30-73
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Customizing Clientless SSL VPN Portals
These are the available macro substitutions:
– CSCO_WEBVPN_USERNAME: The username used to log into the SSL VPN.
– CSCO_WEBVPN_PASSWORD: The password used to log into the SSL VPN.
– CSCO_WEBVPN_INTERNAL_PASSWORD: The internal resource password entered when logging into the SSL VPN.
– CSCO_WEBVPN_CONNECTION_PROFILE: The connection profile associated with the user group selected when logging into the SSL VPN.
For example, if a URL list contains the link
http://someserver/homepage/CSCO_WEBVPN_USERNAME.html, the security appliance
translates it to the following unique links:
– For USER1 the link becomes http://someserver/homepage/USER1.html
– For USER2 the link is http://someserver/homepage/USER2.html
In the following example, cifs://server/users/CSCO_WEBVPN_USERNAME lets the security
appliance map a file drive to specific users:
– For USER1 the link becomes cifs://server/users/USER1
– For USER2 the link is cifs://server/users/USER2
• RADIUS/LDAP Vendor-Specific Attributes (VSAs)—These macros let you set substitutions that are
configured on either a RADIUS or an LDAP server. These are the available macro substitutions:
– CSCO_WEBVPN_MACRO1
– CSCO_WEBVPN_MACRO2
For information on configuring bookmarks, see Configuring SSL VPN Bookmark Lists for ASA and IOS
Devices, page 30-70.
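The per-user translation described above can be modelled to review a bookmark list for entries that would expand a password macro into the URL itself. This is an added example, not from the Cisco guide: it assumes literal text replacement as in the USER1/USER2 examples, and the `expand` and `audit` helpers, the two bookmarks carrying password macros, and the session values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Macro names as listed on this page.
MACROS = ("CSCO_WEBVPN_USERNAME", "CSCO_WEBVPN_PASSWORD",
          "CSCO_WEBVPN_INTERNAL_PASSWORD", "CSCO_WEBVPN_CONNECTION_PROFILE",
          "CSCO_WEBVPN_MACRO1", "CSCO_WEBVPN_MACRO2")
# The two macros that expand to a credential.
SECRET_MACROS = {"CSCO_WEBVPN_PASSWORD", "CSCO_WEBVPN_INTERNAL_PASSWORD"}
MACRO_RE = re.compile("|".join(MACROS))


def expand(url, session):
    """Model the per-user translation (assumption: literal text replacement)."""
    return MACRO_RE.sub(lambda m: session.get(m.group(0), m.group(0)), url)


def audit(bookmarks):
    """Return (url, macro, issue) for each credential macro in a bookmark URL."""
    findings = []
    for url in bookmarks:
        scheme = urlsplit(url).scheme.lower()
        for macro in sorted(set(MACRO_RE.findall(url)) & SECRET_MACROS):
            issue = ("credential expanded into URL" if scheme == "https"
                     else "credential expanded into non-HTTPS URL")
            findings.append((url, macro, issue))
    return findings


# Constructed sample data: the first two URLs are the page's own examples,
# the last two are hypothetical bookmarks that pass a password macro.
BOOKMARKS = [
    "http://someserver/homepage/CSCO_WEBVPN_USERNAME.html",
    "cifs://server/users/CSCO_WEBVPN_USERNAME",
    "http://someserver/login?u=CSCO_WEBVPN_USERNAME&p=CSCO_WEBVPN_PASSWORD",
    "https://someserver/sso?p=CSCO_WEBVPN_INTERNAL_PASSWORD",
]
SESSION = {"CSCO_WEBVPN_USERNAME": "USER1",
           "CSCO_WEBVPN_PASSWORD": "constructed-secret"}

if __name__ == "__main__":
    for bookmark in BOOKMARKS[:2]:
        print(expand(bookmark, SESSION))
    for finding in audit(BOOKMARKS):
        print(finding)
```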
Configuring SSL VPN Smart Tunnels for ASA Devices
A smart tunnel is a connection between an application running on a user’s workstation and a private site.
The connection uses a clientless (browser-based) SSL VPN session with the security appliance as the
pathway and proxy server. Smart tunnels do not require the user to connect the application to the local
port, so the application can gain access to the network without giving the user administrative privileges,
as is required for full tunnel support. If you do not otherwise configure the network to allow access to
an application, you can create a smart tunnel for those applications that you want to support.
You can configure smart tunnel access to an application under the following conditions:
• The application is a Winsock 2, TCP-based application and there is a browser plug-in for the
application. Cisco distributes plug-ins for some applications for use in clientless SSL VPN,
including SSH (for both SSH and Telnet sessions), RDP, and VNC. You must supply or obtain
plug-ins for any other applications. Configure plug-ins in the Remote Access VPN > SSL VPN >
Other Settings policy on the Plug-Ins tab.
• The user’s workstation is a supported platform. See the Cisco ASA 5500 Series Adaptive Security
Appliances documentation that corresponds with your ASA version for supported platforms,
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html.