure Client SBL—Select this module to enable Start Before Logon (SBL), which forces the user to connect to the enterprise infrastructure over a VPN connection before logging on to Windows by starting Secure Client before the Windows login dialog box appears. After authenticating to the ASA, the Windows login dialog appears, and the user logs in as usual. SBL is only available for Windows and lets you control the use of login scripts, password caching, mapping network drives to local drives, and more.

• Secure Client Web Security Module—Select this module to enable the Secure Client Web Security module, which is an endpoint component that routes HTTP traffic to a ScanSafe scanning proxy where the ScanSafe web scanning service evaluates it.

• Secure Client Telemetry Module—Select this module to enable the Secure Client telemetry module for Secure Client, which sends information about the origin of malicious content to the web filtering infrastructure of the Cisco IronPort Web Security Appliance (WSA). The web filtering infrastructure uses this data to strengthen its web security scanning algorithms, improve the accuracy of the URL categories and web reputation database, and ultimately provide better URL filtering rules.

• Secure Client ISE Network Setup Assistant—Select this module to enable the Secure Client ISE Network Setup Assistant module.

• Secure Client ISE Posture—Select this module to enable the Secure Client ISE Posture module.

• Secure Client Posture Module—Select this module to enable the Secure Client Posture Module, which provides the Secure Client the ability to identify the operating system, antivirus, antispyware, and firewall software installed on the host. The Host Scan application, which is among the components delivered by the posture module, is the application that gathers this information.

Secure Client MTU

The maximum transmission unit (MTU) size for SSL VPN connections established by the Cisco AnyConnect VPN Client.

Secure Client Always-On VPN

Always-On VPN enables AnyConnnect to automatically establish a VPN session after you log onto the system. Note that until you log off from the system, the VPN session will remain open.

Select one of these options:

• None—Secure Client service profile remains unchanged. It inherits the value from the default group policy.

• Secure Client Profile Setting—Always-On VPN option configured in the AnyConnect VPN profile is used by the Secure Client.

• Disable—disables the Always-On VPN option.

Secure Client Profile Name

The name of the Secure Client profile to use for the group. You can enter multiple profile names each separated by a comma. You must configure this name and relate it to a profile in the Remote Access VPN > SSL VPN > Other Settings policy.

• Webvpn—Secure Client profiles

Prompt User to Choose Client

Time User Has to Choose

Default Location

Whether to ask the user to download the client. Enter the number of seconds the user has to make a selection in the Time User Has to Choose field. The default is 120 seconds.

If you do not select this option, the user is immediately taken to the default location. The user is also taken to the default location after the time to choose expires.

• Web Portal—The portal page is loaded in the web browser.

• Secure Client Client—The Secure Client is downloaded.

Security Group Tag

ASA Version 9.3(1)+ supports security group tagging of VPN sessions. A Security Group Tag (SGT) can be assigned to a VPN session using an external AAA server, or by configuration of the local user database. This tag can then be propagated through the Cisco TrustSec system over Layer 2 Ethernet. Security group tags are useful on group policies and for local users when the AAA server cannot provide an SGT.

When the Default check box is selected, no Security Group Tag is assigned.

To specify a Security Group Tag, clear the Default check box and then enter the numerical value of the SGT tag that will be assigned to VPN users connecting with this group policy in the Security Group Tag field. Valid values are from 2 to 65519.

Periodic Certificate Verification

Whether to enable periodic validation and revocation checking of the client certificates in VPN sessions. If you select this option, enter the interval of time, in hours, between 1 to 168. This feature is supported only in devices running ASA software version 9.4(1) or later.

Periodic certificate verification is disabled by default.

Secure Client Firewall-Client Public ACL

The name of the Extended or Unified access control list or policy object to use to restrict user access to the SSL VPN. Public rules are applied to all interfaces on the client. Enter the name of the object or click Select to select it from a list or to create a new object.

Unified ACLs are supported from ASA version 9.0. The default is Extended. If the device version is later than ASA 9.0, all the Secure Client values are discovered as Unified ACL and deployed during deployment.

Secure Client Firewall-Client Private ACL

The name of the Extended or Unified access control list policy object to use to restrict user access to the SSL VPN. Private rules are applied to the Virtual Adapter. Enter the name of the object or click Select to select it from a list or to create a new object.

Unified ACLs are supported from ASA version 9.0. The default is Extended. If the device version is later than ASA 9.0, all the Secure Client values are discovered as Unified ACL and deployed during deployment.

Secure Client Custom Attributes table

The Secure Client Custom Attribute table lists the custom attributes, names, and the corresponding values that are assigned to this group policy. Secure Client custom attributes that are defined on the Secure Client Custom Attribute tab of the SSL VPN Other Settings page are listed here (see Configuring Secure Client Custom Attributes (ASA)). Beginning with version 4.7, Security Manager enables to add a Custom Attribute Data to an existing Custom Attribute Type.

You can add or remove the custom attributes for a group policy, and configure values for each attribute.

• To add a custom attribute and its value click the Add Row button beneath the table and fill in the Add Secure Client Custom Attribute dialog box.

• To edit a custom attribute and its value, select it, click the Edit Row button, and make your changes in the Edit Secure Client Custom Attribute dialog box.

• To delete a custom attribute, select it and click the Delete Row button. You are asked to confirm the deletion.

For more details, see Add/Edit Secure Client Custom Attribute Dialog Box.

Home Page

The URL of the SSL VPN home page. The URL is free text. The page is displayed when users log into the VPN. If you do not enter a URL, no home page is displayed.

Beginning with version 4.12, Security Manager supports IPv6 address in the Home Page URL for ASA devices running the software version 9.0 or later. The format for the Home Page URL for IPv6 address is: http://[IPv6 address]/appname.The Home page URL should be prefixed with http:// (or) https://

Authentication Failure Message

The message to deliver to a remote user who successfully logs into the VPN but has no VPN privileges, and so can do nothing. The default message is:

“Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.”

Minimum Keepalive Object Size (kilobytes)

The minimum size (in kilobytes) of an IKE keepalive packet that can be stored in the cache on the security appliance.

Single Sign On Server

The name of the single sign on (SSO) server policy object that identifies the server to use for this group, if any. An SSO server allows users to enter their username and password once and be able to access other server in the network without logging into each of them. If configure an SSO server, also configure the auto signon rules table.

Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Add or Edit Single Sign On Server Dialog Boxes.

Enable HTTP Compression

Whether to allow an HTTP compressed object to be cached on the security appliance.

Auto Signon Rules table

If you configure a single sign on server, the auto signon rules table contains the rules that determine which internal servers are provided the user’s credentials. Thus, you can provide single sign on for some servers in your network but not others.

Each rule is an allow rule, and indicates the IP address, subnet, or Universal Resource Identifier (URI) that identifies the server, and the type of authentication that will be sent to the server when the user tries to access it (either basic HTML, NTLM, FTP, or all of these). The rules are processed in order, top to bottom, and the first match is applied. Therefore, be sure to order the rules correctly using the up and down arrow buttons.

If the user accesses a server that is not identified in one of these rules, the user must log into the server to gain access.

• To add a rule, click the Add Row button to open the Add or Edit Auto Signon Rules Dialog Box.

• To edit a rule, select it and click the Edit Row button.

• To delete a rule, select it and click the Delete Row button.

Portal Page Customization

The name of the SSL VPN customization policy object that defines the appearance of the portal web page. The portal page allows the remote user access to all the resources available on the SSL VPN network. If you do not specify an object, the default page appearance is used.

Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Configuring ASA Portal Appearance Using SSL VPN Customization Objects.

User Storage Location

The location where personalized user information is stored between clientless SSL VPN sessions. If you do not specify a location, information is not stored between sessions. Stored information is encrypted.

Enter a file system designation in the following format:

protocol://username:password@host:port/path

Where protocol is the protocol of the server, username and password are a valid user account on the server, and host is the name of the server. Also indicate the port number (if you do not use the default for the protocol) and directory path of the location on the server to use. For example:

cifs://newuser:12345678@anyfiler02a/new_share

Storage Key

Confirm

The storage key used to protect data stored between sessions. Spaces are not supported.

Post Max Size

The maximum size allowed for a posted object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent posting.

Upload Max Size

The maximum size allowed for a uploaded object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent uploading.

Download Max Size

The maximum size allowed for a downloaded object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent downloads.

Primary IPv4 DNS Server

The IPv4 address of the primary DNS server for the group. Enter the IPv4 address or the name of a network/host object, or click Select to select an object from a list or to create a new object. Primary IPv4 DNS Server address is mandatory to be able to configure Secondary IPv4 DNS Server.

Secondary IPv4 DNS Server

The IPv4 address of the secondary DNS server for the group. Enter the IPv4 address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Primary IPv6 DNS Server

The IPv6 address of the primary DNS server for the group. Enter the IPv6 address or the name of a network/host object, or click Select to select an object from a list or to create a new object. Beginning with version 4.12, Security Manager supports IPv6 addresses for ASA devices 9.0 or later. Primary IPv6 DNS Server address is mandatory to be able to configure Secondary IPv6 DNS Server.

Secondary IPv6 DNS Server

The IPv6 address of the secondary DNS server for the group. Enter the IPv6 address or the name of a network/host object, or click Select to select an object from a list or to create a new object. Beginning with version 4.12, Security Manager supports IPv6 addresses for ASA devices 9.0 or later.

Primary WINS Server

The IP address of the primary WINS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Secondary WINS Server

The IP address of the primary WINS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

DHCP Network Scope

The scope of the DHCP network for the group. Enter the IP network address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Default Domain

The default domain name for the group. The default, blank, is none.

DNS Names

A list of domain names to be resolved through the split tunnel. All other names are resolved using the public DNS server. If you do not enter a list, the list is inherited from the default group policy.

Separate multiple entries with spaces or commas. The entire string can be a maximum of 255 characters.

Send all DNS traffic through the tunnel

Whether the Secure Client should resolve all DNS addresses through the VPN tunnel (SSL or IPsec/IKEv2). If DNS resolution through the tunnel fails, the address remains unresolved and the Secure Client does not try to resolve the address through public DNS servers.

If you do not select this option, the client sends DNS queries over the tunnel according to the split tunnel policy specified by the Tunnel Option setting.

Tunnel Option

The policy you want to enable for split tunneling:

• Disabled—(Default) No traffic goes in the clear or to any other destination than the security appliance. Remote users reach networks through the corporate network and do not have access to local networks.

• Tunnel Specified Traffic—Tunnel all traffic from or to the networks permitted in the network ACL. Traffic to all other addresses travels in the clear and is routed by the remote user’s Internet service provider.

• Exclude Specified Traffic—Traffic goes in the clear from and to the networks permitted in the network ACL. This is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN Client.

IPv6 Tunnel Option

Beginning with version 4.10, Security Manager provides support for IPv6 traffic for Split Tunneling from ASA version 9.0.

The policy you want to enable for split tunneling:

• Disabled—(Default) No traffic goes in the clear or to any other destination than the security appliance. Remote users reach networks through the corporate network and do not have access to local networks.

• Tunnel Specified Traffic—Tunnel all traffic from or to the networks permitted in the network ACL. Traffic to all other addresses travels in the clear and is routed by the remote user’s Internet service provider.

• Exclude Specified Traffic—Traffic goes in the clear from and to the networks permitted in the network ACL. This is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN Client.

Networks

The name of a standard, extended, or unified access control list policy object that identifies the networks that require traffic to travel across the tunnel and those that do not require tunneling. Unified ACLs are supported from ASA version 9.0. How permit and deny are interpreted depends on your selection for Tunnel Option.

Enter the name of the object, or click Select to select it from a list or to create a new object. If you do not specify an ACL, the network list is inherited from the default group policy.

Filter ACL

The name of the extended access control list (ACL) policy object to use for filtering traffic on the VPN connection. The ACL determines which traffic is permitted or denied. Enter the name of the object or click Select to select it from a list or to create a new object. Beginning with version 4.10 and ASA version 9.0, you can select from a list of Standard, Extended, or Unified ACL objects.

This ACL does not apply to clientless SSL VPN connections.

Banner Text

The banner, or welcome text, to display on remote clients when they connect to the VPN.

