Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 29 Managing Remote Access VPNs: The Basics
Understanding Remote Access VPNs
Note: The TCP port-forwarding proxy works only with Sun’s Java Runtime Environment (JRE) version 1.4 or
later. A Java applet is loaded through the browser that verifies the JRE version. The Java applet refuses
to run if a compatible JRE version is not detected.
When using Thin Client mode, you should be aware of the following:
- The remote user must allow the Java applet to download and install.
- For TCP port-forwarding applications to work seamlessly, administrative privileges must be enabled
  for remote users.
- You cannot use Thin Client mode for applications such as FTP, where the ports are negotiated
  dynamically. That is, you can use TCP port forwarding only with static ports.
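
Why FTP does not fit static TCP port forwarding, shown as an added example that is not part of the Cisco guide: the server's passive-mode replies name a data port chosen per session, so a fixed forwarding list cannot contain it. The addresses, the forwarding set, and the sample replies are constructed for illustration.

```python
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 EPSV reply: 229 ... (|||port|); only the port is carried
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def negotiated_endpoint(reply, control_host):
    """Return the (host, port) an FTP server reply tells the client to open, or None."""
    m = PASV_RE.match(reply)
    if m:
        octets = [int(g) for g in m.groups()]
        if any(o > 255 for o in octets):
            raise ValueError("malformed PASV reply: " + reply)
        return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port < 65536:
            raise ValueError("malformed EPSV reply: " + reply)
        # EPSV data connections go to the same host as the control channel
        return control_host, port
    return None


def uncovered_data_channels(replies, control_host, static_forwards):
    """List negotiated data endpoints that no static forwarding entry covers."""
    missing = []
    for reply in replies:
        endpoint = negotiated_endpoint(reply, control_host)
        if endpoint is not None and endpoint not in static_forwards:
            missing.append(endpoint)
    return missing


# Constructed sample: the forwarding list holds only the FTP control port
STATIC_FORWARDS = {("10.0.0.5", 21)}
SAMPLE_REPLIES = [
    "220 ftp.example.internal ready",
    "227 Entering Passive Mode (10,0,0,5,195,80)",
    "229 Entering Extended Passive Mode (|||50211|)",
]

if __name__ == "__main__":
    for host, port in uncovered_data_channels(SAMPLE_REPLIES, "10.0.0.5", STATIC_FORWARDS):
        print(f"data channel {host}:{port} has no static forward")
```
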
Full Tunnel Client Access Mode
Full Tunnel Client mode enables access to the corporate network completely over an SSL VPN tunnel,
which is used to move data at the network (IP) layer. This mode supports most IP-based applications,
such as Microsoft Outlook, Microsoft Exchange, Lotus Notes E-mail, and Telnet. Being part of the SSL
VPN is completely transparent to the applications run on the client. A Java applet is downloaded to
handle the tunneling between the client host and the SSL VPN gateway. The user can use any application
as if the client host were in the internal network.
The tunnel connection is determined by the group policy configuration. The SSL VPN client (SVC) or
AnyConnect client is downloaded and installed to the remote client, and the tunnel connection is
established when the remote user logs in to the SSL VPN gateway. By default, the client software is
removed from the remote client after the connection is closed, but you can keep it installed, if required.
Note: Full Tunnel SSL VPN access requires administrative privileges on the remote client.
Understanding and Managing SSL VPN Support Files
SSL VPNs sometimes require supporting files that reside in the device’s flash storage. This is especially
true of SSL VPNs configured on ASA devices. Supporting files include Cisco Secure Desktop (CSD)
packages, AnyConnect client images, and plug-in files. Security Manager includes many of these files
for your use. However, some supporting files, such as graphic files used for portal pages or client
profiles used for AnyConnect clients, are not provided by Security Manager.
Typically, you need to create a File Object to specify a supporting file, and you then select the File Object
when you create a policy that refers to it. You can create the File Objects that you need when you create
the policies, or you can create them before you start defining policies. For more information, see Add
and Edit File Object Dialog Boxes, page 33-25.
When you deploy policies to the devices, any supporting files referenced in your policies are copied to
the device and placed in flash memory in the \csm folder. For the most part, you do not have to do any
manual work to make this happen. The following are some situations where you might need to do some
manual work:
- If you are trying to discover existing SSL VPN policies, or rediscover them, file references from the
  SSL VPN policies must be correct. For detailed information on how supporting files are handled
  during policy discovery, see Discovering Remote Access VPN Policies, page 29-12.
- If you have configured the ASA device in an Active/Failover configuration, you must get the
  supporting files onto the failover device. The supporting files are not copied over to the failover
  device during a failover. You have these choices for getting the files onto the failover device: