30-48
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with SSL and IKEv2 IPSec VPN Policies
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy
Type selector. Select an existing policy or create a new one.
Step 2 On the Other Settings page, click the Proxy tab. The Proxy tab displays any currently defined proxies
and proxy rules.
Step 3 From the Proxy Type field, select the type of external proxy server to use for SSL VPN connections:
• HTTP/HTTPS Proxy Server—To specify proxy servers to handle HTTP or HTTPS requests.
• Proxy Using PAC—To specify a proxy auto-configuration (PAC) file to download from an HTTP
proxy server to the user’s browser. Once downloaded, the PAC file uses a JavaScript function to
identify a proxy for each URL.
If you select this option, enter the URL for the PAC file in the Specify Proxy Auto Config file URL
field. The URL must begin with http:// or the security appliance will not use the PAC file.
Step 4 If you select HTTP/HTTPS Proxy Server for the proxy type, configure the settings for the HTTP and
HTTPS proxy servers. There are separate settings for the HTTP and HTTPS server, allowing you to use
different servers, or to specify only one type of proxy. Configure the following options:
• Enable HTTP Proxy Server, Enable HTTPS Proxy Server—Select either or both of these options
to configure the proxy server.
• HTTP Proxy Server, HTTPS Proxy Server—Enter the IP address, or the name of a network/host
object that contains the single proxy server’s IP address, for each type of proxy server you are
configuring. You can click Select to select the object from a list or to create a new object.
The default ports are 80 for HTTP and 443 for HTTPS.
• HTTP Proxy Port, HTTPS Proxy Port—Enter the port on the proxy server to which HTTP or
HTTPS requests will be forwarded. You can also enter the name of a port list object that defines the
port, or click Select to select an object or to create a new one.
• Exception Address List—A URL or a comma-delimited list of several URLs to exclude from those
that should be sent to the HTTP or HTTPS proxy servers. The string does not have a character limit,
but the entire command cannot exceed 512 characters. You can specify literal URLs or use the
following wildcards:
– * to match any string, including slashes (/) and periods (.). You must accompany this wildcard
with an alphanumeric string.
– ? to match any single character, including slashes and periods.
– [x-y] to match any single character in the range of x and y, where x represents one character and
y represents another character in the ANSI character set.
– [!x-y] to match any single character that is not in the range.
• Authentication User Name, Authentication Password, Confirm—If the proxy server requires
user authentication, enter a valid user name and password.
Step 5 If necessary, configure proxy bypass rules in the Proxy Bypass table at the bottom of the tab. Proxy
bypass rules specify the ASA interface, port, and target URL configured for proxy bypass. Do any of the
following:
• To create a proxy bypass rule, click the Add Row button and fill in the Add Proxy Bypass dialog
box. For specific information on the attributes of a proxy bypass rule, see Add or Edit Proxy Bypass
Dialog Box, page 30-49.
• To edit a proxy bypass rule, select the rule and click the Edit Row button.
• To delete a rule, select it and click the Delete Row button. You are asked to confirm the deletion.
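The following Python sketch is an added example, not code from Cisco or from Security Manager. It audits an Exception Address List (Step 4) before deployment: it applies the four wildcards as described above, flags entries that break the stated rules, and lists which entries would exclude a given URL from the proxy. Because * matches slashes and periods, a broad entry can exclude more URLs than intended. Assumptions: a pattern must match the whole URL, matching is case-sensitive, and the 512-character check is applied to the list alone as a lower bound on the command length.

```python
import re
MAX_COMMAND_LEN = 512  # from the guide: the entire command cannot exceed 512 characters

def to_regex(pattern):
    """Compile one exception pattern using the guide's four wildcards."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")                 # any string, including / and .
        elif c == "?":
            out.append(".")                  # any single character, including / and .
        elif c == "[":
            end = pattern.find("]", i)
            m = re.fullmatch(r"(!?)(.)-(.)", pattern[i + 1:end]) if end != -1 else None
            if not m:
                raise ValueError("bad range in %r" % pattern)
            neg, lo, hi = m.groups()         # [x-y] or [!x-y]
            out.append("[%s%s-%s]" % ("^" if neg else "", re.escape(lo), re.escape(hi)))
            i = end
        else:
            out.append(re.escape(c))         # literal character
        i += 1
    return re.compile("".join(out), re.DOTALL)

def split_list(exception_list):
    return [p.strip() for p in exception_list.split(",") if p.strip()]

def lint(exception_list):
    """Return warnings for entries that break the rules stated in the guide."""
    warnings = []
    if len(exception_list) > MAX_COMMAND_LEN:
        warnings.append("list alone exceeds %d characters" % MAX_COMMAND_LEN)
    for p in split_list(exception_list):
        if "*" in p and not re.search(r"[A-Za-z0-9]", p):
            warnings.append("%r: '*' needs an alphanumeric string" % p)
        try:
            to_regex(p)
        except (ValueError, re.error) as exc:
            warnings.append("%r: %s" % (p, exc))
    return warnings

def matching_patterns(url, exception_list):
    """Entries that would exclude this URL from the proxy (whole-URL match assumed)."""
    return [p for p in split_list(exception_list) if to_regex(p).fullmatch(url)]

# Constructed sample list for illustration, not taken from any real configuration.
SAMPLE = ("http://intranet.example.com/*, *.example.com*, "
          "http://host[0-9].example.net/, http://db[!0-9].example.net/?")
```

Run `lint()` on a proposed list first, then call `matching_patterns()` with URLs that should and should not go through the proxy to confirm each entry is as narrow as intended.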