• Beginning with version 4.9, Security Manager supports up to 4000 characters for the banner text for ASA devices on version 9.5(1) or later.

• For ASA version lower than 9.5(1), Security Manager allows you to enter up to 500 characters for the banner text.

IPv4 Address Pools

Specifies the name of one or more IPv4 address pools to use for this group policy. Enter the names of the IPv4 address pool objects separated by a comma or click Select to select the objects from a list or to create a new objects.

IPv6 Address Pools

Specifies the name of one or more IPv6 address pools to use for this group policy. Enter the names of the IPv6 address pool objects separated by a comma or click Select to select the objects from a list or to create a new objects. Beginning with version 4.12, Security Manager supports IPv6 address pools for ASA devices 9.0 or later.

Access hours

The name of a time range policy object that specifies the times that users are allowed to access the VPN. If you do not specify a time range, users can access the VPN at all times. Specify a time range if you want to limit access to the network to certain hours, such as the typical work days and work hours for your organization.

Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Configuring Time Range Objects.

Max Simultaneous Logins

The number of simultaneous logins a single user is allowed. Values are 0-2147483647. The default is 3. Specify 0 to disable logins and prevent user access.

Max Connection Time

The maximum amount of time a user is allowed to be connected to the VPN. Select one of the following:

• Specified Connection time—Use the maximum time value that you enter. Values are 1-4473924 minutes. After the time is exceeded, the security appliance closes the connection.

• Unlimited Connection time—The security appliance does not close connections based on connection time.

Idle Timeout

The amount of time a user is allowed to be connected to the VPN while the connection is idle, that is, there is no communication activity. Select one of the following:

• Specified Timeout—Use the time out value you enter. Values are 1-35791394 minutes. When the idle time is exceeded, the security appliance closes the connection. The default is 30 minutes.

• Unlimited Timeout—The security appliance does not close idle connections.

VLAN Mapping

VLAN ID

The VLAN ID value can be between 1 and 4094 and must correspond to a VLAN interface on the ASA.

The VLAN mapping feature on the ASA allows for traffic from VPN connections to be directed to a specified VLAN interface.

Beginning with Cisco Security Manager version 4.10 and ASA version 9.5(1), you can assign IPv6 addresses to remote users.

Beginning with Cisco Security Manager version 4.17, you can configure VLAN on ASA 9.9(2) or later multi-context devices.

Image Repository

Lists the available files you can use for defining your file object. The available files are managed using Image Manager. For more information, see Image Manager Supported Image Types.

File selected

Shows the currently select file object.

Files of Type

Filters the list of files. Options are:

• Cisco Secure Desktop Package

• Plug-In—For browser plug-in files.

• Secure Client Image

• Hostscan Image

• All

Local TCP Port

The port number to which the local application is mapped (between 1 and 65535).

Remote Server

IPv4/IPv6 Address

Name

The IPv4 or IPv6 address or fully qualified domain name of the remote server. Select the type of entry and enter the IP address or name.

Beginning with version 4.12, Security Manager supports IPv6 addresses for ASA devices running the software version 9.0 or later.

For the IP address, you can enter the name of a network/host object that specifies the remote server’s IP address, or click Select to select it from a list or to create a new object.

Remote TCP Port

The port number of the application for which port forwarding is configured (between 1 and 65535).

Description

A description of the port forwarding entry. This information is mandatory on Cisco IOS devices.

Bookmark Option

Select whether you want to define a new SSL VPN Bookmark entry or use the entries from an existing object:

• Enter Bookmark—You want to define a bookmark entry.

• Include Existing Bookmarks—You want to include bookmark entries defined in an existing SSL VPN Bookmark object. Enter the name of the object or click Select to select it from a list or to create a new object.

• Predefined Application Templates—You want to use a predefined template that contains the pre-filled necessary values for certain well-defined applications.

Select Auto sign-on Application

If you selected Predefined Application Templates as the Bookmark Option, select the auto sign-on application whose template you want to use:

• Citrix XenApp

• Citrix XenDesktop

• Domino Web Access

• Microsoft Outlook Web Access 2010

• Microsoft Outlook Web Access 2013 (ASA 9.4(1)+ only)

• Microsoft SharePoint 2007

• Microsoft SharePoint 2010

• Microsoft SharePoint 2013 (ASA 9.5(1)+ only)

• Citrix StoreFront 2.1 (ASA 9.3(1)+ only)

• Citrix StoreFront 2.5 (ASA 9.4(1)+ only)

After selecting an auto sign-on application, the Advanced Form and URL Settings are populated based on the selected application.

Title

The text label that the user sees for the bookmark.

URL

The Universal Resource Locator address for the bookmark. Select the protocol for the bookmark and enter the rest of the URL in the edit box.

Settings

These settings are applicable only to SSL VPN portals hosted on ASA devices running software version 8.x or later. Do not configure these settings for SSL VPN Bookmark objects that you will use on other devices.

Subtitle

An additional user-visible title that describes the bookmark entry.

Thumbnail

The File object that represents an icon you want to associate with the bookmark on the Portal. Enter the name of the File object or click Select to select it from a list or to create a new object.

Authentication Access

Whether to display the thumbnail only on the Portal page. If you deselect this option, the thumbnail is also displayed on the Logon page.

Enable Favorite URL Option

Whether to display the bookmark entry on the portal home page. Deselect the check box if you want the bookmark entry to appear on the application page only.

Advanced Form and URL Settings

These settings are applicable only to SSL VPN portals hosted on ASA devices running software version 8.x or later. Do not configure these settings for SSL VPN Bookmark objects that you will use on other devices.

URL Method

Select the required URL method from the list:

• Get—Select this option if you want simple data retrieval.

• Post—Select this option when processing the data might involve changes to it, for example, storing or updating data, ordering a product, or sending e-mail. If you select this option, you must configure the Post parameters in the Post Parameters table.

• Auto Sign-on Form—Select this option if you want to use auto sign-on.

Enable Smart Tunnel Option

(Get and Post URL Method only)

Whether to open the bookmark in a new window that uses the smart tunnel functionality to pass data to and from the security appliance.

Preload Page Options

(Get and Post URL Method only)

Optionally, configure the following Preload options:

Preload URL—The URL of a page to load before the bookmark link is loaded.

Wait Time—The time to allow for loading of the page before you are forwarded to the actual POST URL.

Auto Sign-on (ASA 9.0.1+ only)

(Auto Sign-on Form URL Method only)

When Auto Sign-on Form is selected as the URL Method, configure the following options:

Login Page URL—The URL of the login page for which to auto sign-on.

Landing Page URL—The URL of the page that is loaded after a successful login. The ASA requires the Landing Page to be configured to detect a successful login to the application.

Pre-Login Page URL—The URL of the page which is loaded before the login page. This page will require user interaction to proceed to the login screen.

Control ID—The ID of the control/tag that will get a click event on the pre-login page URL to proceed to the login page.

Post Parameters

The list of the names and values of the Post parameters for the bookmark entry.

• To add a parameter, click the Add button and fill in the Add Post Parameter dialog box (see Add and Edit Post Parameter Dialog Boxes).

• To edit a parameter, select it and click the Edit button.

• To delete a parameter, select it and click the Delete button.

Post Script

An optional field for entering JavaScript required by some applications. Some Web applications, such as Microsoft Outlook Web Access, may execute a JavaScript to change the request parameters before the log-on form is submitted.

Name

The name of the post parameter exactly as defined in the corresponding HTML form. For example, param_name in <input name=“param_name ” value=“param_value ”>.

Value

The value of the post parameter exactly as defined in the corresponding HTML form. For example, param_value in <input name=“param_name ” value=“param_value ”>.

Select one of the following:

• CSCO_WEBVPN_USERNAME—SSL VPN user login ID.

• CSCO_WEBVPN_PASSWORD—SSL VPN user login password.

• CSCO_WEBVPN_INTERNAL_PASSWORD—SSL VPN user internal resource password. This is a cached credential, and not authenticated by a AAA server. If a user enters this value, it is used as the password for auto sign-on, instead of the password value.

• CSCO_WEBVPN_CONNECTION_PROFILE—SSL VPN user login group drop-down, a group alias within the connection profile.

• CSCO_WEBVPN_DYNAMIC_URL1—A single bookmark that can generate multiple bookmark links on the user’s portal. This macro takes delimiter as an option, where delimiter is an administrator-supplied string which includes the characters used to separate the LDAP-mapped string into a list of values, using one delimiter per use of the macro.

• CSCO_WEBVPN_DYNAMIC_URL2—A single bookmark that can generate multiple bookmark links on the user’s portal. This macro takes delimiter as an option, where delimiter is an administrator-supplied string which includes the characters used to separate the LDAP-mapped string into a list of values, using one delimiter per use of the macro.

• CSCO_WEBVPN_MACRO1—Set via the RADIUS/LDAP vendor-specific attribute. If you are mapping this from LDAP via an ldap-attribute-map, the Cisco attribute that uses this variable is WEBVPN-Macro-Substitution-Value1. Variable substitution via RADIUS is performed by VSA#223.

• CSCO_WEBVPN_MACRO2—Set via the RADIUS/LDAP vendor-specific attribute. If you are mapping this from LDAP via an ldap-attribute-map, the Cisco attribute that uses this variable is WEBVPN-Macro-Substitution-Value2. Variable substitution via RADIUS is performed by VSA#224.

• CSCO_WEBVPN_MACROLIST1 and CSCO_WEBVPN_MACROLIST2—Statically configured bookmarks which can use arbitrarily-sized lists provided by LDAP attribute maps.

These macros take the following three parameters:

• Delimiter—Delimiter is an administrator-supplied string which includes the characters used to separate the LDAP-mapped string into a list of values, using one delimiter per use of the macro.

• Index—Index is an administrator-supplied integer which specifies the number of the element in the list to select. The value can range between 1 and 128.

• URL Encoding—URL Encoding is the choice to apply the LDAP string before it is substituted into the ASA device’s request. You can select one of the following values:

• None—No transformation occurs on the string value before sending to the backend server.

• url-encode—Each parsed value is URL encoded, except for a list of reserved characters that make up the special characters in a URL.

• url-encode-data—Each parsed value is transformed fully with URL encoding.

• base64—Each parsed value is base 64 encoded.

• CSCO_WEBVPN_PRIMARY_USERNAME—Primary user login ID when double authentication is enabled and login ID has primary login username.

• CSCO_WEBVPN_SECONDARY_USERNAME—Secondary user login ID when double authentication is enabled.

• CSCO_WEBVPN_PRIMARY_PASSWORD—Primary user login password for double authentication.

• CSCO_WEBVPN_SECONDARY_PASSWORD—Secondary user login ID for double authentication.

Display Title Panel

Whether to display a title panel within the web page. The default is to not display a title. If you select this option, you can configure the title using the other fields on this page.

Gradient

Whether to have the background color change in a gradual progression.

Title Text

The text to display in the title panel.

Font Weight

Font Size

Font Color

The characteristics of the font used for the title text. You can select a weight, font size, and color. Click Select to choose a font color.

Background Color

The color of the background of the title panel. Click Select to choose a color.

Style (CSS)

Cascading Style Sheet (CSS) parameters that define the style characteristics of the title panel. You can include a maximum of 256 characters.

Logo Image

The File policy object that identifies the logo image you want to include in the title panel, if any. Enter the name of the File object or click Select to select it from a list or to create a new object.

For more information about File objects, see Add and Edit File Object Dialog Boxes.

Automatic Browser Language Selection

This table lists the languages you will support on the web pages for automatic browser language selection. Automatic browser language select allows the ASA device to negotiate with the user’s web browser to determine the language in which to present the web pages. You must configure a translation table on the ASA device for any language you list here. For more detailed information about automatic browser language selection, see Localizing SSL VPN Web Pages for ASA Devices.

Languages are listed by their abbreviation in the table. The languages are evaluated top to bottom until a match is found. The language that is indicated as the default language (indicated as True in the table) is used if the device is unable to negotiate a different language with the browser. If you do not specify a default, English is the default.

• To add a language, click the Add Row button below the table.

• To edit a language, select it and click the Edit Row button.

• To delete a language, select it and click the Delete Row button.

Enable Language Selector

Whether to display the Language Selector on the Logon page. The Language Selector allows users to select their preferred language. The Language Selector is complementary to the automatic browser language selection capability.

Language Selector Prompt

The text label for the Language Selector prompt.

Language Table

The list of languages included in the Language Selector drop-down list. You must configure a translation table on the ASA device for any language you list here. For more detailed information, see Localizing SSL VPN Web Pages for ASA Devices.

The table lists the languages by abbreviation and title, or the common name of the language. The title is the text displayed in the drop-down list. You can change the language title but not the abbreviation.

• To add a language, click the Add Row button below the table.

• To edit a language, select it and click the Edit Row button.

• To delete a language, select it and click the Delete Row button.

Title

The text displayed as the title of the login box.

Message

The message that appears in the login box above the username and password fields. You can enter a maximum of 256 characters.

Username Prompt

The text of the prompt for the username entry field.

Password Prompt

The text of the prompt for the password entry field.

Secondary Username Prompt

Secondary Password Prompt

The prompts for a second username and password if you require two login credentials. You can enable secondary authentication only if the Connection Profile policy is configured to require it.

The secondary username and password prompt are displayed only if you configure them. If you leave the username prompt blank, the primary username is used and the secondary password must be associated with the primary username.

Internal Password Prompt

The text of the prompt for the internal password entry field.

Show Internal Password First

Whether the prompt for the internal password should be placed above the password prompt. The internal password is required when using a clientless SSL VPN to access an internal protected website.

Group Selector Prompt

The text of the prompt for the Group Selector drop-down list.

Button Text

The name of the button the user clicks to log onto the SSL VPN.

Border Color

The color of the border of the login box. Click Select to choose a color.

Title Font Color

The color of the font for the login box title. Click Select to choose a color.

Title Background Color

The background color for the Title area of the login box. Click Select to choose a color.

Font Color

The color of the font of the login form. Click Select to choose a color.

Background Color

The background color for the login form. Click Select to choose a color.

Display Informational Panel

Whether to display the Informational panel. The default is to not display the panel. If you select this option, you can configure the panel using the other fields on this page.

Panel Position

The location of the Informational panel, either to the left of the Logon box or to the right of it.

Text

The text that appears in the Informational panel. You can enter a maximum of 256 characters.

Logo Image

The File policy object that identifies the logo image you want to include in the Informational panel, if any. Enter the name of the File object or click Select to select it from a list or to create a new object.

For more information about File objects, see Add and Edit File Object Dialog Boxes.

Image Position

The position of the logo image in the panel, either above the text or below it.

Display Copyright Panel

Whether to display the Copyright panel. The default is to not display the panel. If you select this option, you can configure the panel using the other fields on this page.

Text

The text that appears in the copyright panel. You can enter a maximum of 256 characters.

Enable Full Customization

Whether you want to use your own custom Logon page. If you enable full customization, all of the other Logon page configuration settings are ignored.

Custom Page

The custom Logon page. You must copy the file to the Security Manager server before specifying it here. Click Browse to select the file. For information on selecting files, see Selecting or Specifying a File or Directory in Security Manager.

Display Toolbar

Whether to display the toolbar. The default is to not display the toolbar. If you select this option, you can configure the toolbar using the other fields on this page.

Prompt Box Title

The text of the prompt for the field where users select the protocol of the target web page and enter the URL.

Browse Button Text

The name of the button the user clicks to go to the target URL.

Logout Prompt

The text of the prompt for logging out of the SSL VPN.

User Prompt (only for ASA 9.7.1+)

The text of the prompt for a user currently logging into the remote access VPN.

No.

Move Up and Move Down buttons (below the table)

The sequential number of the application in the table. To change the order of an application, select it and click the Move Up or Move down buttons to the desired position. The applications appear on the Portal page in the order represented here.

Application

The graphic associated with an application.

Title

The name of the application. Standard applications include Home, Web Applications, Browse Networks, Application Access, and Secure Client. Also listed are the browser plug-ins that you create when you configure the SSL VPN global settings are also available for selection from this page.

Double-click a title to make it editable so that you can change the name.

Enable

Whether the application is included on the Portal page.

Show Navigation Panel

Whether to display the navigation panel in the portal page. If you deselect this option, the list of applications does not appear on the portal.

Columns table

The list of columns that the main body of the Portal page should be divided into. You define the column based on a percentage of the width of the page. The percentages should add up to 100. If they do not add up to 100, the device will adjust the column widths.

Create the columns as you want them to appear, left to right, on the Portal page.

• To add a column, click the Add Row button below the table.

• To edit a column, select it and click the Edit Row button.

• To delete a column, select it and click the Delete Row button.

Custom Panes table

The custom panes that should appear in the main body of the Portal page. The table shows whether a pane is enabled to appear, the type of pane, its characteristics, and the column and row in which it will appear on the page. The panes can display plain text or include a URL for HTML, image, or RSS links.

For more detailed information about the settings, see Add or Edit Custom Pane Dialog Boxes.

• To add a custom pane, click the Add Row button below the table.

• To edit a custom pane, select it and click the Edit Row button.

• To delete a custom pane, select it and click the Delete Row button.

Enable Custom Intranet Web Page

Whether to display a custom Intranet web page, which also enables URL bookmarks to be displayed on the Portal page. If you select this option, you can configure the panel using the other fields on this page.

URL List Mode

How you want to display URL lists on the home page. If you display URL lists, they are displayed in the column cells that are not occupied by custom panes (as configured on Portal Page > Custom Panes). The options are:

• Group By Application—Bookmarks are grouped by application type. For example, Web Bookmarks, File Bookmarks.

• No Group—URL lists are shown as separate panes.

• Do Not Display—URL lists are not shown.

Custom Intranet Web Page URL

The URL of the custom web page that you want to be loaded as the home page. This page is displayed in the main body of the Portal page.

If you specify a custom page, the settings on the Custom Panes page are ignored, and bookmark lists appear on the application pages that are accessed through the navigation panel on the left of the Portal page.

Title

The text to display in the title panel.

Text

The message to display on the Logout page. Click Preview to see the default logout message. You can enter a maximum of 256 characters.

Show Login Button

Login Button Text

Whether to display the Login button on the page. Displaying the button makes it easier for the user to log back into the portal.

If you enable the button, you can specify the name of the button in the Login Button Text field.

Border Color

The color of the border around the logout box. Click Select to choose a color.

Title Font Color

Title Background Color

The color of the font and background for the title area of the page. Click Select to choose a color.

Font Color

Background Color

The font and background color of the message that appears in the logout box. Click Select to choose a color.

App Name

The name of the application to which you are allowing smart tunnel access. The name can be up to 64 characters. Consider including the version number of the application if you are allowing more than one version smart tunnel access.

App Path

The filename and optionally, the path, of the application. This entry can be up to 128 characters. Use one of the following:

• Filename—For example, outlook.exe. By only specifying the file name, it does not matter where users install the application on their workstations. However, the file name must match exactly.

• Full path and filename—For example, C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE. This allows the application smart tunnel access only if it is installed in the specified directory, which you can use to enforce organizational standards.

Tips

• If you specify the full path, and the smart tunnel application stops working after it had been working for a while, it is likely that a product upgrade changed the installation path. Add a new entry that accounts for the new path.

• If you are granting smart tunnel access to an application that is started from the command line, create one entry for cmd.exe (the Windows command line), and another entry for the application.

Platform

Specify the host operating system of the application:

• Windows

• Mac

Hash Value

(Optional) The hash value for the application. By specifying a hash value, you can ensure that the user does not rename another application to use a supported filename and thus start an unsupported and undesired application over the smart tunnel.

To obtain the hash value, enter the checksum of the application (that is, the checksum of the executable file) into a utility that calculates a hash using the SHA-1 algorithm. One example of such a utility is the Microsoft File Checksum Integrity Verifier (FCIV), which is available at http://support.microsoft.com/kb/841290/ . Place a temporary copy of the application to be hashed on a path that contains no spaces (for example, c:\temp) and then enter fciv.exe -sha1 application at the command line (for example, fciv.exe -sha1 c:\msimn.exe) to display the SHA-1 hash. Copy and paste the value into this field.

The SHA-1 hash is always 40 hexadecimal characters. Before authorizing an application for smart tunnel access, clientless SSL VPN calculates the hash of the application matching the App Name. It qualifies the application for smart tunnel access if the result matches the value of hash.

Because the checksum varies with each version or patch of an application, the hash you enter can match only one version or patch on the remote host. To specify a hash for more than one version of an application, create a unique smart tunnel entry for each hash value.

Host

The host mask that will be part of the smart tunnel network list entry.

IP Address

The IP address of the host that will be part of the smart tunnel network list entry. Beginning with version 4.12, Security Manager supports IPv6 addresses.

Subnet Mask

The subnet mask for the specified IP address.

Matching Mode:

• Host

• IPv4/IPv6 Address

Identifies the server for which to automate the submission of login credentials during smart tunnel setup. Use Host to specify the server by host name or wildcard mask, and use IP Address to specify the server by IP address and netmask:

• Host—Select Host and then enter the host name or a wildcard mask in the Hostname Mask field that identifies the host for which to automate the submission of login credentials during smart tunnel setup.

• IPv4/IPv6 Address—Select the IP Address and then enter the IP address and netmask of the host or sub-network of hosts for which to automate the submission of login credentials during smart tunnel setup.

Port Number

The port that performs auto sign-on. For Firefox, if no port number is specified, auto sign-on is performed on HTTP and HTTPS, accessed by default port numbers 80 and 443 respectively.

Authentication Realm

The realm for the authentication. The Authentication Realm is associated with the protected area of the website and is passed back to the browser either in the authentication prompt or in the HTTP headers during authentication. After auto sign-on is configured and a realm string is specified, users can configure the realm string on a web application (such as Outlook Web Access) and access web applications without signing on.

Use Domain

Select this option to add the Windows domain to the username if authentication requires it. If you use this option, be sure to specify the domain name when assigning the smart tunnel list to one or more group policies.

Preshared Key

The preshared key that will be used to authenticate the clients associated to the user group.

In regular IPsec VPNs, preshared keys allow for one or more peers to use individual shared secrets to authenticate encrypted tunnels. A preshared key must be configured on each participating peer. If one of the participating peers is not configured with the same preshared key, the IKE SA cannot be established.

In Easy VPN authentication, the same Easy VPN server key is used for the spoke configuration to ensure that the server/client keys match.

In remote access IPSec VPN authentication, the same key is used to negotiate a VPN connection between the remote access VPN server and the remote clients.

IP Address Pool Subnet/Ranges

The IP address ranges for a local pool that will be used to allocate an internal IP address to a client. Remote clients are assigned IP addresses from this pool. Separate multiple entries with commas. The default is 172.16.0.1-172.16.4.254.

Backup Servers IP Address

The IP address of the servers to be used as backups for the Easy VPN or remote access IPSec VPN server. The router tries to connect to these servers if the primary connection to the Easy VPN or remote access VPN server fails. Separate multiple entries with commas.

PIX Only Attributes

These attributes apply only to PIX 6.3 devices.

• Idle Time—The timeout period for VPN connections, in seconds. If no communication occurs on the connection during this period, the device terminates the connection. The minimum is 60 seconds, and the maximum time is 35791394 minutes. The default is 30 minutes.

• Max Time—The maximum amount of time for VPN connections, in seconds. At the end of the time, the device terminates the connection. The minimum is 60 seconds, and the maximum is 35791394 minutes. There is no default.

Primary DNS Server

The IP address of the primary DNS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Secondary DNS Server

The IP address of the secondary DNS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Domain Name

The domain name of the DNS server you want to configure on the user group.

Primary WINS Server

The IP address of the primary WINS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Secondary WINS Server

The IP address of the primary WINS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object.

Split Tunneling

The networks for which you want to tunnel traffic. Traffic to all other addresses travels in the clear and is routed by the remote user’s Internet service provider. You can identify the networks using one of these options:

• Protected Networks—Specify the networks by network addresses. Enter the addresses or network/host objects, or click Select to select the objects from a list or to create new objects. For information on specifying addresses, see Specifying IP Addresses During Policy Definition.

• ACL—Specify the networks using an extended access control list policy object. Enter the name of the object or click Select to select the object from a list or to create a new object.

Split DNS

A list of domain names that must be tunneled or resolved to the private network. All other names will be resolved through the public DNS server.

You can enter multiple domain names separated by commas.

Enable Firewall Are-You-There

(Not available on 7600 series or ASR routers.)

This feature may be used if a VPN client is running the Black Ice or Zone Alarm personal firewall.

When selected, it ensures that the personal firewall is running at connection time and throughout the connection. The Firewall-Are-U-There attribute is sent by the Black Ice and Zone Alarm personal firewalls if the server prompts them to do so. If the personal firewall stops running, the connection is terminated. If this feature is enabled and there is no personal firewall running on the server, the connection is never established.

Mode

A Central Policy Push (CPP) firewall policy on a server allows or denies a tunnel on the basis of whether the remote device has a required firewall for a local AAA server.

The Mode option specifies whether the Central Policy Push (CPP) policy is optional or mandatory, as follows:

• Optional—If the CPP policy is defined as optional, and is included in the Easy VPN server configuration, the tunnel setup is continued even if the client does not confirm the defined policy.

• Required—If the CPP policy is defined as mandatory and is included in the Easy VPN server configuration, the tunnel setup is allowed only if the client confirms this policy. Otherwise, the tunnel is terminated.

Firewall Type

The type of firewall that you are making required or optional. The list shows all of the supported firewall software, which includes software from Cisco and Zone Labs.

Policy Type

Specifies the CPP firewall policy type:

• Check Presence—Instructs the server to check for the presence of the specified firewall type.

• Central Policy Push—The actual policy, such as the input and output access lists, that must be applied by the specified client firewall type. Specify the following:

  • The access control list to be used. Enter the name of the extended ACL object or click Select to select it from a list or to create a new object.

  • The direction of the access control list—Inbound or Outbound.

Include Local LAN

Whether to allow a non split-tunneling connection to access the local LAN at the same time as the client.

Perfect Forward Secrecy

Whether to enable Perfect Forward Secrecy (PFS). If PFS is enabled, the server is configured to notify the client of the central-site policy about whether PFS is required for any IPsec SA. The Diffie-Hellman (D-H) group that is proposed for PFS is the same that was negotiated in Phase 1 of the IKE negotiation.

Banner

The banner text that is displayed to Easy VPN remote clients during Xauth and web-based activation the first time the Easy VPN tunnel is brought up. A maximum of 1024 characters is allowed.

Maximum Logins Per User

The maximum number of connections a user can establish simultaneously. The maximum is 10.

Maximum Connections

The maximum number of client connections to the Easy VPN Server from this group. The maximum is 5000 per group.

Enable Group-Lock

Whether to enable group lock, which requires that the user enter the extended Xauth username in one of the following formats:

• username/groupname

• username\groupname

• username@groupname

• username%groupname

The group that is specified after the delimiter is then compared to the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.

Enable Save Password

Whether to allow users to save their Xauth password locally on the client. On subsequent authentications, users can activate the password by using the check box on the software client or by adding the username and password to the Cisco IOS hardware client profile. After users activate the password, their username and password are sent to the server automatically during Xauth.

This option is useful only if users have static passwords, that is, they are not one-time passwords such as those that are generated by a token.

User Idle Timeout (sec)

The length of time that a VPN tunnel can remain open without user activity, in seconds. Values range from 60-86400 seconds.

User Authentication Server

The AAA server to which remote devices send user authentication requests. Enter the name of the server group or click Select to select it from a list or to create a new group. See Understanding AAA Server and Server Group Objects.

Enable Device Pass-Through

Whether to use Media Access Control (MAC) addresses to bypass authentication for devices, such as Cisco IP phones, that do not support AAA authentication.

When MAC-based AAA exemption is enabled, the device bypasses the AAA server for traffic that matches both the MAC address of the device and the IP address that was dynamically assigned by a DHCP server. Authorization services are disabled automatically when you bypass authentication. Accounting records continue to be generated (if enabled), but the username is not displayed.

Enable Secure Unit Authentication

Whether to provide increased security when allowing access to the device from a remote client.

With Secure Unit Authentication (SUA), you can use one-time passwords, two-factor authentication, and similar authentication schemes to authenticate the remote device during Extended Authentication (Xauth).

SUA is specified in the VPN policy on the device and is downloaded to the remote client. This enables SUA and determines the connection behavior of the remote client.

Enable User Authentication

Whether to enable Individual User Authentication (IUA), which supports individually authenticating clients on the inside network of the remote access VPN, based on the IP address of each inside client. IUA supports both static and OTP authentication mechanisms.

Portal Page Websites

The name of the SSL VPN bookmarks policy object that includes the web site URLs to display on the portal page. These web sites help users access desired resources. Enter the name of the object or click Select to select it from a list or to create a new object.

Allow Users to Enter Websites

Whether to allow the remote user to enter web site URLs directly into the browser. If you do not select this option, the user can access only those URLs included on the portal.

Enable Common Internet File System (CIFS)

In Clientless mode, files and directories created on Microsoft Windows servers can be accessed by the remote client through the web browser. When you enable the Common Internet File System (CIFS), a list of file server and directory links are displayed on the portal page after login.

The CIFS protocol lets you customize permissions on the SSL VPN gateway to allow shared files to be accessed or modified by the remote client, as follows:

• Enable File Browsing—Whether to allow the remote user to browse for file shares on the CIFS file servers.

• Enable File Entry—Whether to allow the remote user to locate file shares on the CIFS file servers by entering the names of the file shares.

WINS Server List

The name of the WINS server list policy object that identifies the WINS/NetBIOS servers to use for resolving file server names. You should supply an object if you enable CIFS. Enter the name of the object or click Select to select if from a list or to create a new object.

Enable Citrix

Whether to enable remote clients to run Citrix-enabled applications, such as Microsoft Word or Excel, through the SSL VPN as if the application were locally installed, without the need for client software. The Citrix software must be installed on one or more servers on a network that the router can reach.

Enable Thin Client

Whether to allow thin client access to the SSL VPN.

Port Forward List

The name of the port forwarding list policy object assigned to this group. Port forwarding lists contain the set of applications that users of clientless SSL VPN sessions can access over forwarded TCP ports. Enter the name of the object or click Select to select it from a list or to create a new object.

Download Port Forwarding Applet on Client Login

Whether the port forwarding Java applet should be automatically downloaded to the client when a user logs into the SSL VPN. If you do not automatically download the applet, users must download it manually after login.

Enable Full Tunnel

Whether to enable full tunnel client access to the SSL VPN.

Use Other Access Modes if SSL VPN Client Download Fails

Full Tunnel Only

Whether to allow users to connect to the SSL VPN even if a problem prevents the client from downloading, installing, and starting correctly on the user’s system.

If you select Full Tunnel Only, a user cannot connect to the SSL VPN if the download fails, which locks the user out of the network. Select Use Other Access Modes to allow clientless or thin client access if there is a download problem.

Client IP Address Pool

The IP address ranges of the address pool that full tunnel clients will draw from when they log on. The address pool must be in the same subnet as one of the device’s interface IP addresses.

Enter the address range separating the first and last IP address with a hyphen, for example, 10.100.10.2-10.100.10.255. If you enter a single address, the pool has just one address. Do not enter subnet designations.

You can also enter the name of a network/host policy object that defines the range, or click Select to select the object from a list or to create a new object. Separate multiple ranges with commas.

Filter ACL

The name of an extended access control list (ACL) object that restricts access to the SSL VPN. Enter the name of the object or click Select to select it from a list or to create a new object.

Keep SSL VPN Client on Client Computer

Whether to leave the full client installed on the user’s workstation after the user disconnects. If you do not allow the client to remain on the user’s system, the client must be downloaded each time the user establishes a connection to the SSL VPN gateway.

Home Page URL

The web address of the login home page for the full client.

Client Dead Peer Detection Timeout

The time interval that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the remote user. Enter a value in the range 1-3600 seconds.

Gateway Dead Peer Detection Timeout

The time interval that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the gateway. Enter a value in the range 1-3600 seconds.

Key Renegotiation Method

The method by which the tunnel key is refreshed for the remote user group client:

• Disabled—Disables the tunnel key refresh.

• Create New Tunnel—Initiates a new tunnel connection. Enter the time interval (in seconds) between the tunnel refresh cycles in the Interval field.

Tunnel Option

Whether to allow split tunneling and if so, which traffic should be secured or transmitted unencrypted across the public network:

• Disabled—(Default) No traffic goes in the clear or to any other destination than the gateway. Remote users reach networks through the corporate network and do not have access to local networks.

• Tunnel Specified Traffic—Tunnel all traffic from or to the addresses listed in the Destinations field. Traffic to all other addresses travels in the clear and is routed by the remote user’s Internet service provider.

• Exclude Specified Traffic—Traffic goes in the clear from and to the addresses listed in the Destinations field. This is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel.

Destinations

The IP addresses for hosts or networks that identify the networks that require traffic to travel across the tunnel and those that do not require tunneling. Whether traffic to these addresses is encrypted and tunneled to the gateway, or sent in the clear, is determined by your selection for Tunnel Option.

Enter network addresses such as 10.100.10.0/24 or host addresses such as 10.100.10.12. You can also enter the name of a network/host policy object, or click Select to select the object from a list or to create a new object. Separate multiple addresses with commas.

Exclude Local LANs

Whether to exclude local LANs from the encrypted tunnel. This option is available only if you selected the Exclude Specified Traffic tunnel option. By selecting this option, you do not have to enter local LAN addresses into the destinations field to allow users to communicate with systems (such as printers) that are attached to their LAN.

When selected, this attribute disallows a non split-tunneling connection to access the local subnetwork at the same time as the client.

Split DNS Names

A list of domain names to be resolved through the split tunnel to the private network. All other names are resolved using the public DNS server.

Enter up to 10 entries in the list of domains, separated by commas. The entire string can be no longer than 255 characters.

Browser Proxy Option

Whether and how to configure proxy settings on the remote client’s browser:

• Blank—Do not configure proxy settings.

• Do Not Use Proxy Server—Configure the browser to not use a proxy.

• Automatically Detect Settings—Configure the browser to automatically detect proxy settings.

• Bypass Proxy Server for Local Addresses—Configure the browser to bypass proxy settings configured by the user.

Proxy Server

The address of the proxy server:

• IP address—The IP address or the name of a network/host object that specifies the address. Click Select to select the object from a list.

• Name—The fully qualified domain name, for example, proxy.example.com.

Proxy Server Port

The port number on the server that is used for proxy traffic, for example, 80. Enter a value in the range 1-65535.

Do Not Use Proxy Server for Addresses Beginning With

If you configured a proxy, you can identify specific hosts for which the proxy should be bypassed. If the user opens these hosts in the browser, the proxy is not used in the connection.

Enter full IP addresses or fully qualified domain names. For example, 10.100.10.14 or www.cisco.com.

Idle Timeout

The idle timeout period for the SSL VPN session. The session is disconnected if the client is idle longer than the specified idle timeout. Values range from 0-3600 seconds.

Session Timeout

The timeout period for the SSL VPN session. The session is disconnected when this timeout is reached even if the user is still active. Values range from 1-1209600 seconds.

Banner Text

The banner, for example, a welcome message, that is displayed to remote users when they connect to the SSL VPN.

You cannot use double quotes or new lines (carriage returns) in the banner text. However, you can include HTML tags to create the desired layout.

Server

The IP address of the WINS server used to translate Windows file server names to IP addresses. You can also enter the name of a network/host policy object that identifies the server. Click Select to choose a network/hosts object or to create a new object.

Set as Primary Browser

Whether to set the server as the primary browser. The primary browser maintains the list of computers and shared resources.

Timeout

The period of time the security appliance waits for a response to a WINS query before sending the query again to the same server (if it is the only one), or to the next server (if there is more than one).

The default timeout is 2 seconds. The range is between 1 and 30 seconds.

Retries

The number of times to retry sending WINS queries to the configured servers. The security appliance recycles through the list of servers this number of times before sending an error message.

The default is 2. The range is between 0 and 10.